* wg trunk (TM) traffic isolation: VRF vs netns
@ 2020-12-20 19:21 jrun
  2020-12-22 19:23 ` Tomcsanyi, Domonkos
  2020-12-23 13:55 ` Matthias Urlichs
  0 siblings, 2 replies; 3+ messages in thread
From: jrun @ 2020-12-20 19:21 UTC (permalink / raw)
  To: wireguard


hello,

my use case, if possible, is to provide vpn to friends and family and also
peering with other wg nodes (work etc). this obviously needs traffic isolation
and i have thought about it for a while but don't have a definitive answer.

1. one way i thought of doing it is to have a point-to-point (dedicated wg interface
for each user) solution.

2. the other is to group interfaces based on the category of users (think friends
vs family vs even work).

they both probably need writing up something for set-up and tear-down of each of
the interfaces, which should be fine, but both would need a way of isolating traffic;
either between individual users' interfaces or between group interfaces. there is
also the question of ACL'ing the site-to-site traffic for each group and/or
user.

for this i've looked into VRF and netns; this has been brought up before
here and in other places but i don't seem to be able to read the conclusion:
https://lists.zx2c4.com/pipermail/wireguard/2017-September/001706.html

from outside it looks like cumulus devs like their VRF, and wireguard devs lean
towards recommending netns:

https://www.wireguard.com/netns/

that^ link is not a solution for me but i can think of ways to use netns for
my case.


thoughts?

- jrun


* Re: wg trunk (TM) traffic isolation: VRF vs netns
  2020-12-20 19:21 wg trunk (TM) traffic isolation: VRF vs netns jrun
@ 2020-12-22 19:23 ` Tomcsanyi, Domonkos
  2020-12-23 13:55 ` Matthias Urlichs
  1 sibling, 0 replies; 3+ messages in thread
From: Tomcsanyi, Domonkos @ 2020-12-22 19:23 UTC (permalink / raw)
  To: jrun; +Cc: wireguard

Hi,

Using different network ranges for different groups of people + applying correct iptables rules shall be a simple solution, utilizing a single WG interface. People will get a static IP assigned in their respective range, so they are not allowed to use anything else as a source address and so cannot circumvent iptables.

Cheers,
Domi

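The single-interface design in this reply, as an added example that is not from the list or the WireGuard project: one address range per group, one static /32 per peer, and forward rules keyed on the group ranges. The interface name wg0, the uplink eth0 and all addresses and peer names are constructed, and nftables syntax is assumed where the reply says iptables.

```shell
# Added example (not from the thread): one wg0, one address range per group,
# one static /32 per peer. WireGuard's cryptokey routing drops a peer's packet
# whose source lies outside that peer's AllowedIPs, so forward rules keyed on
# the group ranges cannot be bypassed by spoofing a source address.
WAN=${WAN:-eth0}   # assumed uplink interface
# Constructed tables: "<group> <range>" and "<group> <peer> <AllowedIPs>"
GROUPS_TABLE="family 10.10.1.0/24
friends 10.10.2.0/24
work 10.10.3.0/24"
PEERS_TABLE="family alice 10.10.1.2/32
friends bob 10.10.2.2/32
work carol 10.10.1.9/32"

ip2int() {  # dotted quad -> 32-bit integer
  IFS=.; set -- $1; unset IFS
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
in_subnet() {  # in_subnet ADDR[/len] CIDR: succeed when ADDR lies inside CIDR
  [ -n "$2" ] || return 1
  addr=$(ip2int "${1%/*}"); net=$(ip2int "${2%/*}"); bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}
group_range() {  # print a group's range, nothing if the group is unknown
  printf '%s\n' "$GROUPS_TABLE" | awk -v g="$1" '$1 == g { print $2 }'
}
check_peers() {  # fail, naming every peer whose AllowedIPs escape its group range
  bad=0
  while read -r group name aip; do
    in_subnet "$aip" "$(group_range "$group")" && continue
    echo "BAD $name: $aip is outside the $group range"; bad=$((bad + 1))
  done <<EOF
$PEERS_TABLE
EOF
  [ "$bad" -eq 0 ]
}

gen_nft_rules() {  # a group reaches itself and the uplink, never another group
  echo "table inet wgiso {"
  echo "  chain forward { type filter hook forward priority 0; policy drop;"
  echo "    ct state established,related accept"
  while read -r group range; do
    echo "    iifname \"wg0\" oifname \"wg0\" ip saddr $range ip daddr $range accept"
    echo "    iifname \"wg0\" oifname \"$WAN\" ip saddr $range accept"
  done <<EOF
$GROUPS_TABLE
EOF
  echo "  }"; echo "}"
}
```

Run `check_peers` before loading the ruleset; in the constructed tables it flags carol, whose /32 sits in the family range although she belongs to the work group.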

* Re: wg trunk (TM) traffic isolation: VRF vs netns
  2020-12-20 19:21 wg trunk (TM) traffic isolation: VRF vs netns jrun
  2020-12-22 19:23 ` Tomcsanyi, Domonkos
@ 2020-12-23 13:55 ` Matthias Urlichs
  1 sibling, 0 replies; 3+ messages in thread
From: Matthias Urlichs @ 2020-12-23 13:55 UTC (permalink / raw)
  To: wireguard



Hello,
> thoughts?
>
> - jrun

When in doubt, do both.

I am running my home router as a couple of netns domains on one of the 
less-overworked servers in the basement, facilitated by a couple of 
"dumb" scripts that set it all up.

My setup: create a netns instance, move the machine's main interface 
into it, set up VLANs and bridges in there, and then add a veth interface 
to one of the bridges whose other end is moved back to the root namespace.

Bonus points: the router instance doesn't have any services (thus only 
needs FORWARD firewall rules) and can run on basically any local system 
with enough bandwidth. Just add VLANs to its interface on the switch.

Within that router netns I have separate VRFs for "sensitive" and 
"guest" traffic, mainly to simplify firewall rules and routing tables.

-- 
-- Matthias Urlichs

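A script for the layout this reply describes, as an added example that is not Matthias's own scripts: the netns name, interface names, VLAN ids and routing table numbers are all assumed, and DRY_RUN=1 prints the ip commands instead of running them, since creating namespaces needs root.

```shell
# Added example, not Matthias's own scripts: a router netns that owns the
# physical NIC, a VLAN sub-interface bridged per network, a VRF per bridge, and
# a veth pair whose other end returns to the root namespace. All names are
# assumed; privileged commands go through run(), so DRY_RUN=1 prints the plan.
NS=${NS:-router}     # netns that holds the NIC, VLANs, bridges and VRFs
NIC=${NIC:-eth0}     # the machine's main interface, moved into $NS
HOST_VLAN=${HOST_VLAN:-10}   # bridge the root namespace's veth end joins
VLAN_TABLE="10 sensitive 100
20 guest 200"        # "<802.1Q id> <vrf name> <routing table>", tagged on the switch

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
ns() { run ip netns exec "$NS" "$@"; }

setup_router() {
  run ip netns add "$NS"
  run ip link set "$NIC" netns "$NS"
  ns ip link set "$NIC" up
  while read -r id vrf table; do   # per VLAN: sub-interface, bridge, own VRF
    ns ip link add link "$NIC" name "$NIC.$id" type vlan id "$id"
    ns ip link add "br$id" type bridge
    ns ip link add "vrf-$vrf" type vrf table "$table"
    ns ip link set "$NIC.$id" master "br$id"
    ns ip link set "br$id" master "vrf-$vrf"
    ns ip link set "$NIC.$id" up
    ns ip link set "br$id" up
    ns ip link set "vrf-$vrf" up
  done <<EOF
$VLAN_TABLE
EOF
  # veth pair: one end on a bridge inside $NS, the other back in the root netns
  run ip link add veth-router type veth peer name veth-host
  run ip link set veth-router netns "$NS"
  ns ip link set veth-router master "br$HOST_VLAN"
  ns ip link set veth-router up
  run ip link set veth-host up
  # the router netns only forwards; it runs no services, so FORWARD rules suffice
  ns sysctl -w net.ipv4.ip_forward=1
}
teardown_router() {  # the NIC returns to the root netns; the veth pair dies with $NS
  run ip netns del "$NS"
}
```

Separate VRFs per bridge keep the "sensitive" and "guest" routing tables apart, so FORWARD rules inside the router netns can match on the VRF device rather than on address ranges.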
