* Ability to use one udp port for multiple wg interfaces
@ 2017-05-02  8:20 Damian Kaczkowski
From: Damian Kaczkowski @ 2017-05-02  8:20 UTC (permalink / raw)
  To: wireguard


Hello.

I'm trying to run two wg interfaces bound to one udp port, e.g. wg0 and wg1
on 51820/udp. wg shows that both interfaces are created (wg0 and wg1). wg
also shows that all peers on both interfaces are defined. However, only
peers defined on one wg interface (either wg0 or wg1) are able to establish
a connection. Peers on the other interface are not able to connect.

Is this currently an unsupported configuration?

Or is this a supported configuration and I am doing something wrong?

If unsupported, would you consider supporting it in the future?

It would be useful if one wants to easily manage ACLs via firewall rules
defined by wg interfaces (easy to define zones), but does not want to open
multiple ports for every new zone/peer(s). Currently one has to open one
udp port per wg interface. It is not very friendly to open additional udp
ports in a multiple-peer scenario where firewall ACLs are desirable. If one
has a limited number of free udp ports then it also does not scale well.

I am using WireGuard build no. 20170115 on LEDE/MIPS Linux.

Greets.



* Re: Ability to use one udp port for multiple wg interfaces
@ 2017-05-02  8:55 ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-05-02  8:55 UTC (permalink / raw)
  To: Damian Kaczkowski; +Cc: WireGuard mailing list

Hello Damian,

1. Always use the latest snapshot version of WireGuard. The one you
listed is out of date.

2. No, you cannot use the same port.

3. You may have multiple peers on a single wireguard interface. This
is the configuration that you probably should be using. "It is not
very friendly to open additional udp ports in multiple peer scenario
where firewall ACLs are desirable" This is 100% incorrect. With
multiple peers on an interface and a sufficiently clamped allowed-ips
entry for each, you'll have perfect firewall ACLs.

Regards,
Jason


* Re: Ability to use one udp port for multiple wg interfaces
@ 2017-05-02  9:56   ` Damian Kaczkowski
From: Damian Kaczkowski @ 2017-05-02  9:56 UTC (permalink / raw)
  To: Jason A. Donenfeld, wireguard


Hello Janson.

On 2 May 2017 at 10:55, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> 3. You may have multiple peers on a single wireguard interface. This
> is the configuration that you probably should be using. "It is not
> very friendly to open additional udp ports in multiple peer scenario
> where firewall ACLs are desirable" This is 100% incorrect. With
> multiple peers on an interface and a sufficiently clamped allowed-ips
> entry for each, you'll have perfect firewall ACLs.
>

3. Well, if one uses a firewall to control flows between zones in an
environment with mixed protocols (e.g. gre, ipsec, openvpn and so on), then
using a second tool just to control only wireguard ACLs is not a very
convenient way from an administrative point of view. Also, in the case where
a peer is roaming and changing its source IP (e.g. road warrior), maintaining
wireguard ACLs will be a huge PITA, if not impossible at large scale.


4. Does wireguard have some means so that iptables can easily
differentiate tunnels (peers) and put them in the appropriate 'zone'? Like e.g.
iptables -m policy --help
iptables -m ah --help
iptables -m esp --help

Or something similar?

Regards.



* Re: Ability to use one udp port for multiple wg interfaces
@ 2017-05-02 16:32     ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-05-02 16:32 UTC (permalink / raw)
  To: Damian Kaczkowski; +Cc: WireGuard mailing list

On Tue, May 2, 2017 at 11:56 AM, Damian Kaczkowski
<damian.kaczkowski@gmail.com> wrote:
> Hello Janson.

My name is Jason.

> 3. Well if one uses firewall to control flows between zones in environment
> with mix protocols (eg. gre, ipsec, openvpn and so on) then using second
> tool just to control only wireguard ACLs is not very convenient way from
> administrative point of view. Also in case where peer is roaming and
> changing its source IP (eg. road warrior) then maintaining wireguard ACLs
> will be a huge PITA, if not impossible at large scale.

No, you are wrong. Allowed-ips controls the IP addresses _within_ the
tunnel. Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or
similar to match a _precise_ peer.


> 4. Does wireguard have some means so that iptables can easily differentiate
> tunnels (peers) and put them in appropriate 'zone'? like eg.
> iptables -m policy --help
> iptables -m ah --help
> iptables -m esp --help
>
> Or something similar?

WireGuard has gone out of its way to explicitly avoid this brain
damage. Use the allowed-ips concept instead.


* Re: Ability to use one udp port for multiple wg interfaces
@ 2017-05-02 17:59       ` Damian Kaczkowski
From: Damian Kaczkowski @ 2017-05-02 17:59 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list


On 2 May 2017 at 18:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> > Hello Janson.
>
> My name is Jason.
>

Sorry.


> > 3. Well if one uses firewall to control flows between zones in
> environment
> > with mix protocols (eg. gre, ipsec, openvpn and so on) then using second
> > tool just to control only wireguard ACLs is not very convenient way from
> > administrative point of view. Also in case where peer is roaming and
> > changing its source IP (eg. road warrior) then maintaining wireguard ACLs
> > will be a huge PITA, if not impossible at large scale.
>
> No, you are wrong. Allowed-ips controls the IP addresses _within_ the
> tunnel. Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or
> similar to match a _precise_ peer.
>

Ok. Thanks for the tip. However, I still think wireguard loses some
flexibility that way, e.g. when a peer roams from one network to another,
its ip address may be unknown.

Anyway, it is not only about the roaming case, so if it is not much work
and if it is not a security problem then please consider allowing multiple
wg interfaces to work on one port. I hope it won't hurt to allow this
functionality and I am sure it might come in handy for some admins in the
wild. Maybe it could be implemented together with the idea of refactoring
per-interface vs per-peer private keys? I hope you will consider it at some
point.

Best Regards.
Damian.



* Re: Ability to use one udp port for multiple wg interfaces
@ 2017-05-02 19:45         ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-05-02 19:45 UTC (permalink / raw)
  To: Damian Kaczkowski; +Cc: WireGuard mailing list


On May 2, 2017 19:59, "Damian Kaczkowski" <damian.kaczkowski@gmail.com>
wrote:

On 2 May 2017 at 18:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> > Hello Janson.
>
> My name is Jason.
>

Sorry.


> > 3. Well if one uses firewall to control flows between zones in
> environment
> > with mix protocols (eg. gre, ipsec, openvpn and so on) then using second
> > tool just to control only wireguard ACLs is not very convenient way from
> > administrative point of view. Also in case where peer is roaming and
> > changing its source IP (eg. road warrior) then maintaining wireguard ACLs
> > will be a huge PITA, if not impossible at large scale.
>
> No, you are wrong. Allowed-ips controls the IP addresses _within_ the
> tunnel. Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or
> similar to match a _precise_ peer.
>

Ok. Thanks for a tip. However I still think wireguard loses some
flexibility in that way eg. when peer roams from one network to another
then its ip address may be unknown.



No, wrong. Roaming regards external IP. Allowed IPs regards internal tunnel
IPs, which are static.


Anyway, it is not only about roaming case so if it is not much of a work
and if it is not a security problem then please consider to allow multiple
wg interfaces to work on one port. I hope it won't hurt to allow this
functionality and I am sure it might come handy for some admins in the
wild. Maybe it could be implemented in pair with the idea of refactoring
per interface vs per peer private keys? Hope you will consider it at some
point.


No, you are very mistaken. Please reread the docs on allowed ips keeping in
mind that these concern internal tunneled ips and are static. Typing to you
on my phone so can't write more now.


Best Regards.
Damian.



* Re: Ability to use one udp port for multiple wg interfaces
@ 2017-05-05 18:28           ` Damian Kaczkowski
From: Damian Kaczkowski @ 2017-05-05 18:28 UTC (permalink / raw)
  To: Jason A. Donenfeld, WireGuard mailing list


On 2 May 2017 at 21:45, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> On May 2, 2017 19:59, "Damian Kaczkowski" <damian.kaczkowski@gmail.com>
> wrote:
>
> On 2 May 2017 at 18:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
>> > 3. Well if one uses firewall to control flows between zones in
>> > environment
>> > with mix protocols (eg. gre, ipsec, openvpn and so on) then using second
>> > tool just to control only wireguard ACLs is not very convenient way from
>> > administrative point of view. Also in case where peer is roaming and
>> > changing its source IP (eg. road warrior) then maintaining wireguard
>> > ACLs
>> > will be a huge PITA, if not impossible at large scale.
>>
>> No, you are wrong. Allowed-ips controls the IP addresses _within_ the
>> tunnel. Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or
>> similar to match a _precise_ peer.
>>
>
> Ok. Thanks for a tip. However I still think wireguard loses some
> flexibility in that way eg. when peer roams from one network to another
> then its ip address may be unknown.
>
>
> No, wrong. Roaming regards external IP. Allowed IPs regards internal
> tunnel IPs, which are static.
>

True. But I still think that the ability to assign multiple interfaces to one
udp port would be handy, e.g. when one wants to use only specific and limited
ports (like e.g. 53) for wireguard but still wants to have more interfaces at
one's disposal. Possible use case: be able to easily assign and group
various peers to different interfaces and monitor those interfaces'
parameters (exposed e.g. by the kernel) using monitoring tools capable of
collecting various information/data and/or plotting graphs like bandwidth,
traffic, and so on. This info could later be used for analysing or
debugging.


> Anyway, it is not only about roaming case so if it is not much of a work
> and if it is not a security problem then please consider to allow multiple
> wg interfaces to work on one port. I hope it won't hurt to allow this
> functionality and I am sure it might come handy for some admins in the
> wild. Maybe it could be implemented in pair with the idea of refactoring
> per interface vs per peer private keys? Hope you will consider it at some
> point.
>
>
> No, you are very mistaken. Please reread the docs on allowed ips keeping
> in mind that these concern internal tunneled ips and are static. Typing to
> you on my phone so can't write more now.
>

Reading through the docs.

I came to a scenario where I would like to disable the whole allowed-ips
thing: a multi-homed scenario where traffic goes out via one peer/interface
and comes back via the other one. I wrote about this in another email.

Greets.


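An added example, written for this page and not taken from the thread or from WireGuard's own code, for two points above: Jason's remark that an iptables rule like "-i wg0 -s 10.0.0.3/32" matches one precise peer, and the multi-homed scenario Damian describes where traffic leaves through one peer and returns through another. It models the AllowedIPs table (cryptokey routing) of a single interface as a longest-prefix-match table with the ingress source check that makes the firewall match trustworthy. Peer names ("LaptopPub", "OfficePub", "HubPub"), addresses, zone chain names and the zone_rules helper are assumptions for illustration; the behaviour that re-adding a prefix moves it to the new peer is a modelling assumption stated in the comment.

```python
"""Model of WireGuard cryptokey routing (AllowedIPs) on one interface.
Added example; not WireGuard's own code.  All names and addresses are made up."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRouter:
    """One wg interface.  Each AllowedIPs prefix belongs to exactly one peer."""

    def __init__(self, iface: str) -> None:
        self.iface = iface
        self.table: List[Tuple[Net, str]] = []   # (prefix, peer public key)
        self.endpoints: Dict[str, str] = {}      # peer -> last seen outer ip:port

    def add_peer(self, pubkey: str, allowed_ips: List[str]) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # Modelling assumption: a prefix has a single owner, so re-adding
            # it moves it from the previous peer to this one.
            self.table = [(n, p) for n, p in self.table if n != net]
            self.table.append((net, pubkey))

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match of an inner (tunnelled) address to a peer."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Tuple[Net, str]] = None
        for net, peer in self.table:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def ingress(self, from_peer: str, outer_src: str, inner_src: str) -> bool:
        """A packet decrypted under from_peer's session is delivered only if
        its inner source address routes back to that same peer.  The outer
        (roaming) address is recorded but takes no part in the decision."""
        self.endpoints[from_peer] = outer_src
        return self.lookup(inner_src) == from_peer

    def egress(self, dst: str) -> Optional[str]:
        """Outbound packets go to the peer owning the longest matching prefix;
        no match means the packet is dropped rather than sent anywhere."""
        return self.lookup(dst)

    def zone_rules(self, zones: Dict[str, str]) -> List[str]:
        """One FORWARD rule per AllowedIPs prefix, jumping to the peer's zone
        chain (hypothetical chain names).  The -s match is reliable because
        ingress() already refused packets whose inner source is not the peer's."""
        rules = []
        for net, peer in self.table:
            if peer in zones:
                rules.append(
                    f"iptables -A FORWARD -i {self.iface} -s {net} -j {zones[peer]}")
        return rules


# Constructed scenario: three peers on one interface, hence one udp port.
ZONES = {"LaptopPub": "ZONE_ADMIN", "OfficePub": "ZONE_OFFICE", "HubPub": "ZONE_HUB"}


def build_demo() -> CryptokeyRouter:
    wg0 = CryptokeyRouter("wg0")
    wg0.add_peer("LaptopPub", ["10.0.0.3/32"])   # road warrior, roams freely
    wg0.add_peer("OfficePub", ["10.0.1.0/24"])   # site-to-site
    wg0.add_peer("HubPub", ["10.0.0.0/16"])      # less specific catch-all
    return wg0


if __name__ == "__main__":
    wg0 = build_demo()
    # Roaming changes only the outer address; both packets are accepted.
    print(wg0.ingress("LaptopPub", "203.0.113.5:41000", "10.0.0.3"))
    print(wg0.ingress("LaptopPub", "198.51.100.9:52000", "10.0.0.3"))
    # Another peer cannot claim 10.0.0.3, so "-s 10.0.0.3/32" means LaptopPub.
    print(wg0.ingress("OfficePub", "192.0.2.1:51820", "10.0.0.3"))
    # Asymmetric multi-homed return path: a reply from 10.0.1.7 (OfficePub's
    # prefix) arriving through HubPub is dropped.
    print(wg0.egress("10.0.1.7"), wg0.ingress("HubPub", "192.0.2.2:51820", "10.0.1.7"))
    print("\n".join(wg0.zone_rules(ZONES)))
```

The last ingress call is the multi-homed case: the reply is valid cryptographically, but its inner source belongs to a different peer's prefix, so it never reaches the firewall at all. That is the property the zone rules rely on.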

* Re: Ability to use one udp port for multiple wg interfaces
@ 2017-05-11 10:30             ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-05-11 10:30 UTC (permalink / raw)
  To: Damian Kaczkowski; +Cc: WireGuard mailing list

On Fri, May 5, 2017 at 8:28 PM, Damian Kaczkowski
<damian.kaczkowski@gmail.com> wrote:
> True. But I still think that ability to assign multi interfaces to one udp
> port would be handy. Eg when one want to use only specific and limited ports
> (like eg 53) for wireguard but still wants to have more interfaces at one's
> disposal. Possible use case - be able to easily assign and group various
> peers to different interfaces and monitor those interfaces parameters
> (exposed eg by kernel) using monitoring tools capable of collecting various
> information/data and/or plotting graphs like bandwidth, traffic, and so on.
> This info could be later used for analysing or debugging.

No, you're doing it wrong. Those monitoring use cases you mentioned
are already taken care of by the existing design. If you need help
with a particular configuration or setup, you're free to ask about
those particular use cases. But what you've asked so far simply isn't
the WireGuard way of doing things; we offer here a better design than
that.


> Reading through the docs.
>
> I come to scenario where I would like to disable whole allowed-ips thing.

Then either you're doing things horribly wrong, or WireGuard isn't the
tool for you. AllowedIPs is the essential concept.

If you have questions about how to reach a particular goal, we can
help you. But I believe this particular conversation has reached a
dead end.

