* crypto routing with subnets?
@ 2017-10-20 17:39 Bruno Wolff III
From: Bruno Wolff III @ 2017-10-20 17:39 UTC (permalink / raw)
  To: wireguard

I want to try to route a local network over wireguard through my router 
while not breaking a direct connection from my server while I'm testing 
the new setup. And I'm wondering if I'm going to need two wg devices or 
if I can use one?

On the destination the config would be something like:
[Peer]
PublicKey = I37b0D0JbbBrSyH/oHjdMvL0P3m8kZQ5RiJ0Dha3ClU=
Endpoint = 98.103.208.27:992
AllowedIPs = 192.168.7.1/32
PersistentKeepalive = 25

[Peer]
PublicKey = I37b0D0JbbBrSyH/oHjdMvL0P3m8kZQ5RiJ0Dha3ClU=
Endpoint = 98.103.208.26:992
AllowedIPs = 192.168.0.0/16
PersistentKeepalive = 25

It seems like this should work, though the public keys would be different 
in the real setup. (The second peer doesn't exist yet, so I can't use its 
public key in the example.)

So my main question is will traffic to 192.168.7.1 go to the first peer even 
though it is covered by the network in the second peer or do I need to 
make a wg0 and wg1 and do the routing at the interface level?

If I actually left the public keys the same, would this still work? (The 
security domain is nearly the same as the hardware is in the same place.) 
I don't think it could work as I think this would break tracking what IP 
address was last used by each peer.

Eventually I want to do something a bit more complicated, because I will only 
want devices that connected to my router with wireguard (i.e. my devices, 
not guests on my network) to be able to send packets over that tunnel. 
But for now traffic going through the tunnel doesn't get any access where I 
would be worried about guest traffic using the tunnel. At that time the server 
and router peer networks will be disjoint.


* Re: crypto routing with subnets?
From: Jason A. Donenfeld @ 2017-10-20 18:02 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list

Hi Bruno,

Fortunately the inquiries of this email are things that you could
figure out simply by trying, so if you want to learn-by-doing, you can
stop reading here and finish reading afterward.

Here are the solutions:

1. A peer is its public key, which means you can't have two different
peers with the same key, since they'd be the same peer. In essence
you're asking for a==a&&a!=a, which is always false.

2. Traffic will always go to the most specific route, which means the
/32 will take precedence over the /16.

Jason

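The two rules Jason states (a peer is its public key, and AllowedIPs are matched by longest prefix) can be modelled directly. The following is an added illustration written for this archive, not WireGuard's own code; it uses Bruno's /32 and /16 from the thread, his endpoints, and constructed placeholder public keys, and it also shows the inbound direction WireGuard applies the same table to (a decrypted packet is dropped unless its source address is routed to the peer it came from).

```python
import ipaddress

# Constructed placeholder keys: the second peer in Bruno's example does not exist yet.
SERVER_KEY = "I37b0D0JbbBrSyH/oHjdMvL0P3m8kZQ5RiJ0Dha3ClU="   # key shown in the thread
ROUTER_KEY = "ROUTER_PUBLIC_KEY_PLACEHOLDER_base64_44_chars="   # constructed placeholder


class CryptokeyRoutingTable:
    """Toy model of WireGuard's AllowedIPs ("cryptokey routing") table."""

    def __init__(self):
        self.peers = {}    # public key -> endpoint; a peer *is* its public key
        self.routes = []   # (ip_network, public_key); longest prefix wins on lookup

    def add_peer(self, public_key, endpoint, allowed_ips):
        # Adding a second [Peer] block with the same key updates the same peer,
        # so the configuration Bruno sketched collapses to one peer (rule 1).
        self.peers[public_key] = endpoint
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # A prefix belongs to exactly one peer; the latest assignment wins.
            self.routes = [(n, k) for n, k in self.routes if n != net]
            self.routes.append((net, public_key))

    def peer_for_destination(self, ip):
        """Outbound: most specific AllowedIPs prefix selects the peer (rule 2)."""
        addr = ipaddress.ip_address(ip)
        matches = [(n.prefixlen, k) for n, k in self.routes if addr in n]
        return max(matches)[1] if matches else None

    def accept_from_peer(self, public_key, src_ip):
        """Inbound: drop unless src_ip routes back to the peer that sent it."""
        return self.peer_for_destination(src_ip) == public_key


def build_example_table():
    """Bruno's intended setup with two *different* keys."""
    table = CryptokeyRoutingTable()
    table.add_peer(SERVER_KEY, "98.103.208.27:992", ["192.168.7.1/32"])
    table.add_peer(ROUTER_KEY, "98.103.208.26:992", ["192.168.0.0/16"])
    return table


def build_same_key_table():
    """Bruno's literal example with the same key in both [Peer] blocks."""
    table = CryptokeyRoutingTable()
    table.add_peer(SERVER_KEY, "98.103.208.27:992", ["192.168.7.1/32"])
    table.add_peer(SERVER_KEY, "98.103.208.26:992", ["192.168.0.0/16"])
    return table
```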

* Re: crypto routing with subnets?
From: Bruno Wolff III @ 2017-10-20 18:06 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Fri, Oct 20, 2017 at 20:02:43 +0200,
  "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
>Hi Bruno,
>
>Fortunately the inquiries of this email are things that you could
>figure out simply by trying, so if you want to learn-by-doing, you can
>stop reading here and finish reading afterward.

I'm doing that too. Though I can't test the full setup right now as I 
can't safely change the router firmware until I get home.

>
>Here are the solutions:
>
>1. A peer is its public key, which means you can't have two different
>peers with the same key, since they'd be the same peer. In essence
>you're asking for a==a&&a!=a, which is always false.

I mostly wanted to make sure I had a correct mental model for how this 
worked. It seemed like it had to be that way.

>2. Traffic will always go to the most specific route, which means the
>/32 will take precedence over the /16.

For this one, I was a bit worried that it might work sometimes, but have 
problems later, as I couldn't find an explicit answer in the documentation 
(I might have missed it) saying it worked like normal network routing. The 
examples I saw were all disjoint networks.

Thank you for the clarifications.


* Re: crypto routing with subnets?
From: Jason A. Donenfeld @ 2017-10-20 18:15 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list

On Fri, Oct 20, 2017 at 8:06 PM, Bruno Wolff III <bruno@wolff.to> wrote:
> For this one, I was a bit worried that it might work sometimes, but have
> problems later as I couldn't find an explicit answer in the documentation (I
> might have missed it.) saying it worked like normal network routing. The
> examples I saw were all disjoint networks.

I should clarify this. I mention places that it uses a radix trie, but
this is probably gibberish, so I should make this explicit in the
manpage.
