* [wireguard-dev] Ability to use one udp port for multiple wg interfaces
@ 2017-09-21  9:32 nicolas prochazka
  2017-09-21 11:25 ` Jason A. Donenfeld
  2017-09-21 11:55 ` Jason A. Donenfeld
From: nicolas prochazka @ 2017-09-21  9:32 UTC (permalink / raw)
  To: WireGuard mailing list

Hello,
This question has already been posted in the past, but I need some help.
We want to create one WireGuard interface per client, because at the
moment we are using one interface for all our clients, and it is
becoming very difficult to manage in terms of QoS, network analysis,
security, iptables ...
With multiple interfaces, all is good in terms of performance with the
last release, but each interface must have its own port, which is
not possible to manage (a different port per client).
Is there a solution?
Regards,
Nicolas Prochazka


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21  9:32 [wireguard-dev] Ability to use one udp port for multiple wg interfaces nicolas prochazka
@ 2017-09-21 11:25 ` Jason A. Donenfeld
  2017-09-21 11:46   ` nicolas prochazka
  2017-09-21 11:55 ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-09-21 11:25 UTC (permalink / raw)
  To: nicolas prochazka; +Cc: WireGuard mailing list

I'd recommend you use multiple peers per interface. The strong binding
with allowed-ips enables you to use qos, network analysis, security,
and iptables rules in a very straightforward way.


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 11:25 ` Jason A. Donenfeld
@ 2017-09-21 11:46   ` nicolas prochazka
  2017-09-21 11:54     ` Jason A. Donenfeld
From: nicolas prochazka @ 2017-09-21 11:46 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Hello,
I know, but we are using one interface per customer, and each interface
manages multiple peers ( > 500 )
as
wg_interface0 = client 0 = 500 peers
wg_interfacen = client n = 500 peers

At the moment, only one interface wg0 manages all peers and all
customers; it is very complicated for the administrative tasks, QoS,
client separation ....

Regards,
Nicolas

2017-09-21 13:25 GMT+02:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> I'd recommend you use multiple peers per interface. The strong binding
> with allowed-ips enables you to use qos, network analysis, security,
> and iptables rules in a very straightforward way.


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 11:46   ` nicolas prochazka
@ 2017-09-21 11:54     ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-09-21 11:54 UTC (permalink / raw)
  To: nicolas prochazka; +Cc: WireGuard mailing list

On Thu, Sep 21, 2017 at 1:46 PM, nicolas prochazka
<prochazka.nicolas@gmail.com> wrote:
> At the moment, only one interface wg0 manages all peers and all
> customers; it is very complicated for the administrative tasks, QoS,
> client separation ....

It should be possible to accomplish these administrative tasks and qos
via subnet range rather than interface. Each interface will handle up
to 2^20 peers, which should certainly be enough.

In any case, if you would like to use different interfaces, you'll
need to use different ports.


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21  9:32 [wireguard-dev] Ability to use one udp port for multiple wg interfaces nicolas prochazka
  2017-09-21 11:25 ` Jason A. Donenfeld
@ 2017-09-21 11:55 ` Jason A. Donenfeld
  2017-09-21 12:17   ` nicolas prochazka
From: Jason A. Donenfeld @ 2017-09-21 11:55 UTC (permalink / raw)
  To: nicolas prochazka; +Cc: WireGuard mailing list

Please do not prefix your email subjects with [wireguard-dev].


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 11:55 ` Jason A. Donenfeld
@ 2017-09-21 12:17   ` nicolas prochazka
  2017-09-21 12:54     ` Jason A. Donenfeld
From: nicolas prochazka @ 2017-09-21 12:17 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Ok,
To be more precise, the use cases are:
services (as daemons) are listening on a specific interface/IPv6
address to secure and activate services per client; with only one
interface, it is not possible, and aliasing seems not to be relevant.
However, I can understand that this is not the problem of WireGuard;
perhaps you can tell us if an internal dev is possible or if the
nature of WireGuard forbids this?

Regards,
Nicolas
PS: sorry for the prefix

2017-09-21 13:55 GMT+02:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> Please do not prefix your email subjects with [wireguard-dev].


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 12:17   ` nicolas prochazka
@ 2017-09-21 12:54     ` Jason A. Donenfeld
  2017-09-21 13:14       ` nicolas prochazka
From: Jason A. Donenfeld @ 2017-09-21 12:54 UTC (permalink / raw)
  To: nicolas prochazka; +Cc: WireGuard mailing list

Perhaps I'm not understanding your last message, but it's most
certainly possible to bind to a particular IP address with a service.
It's also possible to bind to _all_ IP addresses, and then use
iptables to control which source networks have access to a particular
port. Finally, within a service, if you only allow input from wg0
since allowed-ips gives strong cryptographic binding, you can
explicitly filter on the IP addresses you get from recvfrom.

I don't understand your meaning of "internal dev".

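The third option in the reply above, filtering inside the service on the address recvfrom() returns, as an added example that is not code from the thread or from the WireGuard project. The customer address plan, the customer names and the loopback demo are constructed for the example. The classification is only trustworthy for datagrams that arrived over wg0, because AllowedIPs binds each peer's public key to the source addresses it may use (cryptokey routing): a decrypted packet whose source lies in another customer's range is dropped by the interface before it reaches the socket. Traffic from any other interface carries no such guarantee and has to be excluded with iptables or by binding to the wg0 address.

```python
"""Added example, not code from the thread or from the WireGuard project.

UDP service bound to all addresses that serves only source addresses inside
a known customer subnet. Only sound for packets that came in over wg0, where
WireGuard's AllowedIPs authenticates the source address; other interfaces
must be fenced off with iptables.
"""
import ipaddress
import socket

# Constructed per-customer address plan: one subnet per customer on wg0.
CUSTOMER_NETS = {
    "client0": ipaddress.ip_network("10.200.0.0/24"),
    "client1": ipaddress.ip_network("10.200.1.0/24"),
    "client2": ipaddress.ip_network("fd00:c0de:2::/64"),
}


def build_acl(nets):
    """Order networks most-specific first so a nested range wins a lookup."""
    return sorted(nets.items(), key=lambda kv: kv[1].prefixlen, reverse=True)


def customer_for(acl, src_ip):
    """Return the customer owning src_ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in acl:
        if addr.version == net.version and addr in net:
            return name
    return None


def handle_datagram(acl, src, payload):
    """Decide on one datagram; src is the address tuple from recvfrom().

    Returns the reply bytes, or None when the datagram must be dropped.
    """
    customer = customer_for(acl, src[0])
    if customer is None:
        return None  # unknown source: drop silently, do not reveal the service
    # From here on the customer identity is backed by cryptokey routing.
    return b"%s:%s" % (customer.encode(), payload)


def serve(sock, acl, max_datagrams):
    """Serve up to max_datagrams datagrams; returns how many were answered."""
    answered = 0
    for _ in range(max_datagrams):
        payload, src = sock.recvfrom(2048)
        reply = handle_datagram(acl, src, payload)
        if reply is not None:
            sock.sendto(reply, src)
            answered += 1
    return answered


if __name__ == "__main__":
    # Loopback demo: 127.0.0.1 is outside every customer subnet, so the
    # datagram is dropped and the client gets no reply.
    acl = build_acl(CUSTOMER_NETS)
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # production: ("0.0.0.0", port) behind iptables
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(0.5)
    client.sendto(b"ping", server.getsockname())
    print("answered:", serve(server, acl, 1))
    try:
        print("client got:", client.recvfrom(2048))
    except socket.timeout:
        print("client got no reply (dropped)")
```

The lookup deliberately returns nothing for a source outside the plan rather than raising, so an unexpected sender learns nothing about which addresses are served.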

* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 12:54     ` Jason A. Donenfeld
@ 2017-09-21 13:14       ` nicolas prochazka
  2017-09-21 13:24         ` Jason A. Donenfeld
From: nicolas prochazka @ 2017-09-21 13:14 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

internal dev = hack your code for our specific use, to multiplex
the listening UDP port.
I agree with you about configuration, it is possible, but we are using
"historical" private software, and it is difficult to deal with.
It is not a WireGuard issue.

Regards,
Nicolas


2017-09-21 14:54 GMT+02:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> Perhaps I'm not understanding your last message, but it's most
> certainly possible to bind to a particular IP address with a service.
> It's also possible to bind to _all_ IP addresses, and then use
> iptables to control which source networks have access to a particular
> port. Finally, within a service, if you only allow input from wg0
> since allowed-ips gives strong cryptographic binding, you can
> explicitly filter on the IP addresses you get from recvfrom.
>
> I don't understand your meaning of "internal dev".


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 13:14       ` nicolas prochazka
@ 2017-09-21 13:24         ` Jason A. Donenfeld
  2017-09-21 15:29           ` nicolas prochazka
From: Jason A. Donenfeld @ 2017-09-21 13:24 UTC (permalink / raw)
  To: nicolas prochazka; +Cc: WireGuard mailing list

On Thu, Sep 21, 2017 at 3:14 PM, nicolas prochazka
<prochazka.nicolas@gmail.com> wrote:
> "historical" private software, and it's difficult to deal with.
> It is not a wireguard issue.

In that case, I'd recommend you bind your services to 0.0.0.0 and just
use iptables to do net-based ACLs with the standard filter table.

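The single-interface design recommended in the two replies above (separate customers by subnet range on one wg0, and do net-based ACLs in the filter table), as an added example that is not code from the thread or from the WireGuard project. The 10.200.0.0/16 site range, the customer names, the service ports and the peer keys are constructed for the example; the functions only build wg(8) and iptables command lines and apply nothing.

```python
"""Added example, not code from the thread or from the WireGuard project.

One wg0 interface shared by all customers. Each customer owns one /24 carved
from an assumed site range, each of its peers gets a /32 AllowedIPs inside
that /24, and iptables applies per-customer ACLs keyed on the source subnet.
"""
import base64
import ipaddress
from dataclasses import dataclass

SITE = ipaddress.ip_network("10.200.0.0/16")   # assumed address plan
CUSTOMER_PREFIX = 24                            # one /24 per customer
IFACE = "wg0"


@dataclass(frozen=True)
class Customer:
    name: str
    index: int            # picks the customer's /24 inside SITE
    peers: tuple          # ((pubkey, "10.200.x.y"), ...)
    services: tuple = ()  # (("tcp", 8080), ...) ports this customer may reach


def customer_subnet(c):
    """The subnet is the customer's identity on wg0; derive it from the index."""
    return list(SITE.subnets(new_prefix=CUSTOMER_PREFIX))[c.index]


def check_plan(customers):
    """Return a list of plan errors (empty when the plan is consistent)."""
    errors = []
    seen_idx, seen_keys = {}, {}
    for c in customers:
        net = customer_subnet(c)
        if c.index in seen_idx:
            errors.append(f"{c.name} and {seen_idx[c.index]} share subnet {net}")
        seen_idx[c.index] = c.name
        for key, ip in c.peers:
            if ipaddress.ip_address(ip) not in net:
                errors.append(f"{c.name}: peer {ip} is outside {net}")
            if key in seen_keys and seen_keys[key] != c.name:
                errors.append(f"{c.name}: key {key[:8]}... already belongs to {seen_keys[key]}")
            seen_keys[key] = c.name
    return errors


def wg_commands(customers):
    """wg(8) lines giving each peer a /32 AllowedIPs. WireGuard drops any
    decrypted packet whose source is not in the peer's AllowedIPs (cryptokey
    routing), which is what makes the source-subnet ACLs below trustworthy."""
    return [f"wg set {IFACE} peer {key} allowed-ips {ip}/32"
            for c in customers for key, ip in c.peers]


def iptables_rules(customers):
    """iptables-restore style filter rules: one chain per customer keyed on
    the source subnet, default drop, and forwarding only inside a customer."""
    rules = ["-N WG_CUSTOMERS", f"-A INPUT -i {IFACE} -j WG_CUSTOMERS"]
    for c in customers:
        chain = f"CUST_{c.name.upper()}"
        net = customer_subnet(c)
        rules += [f"-N {chain}", f"-A WG_CUSTOMERS -s {net} -j {chain}"]
        for proto, port in c.services:
            rules.append(f"-A {chain} -p {proto} --dport {port} -j ACCEPT")
        rules.append(f"-A {chain} -j DROP")
        # peers of one customer may reach each other through the server ...
        rules.append(f"-A FORWARD -i {IFACE} -o {IFACE} -s {net} -d {net} -j ACCEPT")
    rules.append("-A WG_CUSTOMERS -j DROP")                # source in no customer subnet
    rules.append(f"-A FORWARD -i {IFACE} -o {IFACE} -j DROP")  # ... but never another customer's
    return rules


def fake_key(n):
    """Constructed placeholder with a WireGuard key's shape, not a real key."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed plan: two customers, a few peers each.
PLAN = (
    Customer("client0", 0, ((fake_key(1), "10.200.0.2"), (fake_key(2), "10.200.0.3")),
             (("tcp", 8080),)),
    Customer("client1", 1, ((fake_key(3), "10.200.1.2"),),
             (("tcp", 8080), ("udp", 5000))),
)

if __name__ == "__main__":
    problems = check_plan(PLAN)
    assert not problems, problems
    print("\n".join(wg_commands(PLAN)))
    print("\n".join(iptables_rules(PLAN)))
```

Run check_plan before applying anything: a peer address outside its customer's /24, or a public key reused across customers, would silently put that peer in the wrong ACL chain.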

* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 13:24         ` Jason A. Donenfeld
@ 2017-09-21 15:29           ` nicolas prochazka
  2017-09-21 15:36             ` Jason A. Donenfeld
From: nicolas prochazka @ 2017-09-21 15:29 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

One last thing: what we also prefer with multiple interfaces is that the
server public key is not shared between our customers.
A customer only knows their interface's public key, so when we destroy
a customer, the key is never used again.
Regards,
Nicolas

2017-09-21 15:24 GMT+02:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> On Thu, Sep 21, 2017 at 3:14 PM, nicolas prochazka
> <prochazka.nicolas@gmail.com> wrote:
>> "historical" private software, and it's difficult to deal with.
>> It is not a wireguard issue.
>
> In that case, I'd recommend you bind your services to 0.0.0.0 and just
> use iptables to do net-based ACLs with the standard filter table.


* Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
  2017-09-21 15:29           ` nicolas prochazka
@ 2017-09-21 15:36             ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2017-09-21 15:36 UTC (permalink / raw)
  To: nicolas prochazka; +Cc: WireGuard mailing list

There shouldn't be any massive issue with sharing your public key
between customers. Just keep your private keys private.

