* Ability to bind wireguard to specific interface / ip address
@ 2017-05-05  9:34 Damian Kaczkowski
From: Damian Kaczkowski @ 2017-05-05  9:34 UTC (permalink / raw)
  To: WireGuard mailing list, Jason A. Donenfeld


Hello Jason.

Currently wireguard binds by default to: 0.0.0.0:<ListenPort>

I want to bind to port 53. However I still want to run dnsmasq on LAN
interface. Currently it is not possible:

daemon.crit dnsmasq[1359]: failed to create listening socket for 10.7.7.1: Address in use
daemon.crit dnsmasq[1359]: FAILED to start up

I want wireguard only on WAN interface / ip address.

This could be done by listening on some other port and mangling packets
with iptables, but this just does not go hand in hand with the 'Simple &
Easy-to-use' WireGuard policy ; ).

Could you consider implementing the ability to select which interface / IP
address to bind to, please?

Greets.
Damian



* Re: Ability to bind wireguard to specific interface / ip address
From: Jason A. Donenfeld @ 2017-05-11 11:44 UTC (permalink / raw)
  To: Damian Kaczkowski; +Cc: WireGuard mailing list

Hi Damian,

Indeed right now WireGuard lets you specify a "listen port", but then
defaults to opening two sockets, one for v4 and one for v6, on the ANY
address. This generally isn't a problem because WireGuard is silent
unless it's sent fully authenticated packets. For ease of use, I
figured that it should accept these from anywhere, since if it's
authenticated, it's authenticated. But there is the sysadmin concern
of wanting to run other services on the same port, like a local DNS
resolver on 53. I can't think of a clean interface for allowing this,
however. Maybe you have some ideas? For example, if I simply allow
specifying IP:port, then how does this work for supporting v4&v6?
Maybe I should then allow for specifying an arbitrarily large sized
list of IP:port combos, and reserve one special-case entry for "both v4
and v6"? But this gets super complicated and I don't want that. Or
maybe I should rely on using the v6-mapped-v4 hack, except this isn't
available on all systems and isn't really efficient for what we're
doing inside WireGuard. So, hmm... I couldn't come up with a clean way
of doing this, so I just stuck with the simplest thing I could think
of... Ideas?

Jason
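The two socket-layer facts this exchange turns on can be checked directly. The script below is an added illustration, not code from the thread or from WireGuard: it uses loopback and a kernel-chosen ephemeral port (constructed for an offline run; the real conflict in Damian's report is on 10.7.7.1:53) and assumes Linux bind-conflict semantics. It shows (1) why a wildcard `0.0.0.0:<port>` bind blocks a later bind of the same port on one specific address, which is exactly what dnsmasq hits, and (2) the difference between WireGuard's two-socket approach (`[::]` with `IPV6_V6ONLY=1` plus a separate `0.0.0.0` socket) and the single dual-stack socket ("v6-mapped-v4") alternative Jason mentions, including how a v4 sender shows up on such a socket.

```python
import errno
import socket


def _bind_udp(family, addr, port, v6only=None):
    """Create a UDP socket, optionally set IPV6_V6ONLY, and bind it."""
    s = socket.socket(family, socket.SOCK_DGRAM)
    if family == socket.AF_INET6 and v6only is not None:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
    s.bind((addr, port))
    return s


def _label(err):
    # Return a portable label instead of a raw errno number.
    return "EADDRINUSE" if err.errno == errno.EADDRINUSE else str(err.errno)


def wildcard_then_specific():
    """Bind 0.0.0.0:<ephemeral> (WireGuard's default), then try 127.0.0.1 on
    the same port (the dnsmasq-on-LAN-address role). Returns "EADDRINUSE"
    when the second bind is refused, or None if it unexpectedly succeeds."""
    wild = _bind_udp(socket.AF_INET, "0.0.0.0", 0)
    port = wild.getsockname()[1]
    try:
        spec = _bind_udp(socket.AF_INET, "127.0.0.1", port)
        spec.close()
        return None
    except OSError as e:
        return _label(e)
    finally:
        wild.close()


def v6_socket_claims_v4_port(v6only):
    """Bind [::]:<ephemeral> on an AF_INET6 socket with the given IPV6_V6ONLY
    setting, then try 0.0.0.0 on the same port with an AF_INET socket.
    Returns None if the v4 bind succeeds (v6only=True, WireGuard's layout),
    "EADDRINUSE" if the dual-stack socket already owns the v4 port, or
    "no-ipv6" if this host cannot bind IPv6 at all."""
    try:
        v6 = _bind_udp(socket.AF_INET6, "::", 0, v6only=v6only)
    except OSError:
        return "no-ipv6"
    port = v6.getsockname()[1]
    try:
        v4 = _bind_udp(socket.AF_INET, "0.0.0.0", port)
        v4.close()
        return None
    except OSError as e:
        return _label(e)
    finally:
        v6.close()


def mapped_v4_source_on_dual_stack_socket():
    """Send one datagram from a plain IPv4 socket to a dual-stack [::] socket
    and return the source address the v6 socket reports. This is the
    "v6-mapped-v4" form ("::ffff:a.b.c.d") a single-socket design would have
    to handle; returns "no-ipv6" if the host cannot do this."""
    try:
        v6 = _bind_udp(socket.AF_INET6, "::", 0, v6only=False)
    except OSError:
        return "no-ipv6"
    port = v6.getsockname()[1]
    v6.settimeout(2.0)
    v4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        v4.sendto(b"constructed test datagram", ("127.0.0.1", port))
        _data, (host, _p, _flow, _scope) = v6.recvfrom(64)
        return host
    except OSError:
        return "no-ipv6"
    finally:
        v4.close()
        v6.close()


if __name__ == "__main__":
    print("wildcard then specific bind:", wildcard_then_specific())
    print("v6 socket (V6ONLY=1) then v4 wildcard:", v6_socket_claims_v4_port(True))
    print("v6 socket (V6ONLY=0) then v4 wildcard:", v6_socket_claims_v4_port(False))
    print("v4 sender as seen by dual-stack socket:", mapped_v4_source_on_dual_stack_socket())
```

The first function reproduces the failure mode in the original report: the kernel treats a wildcard bind as owning the port on every local address, so neither "WireGuard first, dnsmasq second" nor the reverse order can share port 53 without a specific-address bind on the WireGuard side. The second and third functions show why Jason's question about v4 and v6 is not cosmetic: with `IPV6_V6ONLY=1` the v6 socket leaves the v4 port free for a second socket, which is the layout WireGuard uses, whereas a single dual-stack socket takes both and then has to deal with v4 peers arriving as mapped addresses.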

