wireguard.lists.zx2c4.com archive mirror
From: Aryn Starr <whereislelouch@icloud.com>
To: Derrick Lyndon Pallas <derrick@pallas.us>
Cc: wireguard@lists.zx2c4.com
Subject: Re: [Feature Request] Add ability to exclude subnets from AllowedIPs
Date: Mon, 26 Aug 2019 00:56:45 +0430
Message-ID: <404FD4CE-ACC0-41F0-A36D-CB3DC339B3F5@icloud.com>
In-Reply-To: <47ECFF71-29D8-472B-98D3-C7BF72ADA7F7@pallas.us>



I haven’t tested that AllowedIPs approach actually. I’ll take a look at that Python wrapper, thanks.
I don’t know much about iptables and routing. I think learning it sufficiently will take quite some time? Or are there some tutorials around?
I also actually use WireGuard with macOS (though I occasionally use it on Linux, too).

> On Aug 25, 2019, at 11:47 PM, Derrick Lyndon Pallas <derrick@pallas.us> wrote:
> 
> Why wouldn't this happen as an iptables rule?
> 
> If some AllowedIPs trick is working for you and you're using Python and the kernel version of WireGuard, check out [1], which will allow you to programmatically set up the interface.
> 
> FWIW, I'm not sure adding complication to AllowedIPs is the right approach, but adding it to a tool seems reasonable. Maybe it also makes sense to allow an IPset, but I haven't thought it through. My gut says routing prior to WireGuard is probably what you're looking for.
> 
> [1] https://github.com/ArgosyLabs/wgnlpy
> 
> ~Derrick • iPhone
> 
>> On Aug 22, 2019, at 12:10 PM, Aryn Starr <whereislelouch@icloud.com> wrote:
>> 
>> I live in Iran, and here the internet censorship is fierce. I need to route almost all of my traffic through the VPN, but some domestic sites are not accessible from the US. Also, since ISPs apply different censoring rules, sometimes my own servers are not reachable via the VPN (because the server’s ISP blocks the VPN, while my local ISP does not.)
>> The best current solution I’ve seen is
>> ```
>> $ python3
>> >>> import ipaddress
>> >>> n1 = ipaddress.ip_network('106.203.202.0/23')
>> >>> n2 = ipaddress.ip_network('106.203.203.13/32')
>> >>> l = list(n1.address_exclude(n2))
>> >>> print(l)
>> ```
>> Which is terrible.
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard
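
The `address_exclude` approach quoted above, extended to several exclusions and to IPv6, as an added example that is not part of the thread and is not WireGuard or wgnlpy code. The function names `exclude_subnets` and `allowed_ips_line` are hypothetical, and every prefix other than the two from the post is a constructed sample.

```python
import ipaddress


def exclude_subnets(allowed, excluded):
    """Return the CIDR blocks that cover `allowed` minus every `excluded` prefix."""
    remaining = [ipaddress.ip_network(a) for a in allowed]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.version != ex.version or not net.overlaps(ex):
                kept.append(net)  # this exclusion does not touch net
            elif net.subnet_of(ex):
                continue  # net lies entirely inside the exclusion: drop it
            else:
                # ex is strictly inside net: split net into the blocks around ex
                kept.extend(net.address_exclude(ex))
        remaining = kept
    # collapse_addresses() rejects mixed versions, so merge each family separately
    result = []
    for version in (4, 6):
        result += ipaddress.collapse_addresses(
            [n for n in remaining if n.version == version])
    return result


def allowed_ips_line(allowed, excluded):
    """Format the result as an AllowedIPs line for a WireGuard peer section."""
    nets = exclude_subnets(allowed, excluded)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    # The two prefixes from the post above
    print(allowed_ips_line(["106.203.202.0/23"], ["106.203.203.13/32"]))
    # Constructed sample: full tunnel minus two documentation ranges
    # (RFC 5737 and RFC 3849)
    print(allowed_ips_line(["0.0.0.0/0", "::/0"],
                           ["192.0.2.0/24", "2001:db8::/32"]))
```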



Thread overview: 4+ messages
2019-08-22 19:10 [Feature Request] Add ability to exclude subnets from AllowedIPs Aryn Starr
2019-08-25 19:17 ` Derrick Lyndon Pallas
2019-08-25 20:26   ` Aryn Starr [this message]
2019-08-26 17:48     ` Ivan Labáth
