wireguard.lists.zx2c4.com archive mirror
 help / color / mirror / Atom feed
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Paul Zillmann <paul@zil.li>, wireguard@lists.zx2c4.com
Cc: henningreich@gmail.com
Subject: Re: Overlapping AllowedIPs Configuration
Date: Thu, 06 Jun 2019 12:09:45 +0200	[thread overview]
Message-ID: <87lfyfdnyu.fsf@toke.dk> (raw)
In-Reply-To: <536efee3-3d15-682f-4979-7fa2bb3457c3@zil.li>

Paul Zillmann <paul@zil.li> writes:

> Hello,
>
> we have the same problem here, although our allowed IP ranges should be 
> 0.0.0.0/0 for all peers.
> We have OSPF traffic on the wireguard links so it should be task of the 
> Kernel's routing table to decide where to send what.
>
> The problem is that the allowed-ips configuration has multiple purposes: 
> routing table and firewall/packet filter. This introduces these 
> problems. It would be helpfull to get a compile flag or something else 
> to make this behavior optional.

That is probably not going to happen; the crypto-routing is quite
integral to Wireguard, and is an important security feature.

> Right now Wireguard isn't very friendly to dynamic routing.
>
> I came up with multiple solutions:
> - create multiple interfaces + tunnels.
> or
> - create a bash script that injects the Kernel's routing table into the 
> wg tool every other minute.
>
> Do you guys have a better idea? If not I would create the bash script.

IMO, the "right" way to fix this is to make your routing daemon aware of
wireguard and have it configure the routes directly into the wireguard
table. That also gives you security for your routing protocol
automatically (since only authenticated sources/destinations will be
allowed), as long as you have a secure way of bootstrapping the
wireguard keying.

-Toke
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

  reply	other threads:[~2019-06-06 10:10 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-06 21:08 Overlapping AllowedIPs Configuration Aleksa Sarai
2019-05-11 15:19 ` Henning Reich
2019-05-11 17:11   ` Aleksa Sarai
2019-05-25 18:39 ` Paul Zillmann
2019-06-06 10:09   ` Toke Høiland-Jørgensen [this message]
2019-06-07  8:05     ` Ivan Labáth
2019-06-07 10:07       ` Matthias Urlichs
2019-06-13  7:29         ` Vincent Wiemann
2019-06-07 23:58     ` Paul Zillmann
2019-06-08  7:32   ` Markus Grundmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87lfyfdnyu.fsf@toke.dk \
    --to=toke@toke.dk \
    --cc=henningreich@gmail.com \
    --cc=paul@zil.li \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).