WireGuard Archive on lore.kernel.org
* wg addconf :: AllowedIPs gets deleted with the additions of peers
@ 2018-06-25 19:51 Adrian Sevcenco
  2018-06-25 19:55 ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 8+ messages in thread
From: Adrian Sevcenco @ 2018-06-25 19:51 UTC (permalink / raw)
  To: WireGuard mailing list

Hi! It seems that the AllowedIPs declaration gets erased when peers are
added with addconf.
So, we have the interface:
wg showconf wg0
[Interface]
ListenPort = 43333
PrivateKey = <XXX>

And we add a peer:
wg addconf wg0 hal.conf.p1
[Monday 25.06.18 22:48] root@sev : /etc/wireguard/peers_server $
wg showconf wg0
[Interface]
ListenPort = 43333
PrivateKey = KLLZ9i4ffUeCv+e6cs7V7+jKM3KJtgaRkEbt52UCcEU=

[Peer]
PublicKey = /azluhJf0RYaIxu6rHRHx6+fKfivwOnKVp9Naefgsk0=
AllowedIPs = 0.0.0.0/0

Then we add a second peer:
wg addconf wg0 x360.conf.p2
[Monday 25.06.18 22:49] root@sev : /etc/wireguard/peers_server $
wg showconf wg0
[Interface]
ListenPort = 43333
PrivateKey = KLLZ9i4ffUeCv+e6cs7V7+jKM3KJtgaRkEbt52UCcEU=

[Peer]
PublicKey = /azluhJf0RYaIxu6rHRHx6+fKfivwOnKVp9Naefgsk0=
Endpoint = 79.115.160.101:43333

[Peer]
PublicKey = 0bC+LP/8fsjjn9RSdq+Bz1qdgPRV3CYE/4fEiOqjrC4=
AllowedIPs = 0.0.0.0/0

The AllowedIPs declaration was erased from the first peer.

The file contents:
[Monday 25.06.18 22:49] root@sev : /etc/wireguard/peers_server $
cat hal.conf.p1
[Peer]
PublicKey = /azluhJf0RYaIxu6rHRHx6+fKfivwOnKVp9Naefgsk0=
AllowedIPs = 0.0.0.0/0

[Monday 25.06.18 22:50] root@sev : /etc/wireguard/peers_server $
cat x360.conf.p2
[Peer]
PublicKey = 0bC+LP/8fsjjn9RSdq+Bz1qdgPRV3CYE/4fEiOqjrC4=
AllowedIPs = 0.0.0.0/0

Thank you!
Adrian


* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
  2018-06-25 19:51 wg addconf :: AllowedIPs gets deleted with the additions of peers Adrian Sevcenco
@ 2018-06-25 19:55 ` Toke Høiland-Jørgensen
  2018-06-25 20:00   ` Adrian Sevcenco
  0 siblings, 1 reply; 8+ messages in thread
From: Toke Høiland-Jørgensen @ 2018-06-25 19:55 UTC (permalink / raw)
  To: Adrian Sevcenco, WireGuard mailing list

Adrian Sevcenco <adrian.sev@gmail.com> writes:

> Hi! It seems that the AllowedIPs declaration gets erased when peers are
> added with addconf.

You can't have the same AllowedIPs for two different peers... :)

-Toke


* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
  2018-06-25 19:55 ` Toke Høiland-Jørgensen
@ 2018-06-25 20:00   ` Adrian Sevcenco
  2018-06-25 20:37     ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 8+ messages in thread
From: Adrian Sevcenco @ 2018-06-25 20:00 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen, WireGuard mailing list

On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>
>> Hi! It seems that the AllowedIPs declaration gets erased when peers are
>> added with addconf.
>
> You can't have the same AllowedIPs for two different peers... :)
Err... so, it's a bug or a feature?
If it is a feature, how can I make the server accept whatever IP the
client(s) get in various networks?

Thank you!
Adrian


* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
  2018-06-25 20:00   ` Adrian Sevcenco
@ 2018-06-25 20:37     ` Toke Høiland-Jørgensen
  2018-06-26  7:34       ` Adrian Sevcenco
  0 siblings, 1 reply; 8+ messages in thread
From: Toke Høiland-Jørgensen @ 2018-06-25 20:37 UTC (permalink / raw)
  To: Adrian Sevcenco, WireGuard mailing list

Adrian Sevcenco <adrian.sev@gmail.com> writes:

> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>
>>> Hi! It seems that the AllowedIPs declaration gets erased when peers are
>>> added with addconf.
>>
>> You can't have the same AllowedIPs for two different peers... :)
>
> Err... so, it's a bug or a feature?

A feature. The AllowedIPs controls which IP addresses will be routed to
that peer. They refer to addresses inside the tunnel. So depending on
your setup you'd specify the single IP you assign each peer, or possibly
any subnets behind that peer you want routed through the tunnel.

> If it is a feature, how can I make the server accept whatever IP the
> client(s) get in various networks?

Changing IPs *on the outside* of the tunnel will be accepted
automatically. The Endpoint specifier is only the initial address; if a
device changes its IP, it'll just keep sending packets from the new IP,
and because they are authenticated by the crypto, the other peer will
accept them and change its notion of what IP the other peer is
reachable at automatically. So as long as only one peer changes its IP
at a time, roaming mostly just works :)

-Toke


* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
  2018-06-25 20:37     ` Toke Høiland-Jørgensen
@ 2018-06-26  7:34       ` Adrian Sevcenco
  2018-06-26  7:44         ` Eric Light
                           ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Adrian Sevcenco @ 2018-06-26  7:34 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen, WireGuard mailing list

On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>
>> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>>
>>>> Hi! It seems that the AllowedIPs declaration gets erased when peers are
>>>> added with addconf.
>>>
>>> You can't have the same AllowedIPs for two different peers... :)
>>
>> Err... so, it's a bug or a feature?
>
> A feature. The AllowedIPs controls which IP addresses will be routed to
> that peer. They refer to addresses inside the tunnel. So depending on
> your setup you'd specify the single IP you assign each peer, or possibly
> any subnets behind that peer you want routed through the tunnel.
Then, how can I set a default "allow everything" for each peer? Should I
make a different tunnel for each peer?
But given your explanation, I still feel that it is a bug that when an
AllowedIPs is declared with the addition of a second peer, the declaration
from the first peer gets erased ...
It should be either a global setting per tunnel OR an individual setting
per peer (in which case it should stay set)

Thank you!!
Adrian

>
>> If it is a feature, how can I make the server accept whatever IP the
>> client(s) get in various networks?
>
> Changing IPs *on the outside* of the tunnel will be accepted
> automatically. The Endpoint specifier is only the initial address; if a
> device changes its IP, it'll just keep sending packets from the new IP,
> and because they are authenticated by the crypto, the other peer will
> accept them and change its notion of what IP the other peer is
> reachable at automatically. So as long as only one peer changes its IP
> at a time, roaming mostly just works :)
>
> -Toke


* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
  2018-06-26  7:34       ` Adrian Sevcenco
@ 2018-06-26  7:44         ` Eric Light
  2018-06-26  8:13         ` Matthias Urlichs
  2018-06-26 10:56         ` Toke Høiland-Jørgensen
  2 siblings, 0 replies; 8+ messages in thread
From: Eric Light @ 2018-06-26  7:44 UTC (permalink / raw)
  To: Adrian Sevcenco; +Cc: wireguard

Hi, Adrian!

The reason you can't have the _same_ AllowedIPs for two different peers is
because that's what's used to set the routes.  How can you set two different
routes for the same destination?

So, because you're trying to set 0.0.0.0/0, there can only ever be one peer
at the end of that route.

What you need to do is set a more precise range for the AllowedIPs.  For
example, 192.168.100.0/24 and 192.168.101.0/24 (for two hosts on different
networks), or 192.168.88.200/32 and 192.168.88.201/32 (for two hosts on the
same network).

Then if you want one host that just *everything else* tunnels through, you
can set a 0.0.0.0/0 - which behaves as your default route.

Hope that helps  :)

Eric

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Tue, 26 Jun 2018, at 19:34, Adrian Sevcenco wrote:
> On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
> > Adrian Sevcenco <adrian.sev@gmail.com> writes:
> >
> >> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
> >>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
> >>>
> >>>> Hi! It seems that the AllowedIPs declaration gets erased when peers are
> >>>> added with addconf.
> >>>
> >>> You can't have the same AllowedIPs for two different peers... :)
> >>
> >> Err... so, it's a bug or a feature?
> >
> > A feature. The AllowedIPs controls which IP addresses will be routed to
> > that peer. They refer to addresses inside the tunnel. So depending on
> > your setup you'd specify the single IP you assign each peer, or possibly
> > any subnets behind that peer you want routed through the tunnel.
> Then, how can I set a default "allow everything" for each peer? Should I
> make a different tunnel for each peer?
> But given your explanation, I still feel that it is a bug that when an
> AllowedIPs is declared with the addition of a second peer, the declaration
> from the first peer gets erased ...
> It should be either a global setting per tunnel OR an individual setting
> per peer (in which case it should stay set)
>
> Thank you!!
> Adrian
>
> >
> >> If it is a feature, how can I make the server accept whatever IP the
> >> client(s) get in various networks?
> >
> > Changing IPs *on the outside* of the tunnel will be accepted
> > automatically. The Endpoint specifier is only the initial address; if a
> > device changes its IP, it'll just keep sending packets from the new IP,
> > and because they are authenticated by the crypto, the other peer will
> > accept them and change its notion of what IP the other peer is
> > reachable at automatically. So as long as only one peer changes its IP
> > at a time, roaming mostly just works :)
> >
> > -Toke


* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
  2018-06-26  7:34       ` Adrian Sevcenco
  2018-06-26  7:44         ` Eric Light
@ 2018-06-26  8:13         ` Matthias Urlichs
  2018-06-26 10:56         ` Toke Høiland-Jørgensen
  2 siblings, 0 replies; 8+ messages in thread
From: Matthias Urlichs @ 2018-06-26  8:13 UTC (permalink / raw)
  To: wireguard

On 26.06.2018 09:34, Adrian Sevcenco wrote:
> Then, how can I set a default "allow everything" for each peer? Should I
> make a different tunnel for each peer?

Why would you want to? You need IP routing information for each peer,
just like you need their public key. You can't have two peers / networks
/ whatever with the same IP address or address range. That's always been
the case, wireguard or no wireguard.

-- 
-- Matthias Urlichs


* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
  2018-06-26  7:34       ` Adrian Sevcenco
  2018-06-26  7:44         ` Eric Light
  2018-06-26  8:13         ` Matthias Urlichs
@ 2018-06-26 10:56         ` Toke Høiland-Jørgensen
  2 siblings, 0 replies; 8+ messages in thread
From: Toke Høiland-Jørgensen @ 2018-06-26 10:56 UTC (permalink / raw)
  To: Adrian Sevcenco, WireGuard mailing list

Adrian Sevcenco <adrian.sev@gmail.com> writes:

> On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>
>>> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>>>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>>>
>>>>> Hi! It seems that the AllowedIPs declaration gets erased when peers are
>>>>> added with addconf.
>>>>
>>>> You can't have the same AllowedIPs for two different peers... :)
>>>
>>> Err... so, it's a bug or a feature?
>>
>> A feature. The AllowedIPs controls which IP addresses will be routed to
>> that peer. They refer to addresses inside the tunnel. So depending on
>> your setup you'd specify the single IP you assign each peer, or possibly
>> any subnets behind that peer you want routed through the tunnel.
> Then, how can I set a default "allow everything" for each peer? Should I
> make a different tunnel for each peer?

Yes, if you want point-to-point links where all traffic is sent to a
single other peer, you'll need separate interfaces.

If you want a road warrior type setup, where client devices connect to a
server and use that as a default gateway, you'd assign each client a
single IP (inside the tunnel) and put that in each peer config's
allowedips. The clients can then all have 0.0.0.0/0 as allowedip of the
server.

> But given your explanation, I still feel that it is a bug that when an
> AllowedIPs is declared with the addition of a second peer, the declaration
> from the first peer gets erased ...

Well, the UI can be surprising, sure, but the alternative would be to
report an error if you try to set the same allowedIP on different peers,
which is not necessarily better. And it's not a bug in that it is
intentional behaviour ;)

> It should be either a global setting per tunnel OR an individual setting
> per peer (in which case it should stay set)

I think the point of confusion is that it is called 'allowedips', but it
really means 'ips that are allowed from this peer *and* routed to this
peer'. I.e., it is also a routing table. See
https://www.wireguard.com/#cryptokey-routing


-Toke
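A small model of the cryptokey routing table that Toke and Eric describe, added here as an illustration (it is not WireGuard's code and not from any post in the thread); the peer names "hal" and "x360" and the 10.0.0.0/24 tunnel addresses are assumptions. It reproduces the original post's sequence, where 0.0.0.0/0 moves from the first peer to the second, and then the road-warrior layout with one /32 per client:

```python
# Added example, not WireGuard's own code: a model of the cryptokey routing
# table that AllowedIPs populates. Every prefix has exactly one owning peer,
# so giving 0.0.0.0/0 to a second peer silently takes it from the first.
# Peer names and the 10.0.0.0/24 tunnel addresses are constructed.
from ipaddress import ip_address, ip_network


class CryptokeyRoutingTable:
    def __init__(self):
        self.routes = {}  # ip_network -> owning peer (one owner per prefix)

    def set_allowed_ips(self, peer, prefixes):
        """Model of `wg addconf` adding a [Peer]: a prefix already owned by
        another peer is moved to `peer`, which is what the thread observed."""
        for p in prefixes:
            self.routes[ip_network(p)] = peer

    def allowed_ips(self, peer):
        """What the AllowedIPs line of `wg showconf` would list for a peer."""
        return sorted(str(n) for n, owner in self.routes.items() if owner == peer)

    def lookup(self, ip):
        """Longest-prefix match: the peer an in-tunnel destination is sent to.
        Inbound uses the same table, so a decrypted packet whose source address
        is not owned by the sending peer is dropped."""
        addr, best = ip_address(ip), None
        for net, owner in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, owner)
        return best[1] if best else None


def reproduce_thread_scenario():
    """The sequence from the original post: both peers given 0.0.0.0/0."""
    table = CryptokeyRoutingTable()
    table.set_allowed_ips("hal", ["0.0.0.0/0"])
    table.set_allowed_ips("x360", ["0.0.0.0/0"])
    # hal's AllowedIPs is now empty, matching the second `wg showconf` output
    return table.allowed_ips("hal"), table.allowed_ips("x360")


def road_warrior_server():
    """The server side of the setup Toke and Eric describe: one /32 per
    client; each client in turn carries 0.0.0.0/0 pointing at the server."""
    table = CryptokeyRoutingTable()
    table.set_allowed_ips("hal", ["10.0.0.2/32"])
    table.set_allowed_ips("x360", ["10.0.0.3/32"])
    return table
```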

