* Re: Explanation of multiple addresses in config
[not found] ` <CAPWNY8VCYCUy7B_6D-WbPFcAYVopO9D97Ykp_35MdKQUk_Z26Q@mail.gmail.com>
@ 2020-01-10 11:22 ` Michael Brookes
0 siblings, 0 replies; 2+ messages in thread
From: Michael Brookes @ 2020-01-10 11:22 UTC (permalink / raw)
To: Mantas Mikulėnas, wireguard
Thanks very much, your response helped me understand what was
happening and fixed it.
I understand the concept of AllowedIPs, but expected that when doing
wg-quick up it would install all the routes as needed, if I explain
with a config called allpeer.conf:
[Interface]
PrivateKey = private
Address = 10.19.50.100/24
Address = 10.88.118.166/16
Address = 172.30.118.166/16
[Peer]
PublicKey = olmRgZ8zHuq+ms8MYBflOXQscj9icsKo99UmSuwqWAA=
AllowedIPs = 10.200.96.0/20
Endpoint = ep1:51820
PersistentKeepalive = 25
[Peer]
PublicKey = PemOwzCRmpCOL+crUm5rK63vYhh5ibPflJbEhtbJLCC=
AllowedIPs = 172.27.0.0/16,10.88.0.0/16,10.100.0.0/16
Endpoint = ep2:51820
PersistentKeepalive = 25
[Peer]
PublicKey = DAAEZhn4xMkURkHllFmYSkfeQpaMXPxUHDJH6FybsEE=
AllowedIPs = 10.201.16.0/20
Endpoint = ep3:51820
PersistentKeepalive = 25
[Peer]
PublicKey = m+qU4tNSNXzMINohA1rr66aqUX6qVFjZhKAstZOqlDD=
AllowedIPs = 10.19.50.0/24, 10.0.0.0/24
Endpoint = ep4:51820
PersistentKeepalive = 10
Doing wg-quick up allpeer.conf I get these routes installed:
10.0.0.0/24 dev allpeer scope link
10.19.50.0/24 dev allpeer proto kernel scope link src 10.19.50.100
10.88.0.0/16 dev allpeer proto kernel scope link src 10.88.118.166
10.100.0.0/16 dev allpeer scope link
10.200.96.0/20 dev allpeer scope link
10.201.16.0/20 dev allpeer scope link
172.27.0.0/16 dev allpeer scope link
172.30.0.0/16 dev allpeer proto kernel scope link src 172.30.118.166
Which makes the peer with endpoint ep4 work, the others do not due to
packets using the wrong source address as explained in the OP.
If I remove these routes:
10.100.0.0/16 dev allpeer scope link
10.200.96.0/20 dev allpeer scope link
10.201.16.0/20 dev allpeer scope link
172.27.0.0/16 dev allpeer scope link
and manually add routes like you suggested, for example:
ip route add 10.201.16.0/20 dev allpeer src 172.30.118.166
ip route add 172.27.0.0/16 dev allpeer src 10.88.118.166
all peers work, which is great.
Many thanks again
On Thu, 9 Jan 2020 at 06:58, Mantas Mikulėnas <grawity@gmail.com> wrote:
>
> On Thu, Jan 9, 2020 at 8:04 AM Michael Brookes <mgsb81@gmail.com> wrote:
>>
>> Hello
>>
>> The manpage for wg-quick states one can use Address multiple times in
>> the Interface section of a config. I've tried this but it yields
>> unexpected results. Here is my config which I'm using on my Ubuntu
>> laptop:
>>
>> [Interface]
>> PrivateKey = <key>
>> Address = 10.19.49.103/24
>> Address = 10.88.118.166/16
>>
>> [Peer]
>> PublicKey = FgVLScjX29jwnXXbHStFpNKcFqbaiNK6LuSWFglrWCo=
>> AllowedIPs = 172.18.1.0/24, 10.19.49.0/24
>> Endpoint = endpoint1:51820
>> PersistentKeepalive = 10
>>
>> [Peer]
>> PublicKey = itXrReVj+wuecrSs+VNnEEkpc7wHb8QhXQtMQUBrOj8=
>> AllowedIPs = 172.27.0.0/16,10.88.0.0/16
>> Endpoint = endpoint2:51820
>> PersistentKeepalive = 25
>>
>> wg-quick up <config> gives me an interface with both addresses
>> assigned, 10.19.49.103 is listed first, 10.88.118.166 listed second in
>> the ip addr output.
>> Running tcpdump in parallel on both peer endpoints and my latop, I
>> ping an address in the ranges the second peer lists in its AllowedIPs,
>> for example 172.27.3.141.
>> tcpdump on the wireguard interfaces shows the following:
>>
>> 10.19.49.103 -> 172.27.3.141: : ICMP echo request
>>
>> I can see the peer itXrReV... receiving the echo request but it's
>> coming from the first Address listed in the config and endpoint2 only
>> has 10.88/16 addresses in it's AllowedIPs.
>>
>> Any insight into what's happening would be gratefully received, I've
>> tried asking a couple of times but not had any feedback, I suspect I
>> am fundamentally misunderstanding something here.
>
>
> Honestly this sounds quite normal. The kernel's network stack chooses the source address without any internal knowledge about WireGuard's configuration.
>
> I think you're confused about the purpose of WireGuard's AllowedIPs=. It only defines acceptable *remote* addresses for that peer (destinations for outbound, sources for inbound); it does not restrict what *local* address you will use.
>
> You can tell Linux to prefer one source address or the other, by adding routes with the 'src' keyword in `ip route` (RTA_PREFSRC attribute). For example:
>
> ip route add 172.18.1.0/24 dev wg0 src 10.19.49.103
> ip route add 172.27.0.0/16 dev wg0 src 10.88.118.166
>
> --
> Mantas Mikulėnas
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 2+ messages in thread