* what to do when the peers use different IPs to transmit and receive @ 2018-09-16 12:21 Raffaele Spazzoli 2018-09-16 16:54 ` Ivan Labáth 0 siblings, 1 reply; 7+ messages in thread From: Raffaele Spazzoli @ 2018-09-16 12:21 UTC (permalink / raw) To: wireguard [-- Attachment #1: Type: text/plain, Size: 2244 bytes --] Hi, I am trying to build an encrypted tunnel between two Kubernetes clusters. The distribution of Kubernetes that I use is OpenShift, so I'll make my examples in OpenShift although the problem that I'm seeing is really more general. The nodes that comprise the cluster in OpenShift have an IP in what we'll call the enterprise network. Also they establish between each other an SDN. The SDN will have a separate CIDR from the enterprise network and the pods that OpenShift starts receive an SDN IP. Each node manages a subnet of the SDN CIDR. What I'd like to do is to make the IPs of two different OpenShift SDNs routable over and encrypted tunnel. In my design each node of cluster A sees as its VPN peers the nodes of cluster B. So this creates a sort of a meshed VPN. Wireguard fits very well this series of requirements, but I have an issue. Normally the nodes of a cluster are not directly exposed to the internet. This is for security reasons. Whether the cluster is in the cloud or on premise, normally what customers do is to use private internal addresses. To access the cluster one can use VIPs. Especially in the cloud Kubernetes makes it easy to create VIPs in an automated fashion. VIP are public IPs that can be used to loadbalanced backed services. UDP VIPS are supported. So if we assume that the two clusters that we want to connect using wireguard are in two different geographies and can only be talk over the internet and through VIPs, then the IP that a node uses for its outbound connection is not the same that its peer need to use for its inbound connections. Each node can have a dedicated VIP that peers need to use for its inbound connection and then it will use the node's private IP for its outbound connection. In this situation wiregaurd assumes that the peer has changed IP (built-in roaming feature) and it updates the peer endpoint value. This doesn't work for my setup. What can I do to fix this issue? Or alternatively would it be reasonable to add a flag to make a peer configuration immutable? Thanks, Raffaele Raffaele Spazzoli Senior Architect - OpenShift <https://www.openshift.com>, Containers and PaaS Practice <https://www.redhat.com/en/services/consulting/paas> Tel: +1 216-258-7717 [-- Attachment #2: Type: text/html, Size: 3043 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: what to do when the peers use different IPs to transmit and receive 2018-09-16 12:21 what to do when the peers use different IPs to transmit and receive Raffaele Spazzoli @ 2018-09-16 16:54 ` Ivan Labáth 2018-09-16 18:56 ` Raffaele Spazzoli 0 siblings, 1 reply; 7+ messages in thread From: Ivan Labáth @ 2018-09-16 16:54 UTC (permalink / raw) To: Raffaele Spazzoli; +Cc: wireguard Hi, On Sun, Sep 16, 2018 at 08:21:02AM -0400, Raffaele Spazzoli wrote: > ... then the IP that a node uses for its outbound > connection is not the same that its peer need to use for its inbound > connections. Who uses what for whose connection? You lost me here. Looks like a broken network to me. Does TCP even work? Anyway, SNAT/DNAT should be able to fix things up, if you want to go that route. Regards, Ivan ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: what to do when the peers use different IPs to transmit and receive 2018-09-16 16:54 ` Ivan Labáth @ 2018-09-16 18:56 ` Raffaele Spazzoli 2018-09-16 23:08 ` Raffaele Spazzoli 0 siblings, 1 reply; 7+ messages in thread From: Raffaele Spazzoli @ 2018-09-16 18:56 UTC (permalink / raw) To: Ivan Labáth; +Cc: wireguard [-- Attachment #1: Type: text/plain, Size: 1712 bytes --] I'll try to make an example cluster 1 node 1 has private IP1 and VIP1 cluster 2 node 2 has private IP2 and VIP2 each node uses it's private ip for outbound connections. each node can receive inbound connection on its VIP. so the wireguard config file for node1 is going to look like: [peer] endpoint: VIP2:port and for node 2: [peer] endpoint: VIP1: port the problem is that after the handshake, wireguard updates the config to the following (for example for node2): [peer] endpoint: IP1:port but IP2 cannot route to IP1... I think a well configured SNAT rule may work, although is not elegant because it forces the cluster to exchange information about their private IPs. This should not be needed and in the cloud private IPs are ephemeral.... anyway thanks for the advice, I am going to try to use it in my prototype. I still think there is need for a better technical approach for a long term solution. Thanks, Raffaele Raffaele Spazzoli Senior Architect - OpenShift <https://www.openshift.com>, Containers and PaaS Practice <https://www.redhat.com/en/services/consulting/paas> Tel: +1 216-258-7717 On Sun, Sep 16, 2018 at 12:54 PM, Ivan Labáth <labawi-wg@matrix-dream.net> wrote: > Hi, > > On Sun, Sep 16, 2018 at 08:21:02AM -0400, Raffaele Spazzoli wrote: > > ... then the IP that a node uses for its outbound > > connection is not the same that its peer need to use for its inbound > > connections. > > Who uses what for whose connection? You lost me here. > Looks like a broken network to me. Does TCP even work? > > Anyway, SNAT/DNAT should be able to fix things up, if you want to go > that route. > > Regards, > Ivan > [-- Attachment #2: Type: text/html, Size: 3333 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: what to do when the peers use different IPs to transmit and receive 2018-09-16 18:56 ` Raffaele Spazzoli @ 2018-09-16 23:08 ` Raffaele Spazzoli 2018-09-17 9:16 ` Ivan Labáth 0 siblings, 1 reply; 7+ messages in thread From: Raffaele Spazzoli @ 2018-09-16 23:08 UTC (permalink / raw) To: Ivan Labáth; +Cc: wireguard [-- Attachment #1: Type: text/plain, Size: 8078 bytes --] Ivan, I tried the SNAT idea, and still have issue. here is an example configuration of one of the nodes: [Interface] ListenPort = 5555 PrivateKey = --- [Peer] PublicKey = H09cwQeUUly2AIdTAhyr5zvzFK9bED0NYiKgJultYwE= AllowedIPs = 10.128.2.0/23 Endpoint = 192.168.99.12:31112 PersistentKeepalive = 25 [Peer] PublicKey = 5nC5cyDg9WZ/2R3CPEbM+fSXzsn5Yx1mX48iizdfdHU= AllowedIPs = 10.128.0.0/23 Endpoint = 192.168.99.14:32188 PersistentKeepalive = 25 [Peer] PublicKey = MzFg1tMaLUFC3kD9maiZZAHWywfCDyPlYF1zu6Dj30E= AllowedIPs = 10.130.0.0/23 Endpoint = 192.168.99.13:31992 PersistentKeepalive = 25 [Peer] PublicKey = s7/lxyvFQCxE+KBoUJ/9vpPgLZ6pTdYUCsJ/snp3mUk= AllowedIPs = 10.129.0.0/23 Endpoint = 192.168.99.15:30305 PersistentKeepalive = 25 [Peer] PublicKey = SuO927DbGm2h2I8hcf24LvYWglKp+4wGAuiyisin/yY= AllowedIPs = 10.131.0.0/23 Endpoint = 192.168.99.7:31714 PersistentKeepalive = 25 [Peer] PublicKey = a+tK21LKdsBkQNqmqdRpvS9HLpz2W8rwDijTPkXEc0Q= AllowedIPs = 10.129.2.0/23 Endpoint = 192.168.99.6:31165 PersistentKeepalive = 25 the private IP to VIP map for the peers of this node is: 10.128.2.10-192.168.99.12 10.128.1.94-192.168.99.14 10.130.0.136-192.168.99.13 10.129.1.158-192.168.99.15 10.131.0.199-192.168.99.7 10.129.2.217-192.168.99.6 I create the following iptables rules: sh-4.2# iptables -t nat -n -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination SNAT udp -- 10.128.2.10 0.0.0.0/0 udp dpt:5555 to: 192.168.99.12:5555 SNAT udp -- 10.128.1.94 0.0.0.0/0 udp dpt:5555 to: 192.168.99.14:5555 SNAT udp -- 10.130.0.136 0.0.0.0/0 udp dpt:5555 to: 192.168.99.13:5555 SNAT udp -- 10.129.1.158 0.0.0.0/0 udp dpt:5555 to: 192.168.99.15:5555 SNAT udp -- 10.131.0.199 0.0.0.0/0 udp dpt:5555 to: 192.168.99.7:5555 SNAT udp -- 10.129.2.217 0.0.0.0/0 udp dpt:5555 to: 192.168.99.6:5555 Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination after the handshake the configuration changes to: sh-4.2# wg interface: sdn-tunnel public key: gCFgNjOpObU71Vmjub/R9KIn3MHgzXnKtrh9Tf+W628= private key: (hidden) listening port: 5555 peer: s7/lxyvFQCxE+KBoUJ/9vpPgLZ6pTdYUCsJ/snp3mUk= endpoint: 10.134.0.1:1033 allowed ips: 10.129.0.0/23 latest handshake: 31 seconds ago transfer: 180 B received, 452 B sent persistent keepalive: every 25 seconds peer: MzFg1tMaLUFC3kD9maiZZAHWywfCDyPlYF1zu6Dj30E= endpoint: 10.134.0.1:1032 allowed ips: 10.130.0.0/23 latest handshake: 37 seconds ago transfer: 212 B received, 272 B sent persistent keepalive: every 25 seconds peer: 5nC5cyDg9WZ/2R3CPEbM+fSXzsn5Yx1mX48iizdfdHU= endpoint: 10.134.0.1:1031 allowed ips: 10.128.0.0/23 latest handshake: 39 seconds ago transfer: 180 B received, 304 B sent persistent keepalive: every 25 seconds peer: a+tK21LKdsBkQNqmqdRpvS9HLpz2W8rwDijTPkXEc0Q= endpoint: 192.168.99.6:31165 allowed ips: 10.129.2.0/23 latest handshake: 41 seconds ago transfer: 156 B received, 180 B sent persistent keepalive: every 25 seconds peer: H09cwQeUUly2AIdTAhyr5zvzFK9bED0NYiKgJultYwE= endpoint: 192.168.99.12:31112 allowed ips: 10.128.2.0/23 latest handshake: 41 seconds ago transfer: 156 B received, 180 B sent persistent keepalive: every 25 seconds peer: SuO927DbGm2h2I8hcf24LvYWglKp+4wGAuiyisin/yY= endpoint: 192.168.99.7:31714 allowed ips: 10.131.0.0/23 latest handshake: 41 seconds ago transfer: 156 B received, 180 B sent persistent keepalive: every 25 seconds as you can see some of the endpoint's addresses have changed. the first three are not correct anymore. After the introduction of the iptables rules they change to an IP that makes no sense to me 10.134.0.1 finally here are a few seconds of tcpdump in case it helps: sh-4.2# tcpdump -i eth0 -nn -v tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 23:07:01.045331 IP (tos 0x0, ttl 64, id 27711, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 192.168.99.6.31165: UDP, length 32 23:07:01.045363 IP (tos 0x0, ttl 64, id 53835, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 192.168.99.7.31714: UDP, length 32 23:07:01.045411 IP (tos 0x0, ttl 64, id 27009, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 192.168.99.12.31112: UDP, length 32 23:07:02.758694 IP (tos 0x0, ttl 61, id 19309, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.1.1031 > 10.134.0.72.5555: UDP, length 32 23:07:04.053339 IP (tos 0x0, ttl 64, id 36786, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 10.134.0.1.1032: UDP, length 32 23:07:07.765375 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.134.0.72 tell 10.134.0.1, length 28 23:07:07.765394 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.134.0.72 is-at 0a:58:0a:86:00:48, length 28 23:07:10.938921 IP (tos 0x0, ttl 61, id 33093, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.1.1033 > 10.134.0.72.5555: UDP, length 32 23:07:26.069271 IP (tos 0x0, ttl 64, id 37778, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 192.168.99.6.31165: UDP, length 32 23:07:26.069271 IP (tos 0x0, ttl 64, id 59175, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 192.168.99.7.31714: UDP, length 32 23:07:26.069303 IP (tos 0x0, ttl 64, id 49067, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 192.168.99.12.31112: UDP, length 32 23:07:27.797284 IP (tos 0x0, ttl 64, id 57007, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.72.5555 > 10.134.0.1.1031: UDP, length 32 23:07:29.079935 IP (tos 0x0, ttl 61, id 18743, offset 0, flags [none], proto UDP (17), length 60) 10.134.0.1.1032 > 10.134.0.72.5555: UDP, length 32 Thanks, Raffaele Raffaele Spazzoli Senior Architect - OpenShift <https://www.openshift.com>, Containers and PaaS Practice <https://www.redhat.com/en/services/consulting/paas> Tel: +1 216-258-7717 On Sun, Sep 16, 2018 at 2:56 PM, Raffaele Spazzoli <rspazzol@redhat.com> wrote: > I'll try to make an example > cluster 1 node 1 has private IP1 and VIP1 > cluster 2 node 2 has private IP2 and VIP2 > > each node uses it's private ip for outbound connections. > each node can receive inbound connection on its VIP. > > so the wireguard config file for node1 is going to look like: > > [peer] > endpoint: VIP2:port > > and for node 2: > [peer] > endpoint: VIP1: port > > the problem is that after the handshake, wireguard updates the config to > the following (for example for node2): > [peer] > endpoint: IP1:port > > but IP2 cannot route to IP1... > > I think a well configured SNAT rule may work, although is not elegant > because it forces the cluster to exchange information about their private > IPs. > This should not be needed and in the cloud private IPs are ephemeral.... > > anyway thanks for the advice, I am going to try to use it in my > prototype. > > I still think there is need for a better technical approach for a long > term solution. > > > Thanks, > Raffaele > > Raffaele Spazzoli > Senior Architect - OpenShift <https://www.openshift.com>, Containers > and PaaS Practice <https://www.redhat.com/en/services/consulting/paas> > Tel: +1 216-258-7717 > > > > On Sun, Sep 16, 2018 at 12:54 PM, Ivan Labáth <labawi-wg@matrix-dream.net> > wrote: > >> Hi, >> >> On Sun, Sep 16, 2018 at 08:21:02AM -0400, Raffaele Spazzoli wrote: >> > ... then the IP that a node uses for its outbound >> > connection is not the same that its peer need to use for its inbound >> > connections. >> >> Who uses what for whose connection? You lost me here. >> Looks like a broken network to me. Does TCP even work? >> >> Anyway, SNAT/DNAT should be able to fix things up, if you want to go >> that route. >> >> Regards, >> Ivan >> > > [-- Attachment #2: Type: text/html, Size: 21109 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: what to do when the peers use different IPs to transmit and receive 2018-09-16 23:08 ` Raffaele Spazzoli @ 2018-09-17 9:16 ` Ivan Labáth 2018-09-17 11:10 ` Raffaele Spazzoli 0 siblings, 1 reply; 7+ messages in thread From: Ivan Labáth @ 2018-09-17 9:16 UTC (permalink / raw) Cc: wireguard On Sun, Sep 16, 2018 at 07:08:58PM -0400, Raffaele Spazzoli wrote: > sh-4.2# iptables -t nat -n -L Chain PREROUTING (policy ACCEPT) target prot > opt source destination Chain INPUT (policy ACCEPT) target prot opt source > destination SNAT udp -- 10.128.2.10 0.0.0.0/0 udp dpt:5555 to: > 192.168.99.12:5555 SNAT udp -- 10.128.1.94 0.0.0.0/0 udp dpt:5555 to: > 192.168.99.14:5555 SNAT udp -- 10.130.0.136 0.0.0.0/0 udp dpt:5555 to: > 192.168.99.13:5555 SNAT udp -- 10.129.1.158 0.0.0.0/0 udp dpt:5555 to: > 192.168.99.15:5555 SNAT udp -- 10.131.0.199 0.0.0.0/0 udp dpt:5555 to: > 192.168.99.7:5555 SNAT udp -- 10.129.2.217 0.0.0.0/0 udp dpt:5555 to: > 192.168.99.6:5555 Chain OUTPUT (policy ACCEPT) target prot opt source > destination Chain POSTROUTING (policy ACCEPT) target prot opt source > destination Please try to have no or reasonable line wrapping. If you are applying SNAT on your source node, you are setting the source address, which should be set to the reachable address for the replies to come to. In your case VIP. If you are setting it on the destination, you are IMO doing it wrong. Same thing applies to TCP and most typical protocol, nothing special about wireguard here. If you have a middlebox doing DNAT, it would normaly be expected for it or something else to do SNAT in the reverse direction. Or, if your node has both adresses assigned, then it might be a case of improperly set source address on outgoing packets (e.g. your routing might need tuning). Regards, Ivan ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: what to do when the peers use different IPs to transmit and receive 2018-09-17 9:16 ` Ivan Labáth @ 2018-09-17 11:10 ` Raffaele Spazzoli 2018-09-25 21:16 ` Ivan Labáth 0 siblings, 1 reply; 7+ messages in thread From: Raffaele Spazzoli @ 2018-09-17 11:10 UTC (permalink / raw) To: Ivan Labáth; +Cc: wireguard [-- Attachment #1: Type: text/plain, Size: 2422 bytes --] Ivan, sorry for the formatting, it seemed right on my email editor (gmail). I cannot do SNAT at the source because the packet would be dropped if it didn't come from the actual IP of the VM. So I am doing SNAT at the destination. why do you say I am doing it wrong? I know it would be ideal to do it at the source, but should it work when done at the destination? Thanks, Raffaele Raffaele Spazzoli Senior Architect - OpenShift <https://www.openshift.com>, Containers and PaaS Practice <https://www.redhat.com/en/services/consulting/paas> Tel: +1 216-258-7717 On Mon, Sep 17, 2018 at 5:16 AM, Ivan Labáth <labawi-wg@matrix-dream.net> wrote: > On Sun, Sep 16, 2018 at 07:08:58PM -0400, Raffaele Spazzoli wrote: > > sh-4.2# iptables -t nat -n -L Chain PREROUTING (policy ACCEPT) target > prot > > opt source destination Chain INPUT (policy ACCEPT) target prot opt source > > destination SNAT udp -- 10.128.2.10 0.0.0.0/0 udp dpt:5555 to: > > 192.168.99.12:5555 SNAT udp -- 10.128.1.94 0.0.0.0/0 udp dpt:5555 to: > > 192.168.99.14:5555 SNAT udp -- 10.130.0.136 0.0.0.0/0 udp dpt:5555 to: > > 192.168.99.13:5555 SNAT udp -- 10.129.1.158 0.0.0.0/0 udp dpt:5555 to: > > 192.168.99.15:5555 SNAT udp -- 10.131.0.199 0.0.0.0/0 udp dpt:5555 to: > > 192.168.99.7:5555 SNAT udp -- 10.129.2.217 0.0.0.0/0 udp dpt:5555 to: > > 192.168.99.6:5555 Chain OUTPUT (policy ACCEPT) target prot opt source > > destination Chain POSTROUTING (policy ACCEPT) target prot opt source > > destination > > Please try to have no or reasonable line wrapping. > > If you are applying SNAT on your source node, you are setting > the source address, which should be set to the reachable address > for the replies to come to. In your case VIP. > If you are setting it on the destination, you are IMO doing it wrong. > > Same thing applies to TCP and most typical protocol, nothing special > about wireguard here. > > If you have a middlebox doing DNAT, it would normaly be expected > for it or something else to do SNAT in the reverse direction. > Or, if your node has both adresses assigned, then it might be > a case of improperly set source address on outgoing packets > (e.g. your routing might need tuning). > > Regards, > Ivan > _______________________________________________ > WireGuard mailing list > WireGuard@lists.zx2c4.com > https://lists.zx2c4.com/mailman/listinfo/wireguard > [-- Attachment #2: Type: text/html, Size: 4349 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: what to do when the peers use different IPs to transmit and receive 2018-09-17 11:10 ` Raffaele Spazzoli @ 2018-09-25 21:16 ` Ivan Labáth 0 siblings, 0 replies; 7+ messages in thread From: Ivan Labáth @ 2018-09-25 21:16 UTC (permalink / raw) To: Raffaele Spazzoli; +Cc: wireguard Hi, I guess SNAT-ing on the destination node should work. Still, without a compelling use case, it seems like a broken network to me. You will have packets in transit with an unroutable/incorrect source address, among other possible issues. ICMP signalling won't work. I think TCP wouldn't work with such a setup, or even most udp protocols. Do you use other services over this type of network? Also, please note that iptables rules can affect network performance, especially if there are many of them and haphazardly placed. For debugging iptables rules I would suggest adding -v, so you can see the number of matched packets (caveats apply in NAT). Regards, Ivan Labáth On Mon, Sep 17, 2018 at 07:10:05AM -0400, Raffaele Spazzoli wrote: > Ivan, > > sorry for the formatting, it seemed right on my email editor (gmail). > I cannot do SNAT at the source because the packet would be dropped if it > didn't come from the actual IP of the VM. > So I am doing SNAT at the destination. why do you say I am doing it wrong? > I know it would be ideal to do it at the source, but should it work when > done at the destination? > > Thanks, > Raffaele > > Raffaele Spazzoli > Senior Architect - OpenShift <https://www.openshift.com>, Containers > and PaaS Practice <https://www.redhat.com/en/services/consulting/paas> > Tel: +1 216-258-7717 > > > > On Mon, Sep 17, 2018 at 5:16 AM, Ivan Labáth <labawi-wg@matrix-dream.net> > wrote: > > > On Sun, Sep 16, 2018 at 07:08:58PM -0400, Raffaele Spazzoli wrote: > > > sh-4.2# iptables -t nat -n -L Chain PREROUTING (policy ACCEPT) target > > prot > > > opt source destination Chain INPUT (policy ACCEPT) target prot opt source > > > destination SNAT udp -- 10.128.2.10 0.0.0.0/0 udp dpt:5555 to: > > > 192.168.99.12:5555 SNAT udp -- 10.128.1.94 0.0.0.0/0 udp dpt:5555 to: > > > 192.168.99.14:5555 SNAT udp -- 10.130.0.136 0.0.0.0/0 udp dpt:5555 to: > > > 192.168.99.13:5555 SNAT udp -- 10.129.1.158 0.0.0.0/0 udp dpt:5555 to: > > > 192.168.99.15:5555 SNAT udp -- 10.131.0.199 0.0.0.0/0 udp dpt:5555 to: > > > 192.168.99.7:5555 SNAT udp -- 10.129.2.217 0.0.0.0/0 udp dpt:5555 to: > > > 192.168.99.6:5555 Chain OUTPUT (policy ACCEPT) target prot opt source > > > destination Chain POSTROUTING (policy ACCEPT) target prot opt source > > > destination > > > > Please try to have no or reasonable line wrapping. > > > > If you are applying SNAT on your source node, you are setting > > the source address, which should be set to the reachable address > > for the replies to come to. In your case VIP. > > If you are setting it on the destination, you are IMO doing it wrong. > > > > Same thing applies to TCP and most typical protocol, nothing special > > about wireguard here. > > > > If you have a middlebox doing DNAT, it would normaly be expected > > for it or something else to do SNAT in the reverse direction. > > Or, if your node has both adresses assigned, then it might be > > a case of improperly set source address on outgoing packets > > (e.g. your routing might need tuning). > > > > Regards, > > Ivan > > _______________________________________________ > > WireGuard mailing list > > WireGuard@lists.zx2c4.com > > https://lists.zx2c4.com/mailman/listinfo/wireguard > > _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-09-25 21:17 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-09-16 12:21 what to do when the peers use different IPs to transmit and receive Raffaele Spazzoli 2018-09-16 16:54 ` Ivan Labáth 2018-09-16 18:56 ` Raffaele Spazzoli 2018-09-16 23:08 ` Raffaele Spazzoli 2018-09-17 9:16 ` Ivan Labáth 2018-09-17 11:10 ` Raffaele Spazzoli 2018-09-25 21:16 ` Ivan Labáth
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).