From: Lars Francke <lars.francke@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Question about AllowedIPs and proper "mesh" setup
Date: Tue, 6 Nov 2018 09:01:02 +0100
Message-ID: <CAD-Ua_hRW4RyOMrP3jX3hAAVLJCLHXYPvYY_PaK0y-=r_HhTQQ@mail.gmail.com>
Hi,
I've been playing around with WireGuard recently. Thank you for all your
work on it.
It all mostly works but I have one thing that I can't grasp properly:
My setup is a bunch of servers that need to communicate securely over an
unsecured network. Like a mesh. So I have three servers and each of them
has a connection to the other two (i.e. two Peers). This all works
beautifully.
Now I want to add an outside client into the mix (e.g. my laptop). I want
to be able to connect to just one of those hosts and have that host forward
my packages to the others.
I can get it to work if I pick _one_ specific jump host but I haven't
managed to set it up in a way that I can connect to any of them.
(I'm leaving out Private & Public Key, Ports and Endpoints to make the
examples shorter.)

Client wg0.conf:

[Interface]
Address = 10.0.1.1

# Server 1
[Peer]
AllowedIPs = 10.0.0.1/24

Server 1 wg0.conf:

[Interface]
Address = 10.0.0.1

# Client
[Peer]
AllowedIPs = 10.0.1.1/32

# Server 2
[Peer]
AllowedIPs = 10.0.0.2, __10.0.1.1/32__

# Server 3
[Peer]
AllowedIPs = 10.0.0.3, __10.0.1.1/32__

Server 2 wg0.conf:

[Interface]
Address = 10.0.0.2

# Client
[Peer]
AllowedIPs = 10.0.1.1/32

# Server 1
[Peer]
AllowedIPs = 10.0.0.1, __10.0.1.1/32__

# Server 3
[Peer]
AllowedIPs = 10.0.0.3, __10.0.1.1/32__

Server 3 etc. are similar.
This way I can connect with my client to any of the Servers and I can ping
them (e.g. ping 10.0.0.1) but I can _not_ ping the others: So when I
connect to server-1 I can not reach server-2 from my client (IP forwarding
etc. is enabled).
This only works when I remove the second IP from AllowedIPs (the one marked
with underscores) from the server I connect to (e.g. server 1). The other
servers (e.g. server 2 & 3) need it though because of course they'll see
traffic from 10.0.1.1 being forwarded to them so it needs to be in their
AllowedIPs.
That means I can get everything to work if I pick one special host that
Clients connect to.
I might just fundamentally misunderstand how AllowedIPs works. Any help is
greatly appreciated.
An unrelated question: Should wg-quick up be allowed to be called with just
a file name?
e.g. wg-quick up wg0.conf?
I understand from the man page that it should, but I think the behavior is
broken on MacOS/Darwin because it tries to cd into the file, which fails.
Cheers,
Lars
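The behaviour Lars is running into follows from how WireGuard's cryptokey routing table is keyed. Below is an added example (not part of Lars's message and not WireGuard's own code) that models two rules of that table: a given allowed IP prefix belongs to at most one peer per interface, so listing `10.0.1.1/32` on a later peer moves it off the earlier one; and a decrypted packet is only accepted if its source address falls inside the sending peer's AllowedIPs, while outgoing packets pick their peer by longest-prefix match on the destination. The class `CryptokeyRouter`, the helper `build_server` and the `SERVERS` map are names invented for this illustration; the addresses are the ones from the configs above.

```python
# Added example: a toy model of one WireGuard interface's AllowedIPs table.
# It is not WireGuard code; it reproduces the "one owner per prefix" rule
# and the receive/send lookups so the posted configs can be reasoned about.
import ipaddress
from typing import Dict, List, Optional, Tuple

Prefix = ipaddress.IPv4Network


class CryptokeyRouter:
    """Cryptokey routing table of a single wg interface (simplified model)."""

    def __init__(self) -> None:
        # prefix -> peer name; a prefix can be owned by only one peer
        self.table: Dict[Prefix, str] = {}
        # (prefix, previous owner, new owner), recorded when a later peer
        # takes a prefix away from an earlier one
        self.evictions: List[Tuple[str, str, str]] = []

    def add_peer(self, peer: str, allowed_ips: List[str]) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)  # "10.0.0.2" -> /32
            prev = self.table.get(net)
            if prev is not None and prev != peer:
                self.evictions.append((str(net), prev, peer))
            self.table[net] = peer  # last peer configured with the prefix wins

    def peer_for(self, ip: str) -> Optional[str]:
        """Longest-prefix match of an address against the table."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[Prefix, str]] = None
        for net, peer in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, from_peer: str, src_ip: str) -> bool:
        """Decrypted packet from `from_peer` is kept only if its source
        address is routed to that same peer; otherwise it is dropped."""
        return self.peer_for(src_ip) == from_peer

    def next_hop(self, dst_ip: str) -> Optional[str]:
        """Peer an outgoing packet for `dst_ip` would be encrypted to."""
        return self.peer_for(dst_ip)


# Server 1 exactly as posted: the client's /32 appears on three peers.
def server1_as_posted() -> CryptokeyRouter:
    r = CryptokeyRouter()
    r.add_peer("client", ["10.0.1.1/32"])
    r.add_peer("server2", ["10.0.0.2", "10.0.1.1/32"])
    r.add_peer("server3", ["10.0.0.3", "10.0.1.1/32"])
    return r


# The per-jump-host layout Lars describes as working: the client's /32 sits
# on the client peer only on the jump host, and on the jump host's peer on
# every other server. Constructed for the illustration.
SERVERS = {"server1": "10.0.0.1", "server2": "10.0.0.2", "server3": "10.0.0.3"}
CLIENT_IP = "10.0.1.1/32"


def build_server(name: str, jump_host: str) -> CryptokeyRouter:
    r = CryptokeyRouter()
    if name == jump_host:
        r.add_peer("client", [CLIENT_IP])
    for other, ip in SERVERS.items():
        if other == name:
            continue
        allowed = [ip + "/32"]
        if name != jump_host and other == jump_host:
            allowed.append(CLIENT_IP)  # forwarded client traffic arrives here
        r.add_peer(other, allowed)
    return r


def client_owner_per_server(jump_host: str) -> Dict[str, Optional[str]]:
    """Which peer owns 10.0.1.1 on each server for a given jump host."""
    return {n: build_server(n, jump_host).peer_for("10.0.1.1") for n in SERVERS}


if __name__ == "__main__":
    posted = server1_as_posted()
    print("posted server1 owner of 10.0.1.1:", posted.peer_for("10.0.1.1"))
    print("evictions:", posted.evictions)
    for jh in SERVERS:
        print("jump host", jh, "->", client_owner_per_server(jh))
```

Running it shows that with the posted Server 1 config the prefix ends up on the last peer that listed it, so packets from the client peer fail the source check and replies to 10.0.1.1 are encrypted towards the wrong peer; and that the owner of 10.0.1.1 on each server differs depending on which server is the jump host, which is why one static set of configs cannot serve every entry point under this rule.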