* Suggestion for WireGuard
@ 2021-08-30 13:19 Kassem Omega
From: Kassem Omega @ 2021-08-30 13:19 UTC (permalink / raw)
To: wireguard
Hi,
I sent this to the mailing list a couple of times before, but either it
didn't go through or it is somehow forbidden? I never got any decision
from the list moderator that sending suggestions is forbidden at all.
Hopefully someone can answer with anything.
I was wondering if there is any chance of adding the opposite of the
AllowedIPs option to WireGuard?
Currently, WireGuard only has a whitelist option, which specifies which
IPs go through it; however, I believe adding a blacklist option
would be beneficial and easier to configure.
The use case: allowing all traffic to go through WireGuard except
specific ranges.
Right now, to do this I must use this long list of ranges:
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4,
32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6,
172.0.0.0/12, 172.16.0.0/24, 172.32.0.0/11, 172.64.0.0/10,
172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9,
192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15,
192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8,
194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32
However, if the DisallowedIPs option is available, I'd simply use:
DisallowedIPs = 192.168.0.0/16, 10.0.0.0/8
What do you think?
Thank you.
Kassem
* Suggestion for WireGuard
From: Guy Godfroy @ 2021-09-02 4:10 UTC (permalink / raw)
To: wireguard
Hello,
I'm not involved in WireGuard dev, but I think that wouldn't match the WireGuard mechanism. Indeed, AllowedIPs isn't only about routing; it is used to match a cryptographic fingerprint to a given IP. Also, having multiple peers containing such a thing as DisallowedIPs could lead to nonsense.
Why don't you use the firewall to block the IP range instead?
* Re: Suggestion for WireGuard
From: Feng Li @ 2021-09-02 4:54 UTC (permalink / raw)
To: Kassem Omega; +Cc: WireGuard mailing list
I asked this question some months ago, like you,
and didn't get an answer. This is a workaround from me
to calculate the AllowedIPs; maybe it can help you:
```python
#!/usr/bin/python
import ipaddress

def address_exclude(rr, r1):
    # Remove the range r1 from every range in rr. Two CIDR blocks either
    # nest or are disjoint, so each r is dropped, split, or kept unchanged.
    out = []
    for r in rr:
        if r.subnet_of(r1):
            continue  # r lies entirely inside the excluded range: drop it
        if r1.subnet_of(r):
            out += list(r.address_exclude(r1))  # carve r1 out of r
        else:
            out.append(r)  # disjoint: keep as-is
    return out

def calc_exclude(includes, excludes):
    includes_addr = [ipaddress.ip_network(i) for i in includes]
    excludes_addr = [ipaddress.ip_network(e) for e in excludes]
    for e in excludes_addr:
        includes_addr = address_exclude(includes_addr, e)
    strs = [str(i) for i in includes_addr]
    print("AllowedIPs = " + ",".join(strs))

calc_exclude(includes=['0.0.0.0/0'], excludes=['192.168.0.0/16', '10.0.0.0/8'])
```
I have asked this question here too:
https://www.reddit.com/r/WireGuard/comments/m44fi5/enhance_the_allowedips/
On Wed, Sep 1, 2021 at 9:50 PM Kassem Omega <kassemomega@gmail.com> wrote:
>
> Hi,
>
> I sent this before a couple of times to the mailing list but either it
> didn't go through or it is forbidden somehow? I never got any decision
> from the list moderator that it is forbidden to send suggestions at
> all. Hopefully someone can answer with anything.
>
> I was wondering if there is any chance of adding the opposite of
> AllowedIPs option to WireGuard?
>
> Currently, WireGuard has a whitelist option only that specifies which
> IPs to go through it, however I believe adding the blacklist option
> would be beneficial and easier to configure.
>
> The use case: allowing all traffic to go through WireGuard except
> specific ranges.
>
> Right now to do this I must use this long list of ranges to achieve this:
>
> AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4,
> 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6,
> 172.0.0.0/12, 172.16.0.0/24, 172.32.0.0/11, 172.64.0.0/10,
> 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9,
> 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15,
> 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8,
> 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32
>
> However, if the DisallowedIPs option is available, I'd simply use:
>
> DisallowedIPs = 192.168.0.0/16, 10.0.0.0/8
>
> What do you think?
>
> Thank you.
> Kassem
* Re: Suggestion for WireGuard
From: Lonnie Abelbeck @ 2021-09-02 13:46 UTC (permalink / raw)
To: Kassem Omega; +Cc: WireGuard mailing list
> On Aug 30, 2021, at 8:19 AM, Kassem Omega <kassemomega@gmail.com> wrote:
>
> snip...
>
> The use case: allowing all traffic to go through WireGuard except
> specific ranges.
>
> Right now to do this I must use this long list of ranges to achieve this:
>
> AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4,
> 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6,
> 172.0.0.0/12, 172.16.0.0/24, 172.32.0.0/11, 172.64.0.0/10,
> 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9,
> 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15,
> 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8,
> 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32
>
> However, if the DisallowedIPs option is available, I'd simply use:
>
> DisallowedIPs = 192.168.0.0/16, 10.0.0.0/8
For the IPv4-only case, there is a handy C-based tool: iprange [1]
For your example: Allow: 0.0.0.0/0 Disallow: 192.168.0.0/16, 10.0.0.0/8
```
$ cat allow.ipset
0.0.0.0/0
$ cat disallow.ipset
192.168.0.0/16
10.0.0.0/8
$ iprange allow.ipset --exclude-next disallow.ipset
0.0.0.0/5
8.0.0.0/7
11.0.0.0/8
12.0.0.0/6
16.0.0.0/4
32.0.0.0/3
64.0.0.0/2
128.0.0.0/2
192.0.0.0/9
192.128.0.0/11
192.160.0.0/13
192.169.0.0/16
192.170.0.0/15
192.172.0.0/14
192.176.0.0/12
192.192.0.0/10
193.0.0.0/8
194.0.0.0/7
196.0.0.0/6
200.0.0.0/5
208.0.0.0/4
224.0.0.0/3
```
The output is optimized and sorted.
Lonnie
[1] https://github.com/firehol/iprange
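The same "allow everything except these ranges" computation that Feng Li's script and Lonnie's iprange invocation perform, as an added example written for this thread (not code from the list or from either tool). It goes slightly beyond both: it handles an exclude that swallows an include whole, works for IPv6 as well as IPv4, and emits a collapsed, sorted list like iprange does. The function names are this example's own.

```python
#!/usr/bin/env python3
"""Build a WireGuard AllowedIPs list as 'allow set minus disallow set'."""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def exclude_networks(includes: Iterable[str], excludes: Iterable[str]) -> List[Net]:
    """Return the minimal CIDR list covering `includes` minus `excludes`.

    Two CIDR blocks either nest or are disjoint, so every include/exclude
    pair falls into exactly one of the three cases below.
    """
    nets: List[Net] = [ipaddress.ip_network(i) for i in includes]
    for ex in (ipaddress.ip_network(e) for e in excludes):
        remaining: List[Net] = []
        for net in nets:
            if net.version != ex.version or not net.overlaps(ex):
                remaining.append(net)                     # disjoint: keep as-is
            elif net.subnet_of(ex):
                continue                                  # swallowed whole: drop it
            else:
                remaining.extend(net.address_exclude(ex))  # ex inside net: carve a hole
        nets = remaining
    # collapse_addresses merges adjacent blocks and sorts them; it refuses
    # mixed address families, so collapse each family separately.
    out: List[Net] = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def allowed_ips_line(includes: Iterable[str], excludes: Iterable[str]) -> str:
    """Format the result the way wg-quick expects it in a [Peer] section."""
    nets = exclude_networks(includes, excludes)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def address_count(nets: Iterable[Net]) -> int:
    """Total addresses covered; lets a check confirm nothing was lost or double-counted."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    # Kassem's use case from the thread: everything except the two private ranges.
    print(allowed_ips_line(["0.0.0.0/0"], ["192.168.0.0/16", "10.0.0.0/8"]))
```

For Kassem's input the output is exactly the 22 prefixes iprange printed above, and address_count confirms the result plus the two excluded ranges adds back up to the full IPv4 space.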