wireguard.lists.zx2c4.com archive mirror
From: "KeXianbin(http://diyism.com)" <kexianbin@diyism.com>
To: lars.francke@gmail.com
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Question about AllowedIPs and proper "mesh" setup
Date: Wed, 7 Nov 2018 09:55:40 +0800
Message-ID: <CAKVinOVUNtoVOFiDYk5GmnTyoPUU2e0T_vJ_MzYyBtV5vKOKQA@mail.gmail.com>
In-Reply-To: <CAD-Ua_hRW4RyOMrP3jX3hAAVLJCLHXYPvYY_PaK0y-=r_HhTQQ@mail.gmail.com>

You could separate the 2 subnets into two WireGuard interfaces, for
example 10.0.0.0/24 in wg0.conf, while 10.0.1.0/24 in wg1.conf.

On Wed, Nov 7, 2018 at 3:47 AM Lars Francke <lars.francke@gmail.com> wrote:
>
> Hi,
>
> I've been playing around with WireGuard recently. Thank you for all your work on it.
>
> It all mostly works but I have one thing that I can't grasp properly:
>
> My setup is a bunch of servers that need to communicate securely over an unsecured network. Like a mesh. So I have three servers and each of them has a connection to the other two (i.e. two Peers). This all works beautifully.
>
> Now I want to add an outside client into the mix (e.g. my laptop). I want to be able to connect to just one of those hosts and have that host forward my packages to the others.
>
> I can get it to work if I pick _one_ specific jump host but I haven't managed to set it up in a way that I can connect to any of them.
>
> (I'm leaving out Private & Public Key, Ports and Endpoints to make the examples shorter.)
>
> Client wg0.conf:
> [Interface]
> Address = 10.0.1.1
>
> # Server 1
> [Peer]
> AllowedIPs = 10.0.0.1/24
>
>
> Server 1 wg0.conf:
> [Interface]
> Address    = 10.0.0.1
>
> # Client
> [Peer]
> AllowedIPs = 10.0.1.1/32
>
> # Server 2
> [Peer]
> AllowedIPs = 10.0.0.2, __10.0.1.1/32__
>
> # Server 3
> [Peer]
> AllowedIPs = 10.0.0.3, __10.0.1.1/32__
>
>
> Server 2 wg0.conf:
> [Interface]
> Address    = 10.0.0.2
>
> # Client
> [Peer]
> AllowedIPs = 10.0.1.1/32
>
> # Server 1
> [Peer]
> AllowedIPs = 10.0.0.1, __10.0.1.1/32__
>
> # Server 3
> [Peer]
> AllowedIPs = 10.0.0.3, __10.0.1.1/32__
>
>
> Server 3 etc. are similar.
> This way I can connect with my client to any of the Servers and I can ping them (e.g. ping 10.0.0.1) but I can _not_ ping the others: So when I connect to server-1 I can not reach server-2 from my client (IP forwarding etc. is enabled).
>
> This only works when I remove the second IP from AllowedIPs (the one marked with underscores) from the server I connect to (e.g. server 1). The other servers (e.g. server 2 & 3) need it though because of course they'll see traffic from 10.0.1.1 being forwarded to them so it needs to be in their AllowedIPs.
>
> That means I can get everything to work if I pick one special host that Clients connect to.
>
> I might just fundamentally misunderstand how AllowedIPs works. Any help is greatly appreciated.
>
>
> An unrelated question: Should wg-quick up be allowed to be called with just a file name?
> e.g. wg-quick up wg0.conf?
> I understand the man page that it should but I think the behavior is broken on MacOS/Darwin because it tries to cd into the file which fails.
>
>
> Cheers,
> Lars
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
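To make the AllowedIPs behaviour in the quoted question concrete, here is an added example (not code from this thread or from the WireGuard project) that models one interface's cryptokey routing table as the quoted Server 1 config fills it: a prefix can belong to only one peer per interface, so the underscored 10.0.1.1/32 ends up owned by the last mesh peer instead of the client, which is why forwarding only works once that duplicate is removed on the server the client connects to. The `CryptokeyRouter` class and its last-configured-peer-wins rule are this example's own simplification of the kernel table.

```python
import ipaddress

class CryptokeyRouter:
    """Model of one WireGuard interface's AllowedIPs table (hypothetical,
    not WireGuard's code). Each prefix has exactly one owning peer;
    configuring a prefix under a later peer moves it to that peer, as the
    kernel's allowedips table does. Outbound packets go to the peer with
    the longest matching prefix; inbound decrypted packets are accepted
    only when their source address routes back to the sending peer."""

    def __init__(self):
        self.table = {}  # ipaddress network -> owning peer name

    def add_peer(self, name, allowed_ips):
        for entry in allowed_ips:  # a bare address means /32, as in wg(8)
            self.table[ipaddress.ip_network(entry, strict=False)] = name

    def route(self, dst):
        """Peer an outbound packet to dst is encrypted for; None = dropped."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.table if addr in net]
        return self.table[max(matches, key=lambda n: n.prefixlen)] if matches else None

    def accept(self, from_peer, src):
        """Source check on a decrypted packet received from from_peer."""
        return self.route(src) == from_peer

def server1_as_posted():
    """Server 1 wg0 with the quoted AllowedIPs, peers applied in file order."""
    r = CryptokeyRouter()
    r.add_peer("client", ["10.0.1.1/32"])
    r.add_peer("server2", ["10.0.0.2", "10.0.1.1/32"])
    r.add_peer("server3", ["10.0.0.3", "10.0.1.1/32"])
    return r

def server1_without_duplicate():
    """Same, with the underscored 10.0.1.1/32 removed from the mesh peers."""
    r = CryptokeyRouter()
    r.add_peer("client", ["10.0.1.1/32"])
    r.add_peer("server2", ["10.0.0.2"])
    r.add_peer("server3", ["10.0.0.3"])
    return r

if __name__ == "__main__":
    posted, fixed = server1_as_posted(), server1_without_duplicate()
    # The client's packets arrive from peer "client" with source 10.0.1.1,
    # but the posted config has moved 10.0.1.1/32 to the server3 peer.
    print(posted.route("10.0.1.1"), posted.accept("client", "10.0.1.1"))  # server3 False
    print(fixed.route("10.0.1.1"), fixed.accept("client", "10.0.1.1"))    # client True
```

With two interfaces as suggested in the reply, each interface has its own table, so the client's /32 on wg1 no longer competes with the mesh peers' entries on wg0.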

Thread overview:
2018-11-06  8:01 Question about AllowedIPs and proper "mesh" setup Lars Francke
2018-11-06 20:04 ` Matthias Urlichs
2018-11-06 20:16 ` Phil Hofer
2018-11-06 20:41   ` Lars Francke
2018-11-08 19:33     ` Brian
2018-11-07  1:55 ` KeXianbin(http://diyism.com) [this message]