Question about AllowedIPs and proper "mesh" setup

Question about AllowedIPs and proper "mesh" setup

[Lars Francke]

[-- Attachment #1.1: Type: text/plain, Size: 2351 bytes --]

Hi,

I've been playing around with WireGuard recently. Thank you for all your
work on it.

It all mostly works but I have one thing that I can't grasp properly:

My setup are a bunch of servers that need to communicate securely over an
unsecured network. Like a mesh. So I have three servers and each of them
has a connection to the other two (i.e. two Peers). This all works
beautifully.

Now I want to add an outside client into the mix (e.g. my laptop). I want
to be able to connect to just one of those hosts and have that host forward
my packages to the others.

I can get it to work if I pick _one_ specific jump host but I haven't
managed to set it up in a way that I can connect to any of them.

(I'm leaving out Private & Public Key, Ports and Endpoints to make the
examples shorter.

Client wg0.conf:
[Interface]
Address = 10.0.1.1

# Server 1
[Peer]
AllowedIPs = 10.0.0.1/24


Server 1 wg0.conf:
[Interface]
Address    = 10.0.0.1

# Client
[Peer]
AllowedIPs = 10.0.1.1/32

# Server 2
[Peer]
AllowedIPs = 10.0.0.2, __10.0.1.1/32__

# Server 3
[Peer]
AllowedIPs = 10.0.0.3, __10.0.1.1/32__


Server 2 wg0.conf:
[Interface]
Address    = 10.0.0.2

# Client
[Peer]
AllowedIPs = 10.0.1.1/32

# Server 1
[Peer]
AllowedIPs = 10.0.0.1, __10.0.1.1/32__

# Server 3
[Peer]
AllowedIPs = 10.0.0.3, __10.0.1.1/32__


Server 3 etc. are similar.
This way I can connect with my client to any of the Servers and I can ping
them (e.g. ping 10.0.0.1) but I can _not_ ping the others: So when I
connect to server-1 I can not reach server-2 from my client (IP forwarding
etc. is enabled).

This only works when I remove the second IP from AllowedIPs (the one marked
with underscores) from the server I connect to (e.g. server 1). The other
servers (e.g. server 2 & 3) need it though because of course they'll see
traffic from 10.0.1.1 being forwarded to them so it needs to be in their
AllowedIPs.

That means I can get everything to work if I pick one special host that
Clients connect to.

I might just fundamentally misunderstand how AllowedIPs works. Any help is
greatly appreciated


An unrelated question: Should wg-quick up be allowed to be called with just
a file name?
e.g. wg-quick up wg0.conf?
I understand the man page that it should but I think the behavior is broken
on MacOS/Darwin because it tries to cd into the file which fails.


Cheers,
Lars

[-- Attachment #1.2: Type: text/html, Size: 3802 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Question about AllowedIPs and proper "mesh" setup

[Matthias Urlichs]

On 06.11.18 09:01, Lars Francke wrote:
> I haven't managed to set it up in a way that I can connect to any of them.

You can't, at least not out-of-the-box. How would these other hosts know
how to reach your client?

You need some sort of route propagation protocol (a couple of them
exist) and some way to monitor the wireguard interface state (no code
that I know of exists that does this) and feed that into the routing
protocol (ditto).

-- 
-- Matthias Urlichs

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Question about AllowedIPs and proper "mesh" setup

[Phil Hofer]

[-- Attachment #1.1.1: Type: text/plain, Size: 833 bytes --]

> Now I want to add an outside client into the mix (e.g. my laptop). I want to be able to connect to just one of those hosts and have that host forward my packages to the others.
> I can get it to work if I pick _one_ specific jump host but I haven't managed to set it up in a way that I can connect to any of them.

You might consider setting up just one of your servers
as a gateway for a subnet dedicated to your client machine(s).
Then add routes on your servers to the gateway.

For example, set up 10.0.0.1 as the gateway to 10.0.1.0/24,
and set your client machine up as 10.0.1.1. Machines on
10.0.0.0/24 remain connected directly.

If you need to be able to route through any one of
your servers on an ad-hoc basis, then you'll need some
additional routing protocol magic, as Matthias suggested.

Cheers,
Phil

[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 509 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Question about AllowedIPs and proper "mesh" setup

[Lars Francke]

[-- Attachment #1.1: Type: text/plain, Size: 1448 bytes --]

Phil, Matthias,

thanks for the answers. I haven't received Matthias answer but I can see it
in the archive.

The reason I wanted to do it the way I initially described is laziness. I'm
setting up the machines using Ansible[0]. It'd be great if I didn't need
any special cases but it seems that that's going to be way easier than
figuring out another way (which doesn't even seem to exist yet) ;-)

Thank you both!

Cheers,
Lars

[0] <https://github.com/opencore/ansible_wireguard> (It's not beautiful but
it does what I need)

On Tue, Nov 6, 2018 at 9:16 PM Phil Hofer <phil@sunfi.sh> wrote:

> > Now I want to add an outside client into the mix (e.g. my laptop). I
> want to be able to connect to just one of those hosts and have that host
> forward my packages to the others.
> > I can get it to work if I pick _one_ specific jump host but I haven't
> managed to set it up in a way that I can connect to any of them.
>
> You might consider setting up just one of your servers
> as a gateway for a subnet dedicated to your client machine(s).
> Then add routes on your servers to the gateway.
>
> For example, set up 10.0.0.1 as the gateway to 10.0.1.0/24,
> and set your client machine up as 10.0.1.1. Machines on
> 10.0.0.0/24 remain connected directly.
>
> If you need to be able to route through any one of
> your servers on an ad-hoc basis, then you'll need some
> additional routing protocol magic, as Matthias suggested.
>
> Cheers,
> Phil

[-- Attachment #1.2: Type: text/html, Size: 2082 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Question about AllowedIPs and proper "mesh" setup

[KeXianbin(http://diyism.com)]

You could seperate the 2 subnet into two wireguard interfaces, for
example  10.0.0.0/24  in wg0.conf, while 10.0.1.0/24 in wg1.conf
On Wed, Nov 7, 2018 at 3:47 AM Lars Francke <lars.francke@gmail.com> wrote:
>
> Hi,
>
> I've been playing around with WireGuard recently. Thank you for all your work on it.
>
> It all mostly works but I have one thing that I can't grasp properly:
>
> My setup are a bunch of servers that need to communicate securely over an unsecured network. Like a mesh. So I have three servers and each of them has a connection to the other two (i.e. two Peers). This all works beautifully.
>
> Now I want to add an outside client into the mix (e.g. my laptop). I want to be able to connect to just one of those hosts and have that host forward my packages to the others.
>
> I can get it to work if I pick _one_ specific jump host but I haven't managed to set it up in a way that I can connect to any of them.
>
> (I'm leaving out Private & Public Key, Ports and Endpoints to make the examples shorter.
>
> Client wg0.conf:
> [Interface]
> Address = 10.0.1.1
>
> # Server 1
> [Peer]
> AllowedIPs = 10.0.0.1/24
>
>
> Server 1 wg0.conf:
> [Interface]
> Address    = 10.0.0.1
>
> # Client
> [Peer]
> AllowedIPs = 10.0.1.1/32
>
> # Server 2
> [Peer]
> AllowedIPs = 10.0.0.2, __10.0.1.1/32__
>
> # Server 3
> [Peer]
> AllowedIPs = 10.0.0.3, __10.0.1.1/32__
>
>
> Server 2 wg0.conf:
> [Interface]
> Address    = 10.0.0.2
>
> # Client
> [Peer]
> AllowedIPs = 10.0.1.1/32
>
> # Server 1
> [Peer]
> AllowedIPs = 10.0.0.1, __10.0.1.1/32__
>
> # Server 3
> [Peer]
> AllowedIPs = 10.0.0.3, __10.0.1.1/32__
>
>
> Server 3 etc. are similar.
> This way I can connect with my client to any of the Servers and I can ping them (e.g. ping 10.0.0.1) but I can _not_ ping the others: So when I connect to server-1 I can not reach server-2 from my client (IP forwarding etc. is enabled).
>
> This only works when I remove the second IP from AllowedIPs (the one marked with underscores) from the server I connect to (e.g. server 1). The other servers (e.g. server 2 & 3) need it though because of course they'll see traffic from 10.0.1.1 being forwarded to them so it needs to be in their AllowedIPs.
>
> That means I can get everything to work if I pick one special host that Clients connect to.
>
> I might just fundamentally misunderstand how AllowedIPs works. Any help is greatly appreciated
>
>
> An unrelated question: Should wg-quick up be allowed to be called with just a file name?
> e.g. wg-quick up wg0.conf?
> I understand the man page that it should but I think the behavior is broken on MacOS/Darwin because it tries to cd into the file which fails.
>
>
> Cheers,
> Lars
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Question about AllowedIPs and proper "mesh" setup

[Brian]

If you're familiar with iptables at all, this was my solution:

1) On your peer's nat table, enable masquerading on your wg interface
(you can do this as a PostUp in your wg config):

iptables -A POSTROUTING -o wg0 -j MASQUERADE

2) On peers, enable packet forwarding in sysctl if necessary:

net.ipv4.conf.wg0.forwarding = 1  (or just net.ipv4.conf.all.forwarding = 1)

3) On your laptop, pick the peer you want to connect to and put the
whole range of your wireguard IP space as its AllowedIPs.  The other
peers don't need to be in your laptop's wireguard config at all.


Once you do that, your laptop will send all its traffic to the peer you
chose, which will then act as a router and "route" the packets back into
its wireguard interface and to the intended other peer.

You can even go over multiple hops this way to access an entire network
connected to another peer if you have packet forwarding and masquerading
set up on both peers (the peer sharing the network needs iptables
masquerading and packet forwarding on the shared network's interface
also), and you put the destination network ip space in your laptop's
peer's AllowedIPs.

-Brian

On 11/6/18 3:41 PM, Lars Francke wrote:
> Phil, Matthias,
>
> thanks for the answers. I haven't received Matthias answer but I can
> see it in the archive.
>
> The reason I wanted to do it the way I initially described is
> laziness. I'm setting up the machines using Ansible[0]. It'd be great
> if I didn't need any special cases but it seems that that's going to
> be way easier than figuring out another way (which doesn't even seem
> to exist yet) ;-)
>
> Thank you both!
>
> Cheers,
> Lars
>
> [0] <https://github.com/opencore/ansible_wireguard> (It's not
> beautiful but it does what I need)
>
> On Tue, Nov 6, 2018 at 9:16 PM Phil Hofer <phil@sunfi.sh> wrote:
>
>     > Now I want to add an outside client into the mix (e.g. my
>     laptop). I want to be able to connect to just one of those hosts
>     and have that host forward my packages to the others.
>     > I can get it to work if I pick _one_ specific jump host but I
>     haven't managed to set it up in a way that I can connect to any of
>     them.
>
>     You might consider setting up just one of your servers
>     as a gateway for a subnet dedicated to your client machine(s).
>     Then add routes on your servers to the gateway.
>
>     For example, set up 10.0.0.1 as the gateway to 10.0.1.0/24
>     <http://10.0.1.0/24>,
>     and set your client machine up as 10.0.1.1. Machines on
>     10.0.0.0/24 <http://10.0.0.0/24> remain connected directly.
>
>     If you need to be able to route through any one of
>     your servers on an ad-hoc basis, then you'll need some
>     additional routing protocol magic, as Matthias suggested.
>
>     Cheers,
>     Phil
>
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard