WireGuard Archive on lore.kernel.org
* Wireguard + anycast
From: Edward Vielmetti @ 2019-01-03 22:36 UTC
  To: WireGuard


A little thought experiment which I haven't tried yet.

Using anycast, a single IP address can be routed to multiple machines in a
data center or around the world.

Is it at all possible that anycast and Wireguard would play together
nicely? In particular, is it plausible that you could give a client an
anycast address of a server to use as its endpoint, and that when it picked
the correct / closest one that it would do the right thing?

The naive approach would be to have all of the anycast devices share the
same private/public key pair, but that has a bad smell. And I don't know
what would happen if your routing changed in mid-connection.

(anycast is the technology used to give name servers a single global
address, like Google's 8.8.8.8 DNS)

-- 
Edward Vielmetti +1 734 330 2465
edward.vielmetti@gmail.com



_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Wireguard + anycast
From: David Cowden @ 2019-01-04  3:17 UTC
  To: Edward Vielmetti; +Cc: WireGuard


If Wireguard let you configure a list of allowed keys for a peer (instead
of a single key) that would be a logical solution without much extra
complexity at all I imagine.

On Thu, Jan 3, 2019 at 2:39 PM Edward Vielmetti <edward.vielmetti@gmail.com>
wrote:

> A little thought experiment which I haven't tried yet.
>
> Using anycast, a single IP address can be routed to multiple machines in a
> data center or around the world.
>
> Is it at all possible that anycast and Wireguard would play together
> nicely? In particular, is it plausible that you could give a client an
> anycast address of a server to use as its endpoint, and that when it picked
> the correct / closest one that it would do the right thing?
>
> The naive approach would be to have all of the anycast devices share the
> same private/public key pair, but that has a bad smell. And I don't know
> what would happen if your routing changed in mid-connection.
>
> (anycast is the technology used to give name servers a single global
> address, like Google's 8.8.8.8 DNS)
>
> --
> Edward Vielmetti +1 734 330 2465
> edward.vielmetti@gmail.com
>



* Re: Wireguard + anycast
From: Henning Reich @ 2019-01-04  8:30 UTC
  To: Edward Vielmetti; +Cc: WireGuard


I think you could add multiple peers with the same (anycast) Endpoint but
different key pairs (see my attempt at an example below).
Your DNS will select the IP of the closest one, and WG will try to connect
with each key until success.
Or am I missing some important point?


cat /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.0.2/24
ListenPort = 12345
PrivateKey = YIYTN0Hil/32QWTo3F1fTVc3SDkgncXLHbGFlCgIQnM=

# anycast-Server 1
[Peer]
PublicKey = K+m7KQWy78JIAL7+8oFUdgrlBQdS8NZ2IPJu1rPTsnQ=
AllowedIPs = 172.16.0.1/24, 192.168.178.0/24
Endpoint = my.anycast.com:12345

# anycast-Server 2
[Peer]
PublicKey = O79QWUAdNFbWFIuWeKp3264BL3RuWKF+WFO21r2tAo=
AllowedIPs = 172.16.0.1/24, 192.168.178.0/24
Endpoint = my.anycast.com:12345


On Thu, 3 Jan 2019 at 23:38, Edward Vielmetti <
edward.vielmetti@gmail.com> wrote:

> A little thought experiment which I haven't tried yet.
>
> Using anycast, a single IP address can be routed to multiple machines in a
> data center or around the world.
>
> Is it at all possible that anycast and Wireguard would play together
> nicely? In particular, is it plausible that you could give a client an
> anycast address of a server to use as its endpoint, and that when it picked
> the correct / closest one that it would do the right thing?
>
> The naive approach would be to have all of the anycast devices share the
> same private/public key pair, but that has a bad smell. And I don't know
> what would happen if your routing changed in mid-connection.
>
> (anycast is the technology used to give name servers a single global
> address, like Google's 8.8.8.8 DNS)
>
> --
> Edward Vielmetti +1 734 330 2465
> edward.vielmetti@gmail.com
>


* Re: Wireguard + anycast
From: Phil Hofer @ 2019-01-05 17:39 UTC
  To: David Cowden; +Cc: Edward Vielmetti, WireGuard



> If Wireguard let you configure a list of allowed keys for a peer (instead of a single key) that would be a logical solution without much extra complexity at all I imagine.

As a handshake initiator, you wouldn't know which key to use.
Similarly, when receiving a handshake initiation, you wouldn't
know which key to use to authenticate the handshake. You'd
have to fall back to trial decryption/encryption, which I
think is a non-starter.

The one-to-one correspondence of IP ranges to keys is
baked into the protocol pretty deeply. I'd say this is one
of those simplifying assumptions that Wireguard makes over
IPsec and friends that makes it easier to configure and
administrate.

-Phil

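Phil's point that each IP range maps to exactly one key can be checked against the configuration Henning posted. The following is an added example, not code from the thread or from the WireGuard project: it parses a wg0.conf of that shape, builds the prefix-to-peer table the way WireGuard's cryptokey routing does (a prefix listed under two peers ends up owned by the later one), and reports which peer would carry a given packet. The keys are placeholders I made up, and masking host bits when comparing prefixes is my assumption.

```python
import ipaddress
# Constructed sample in the shape of the wg0.conf posted in the thread (keys are placeholders).
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
[Peer]
PublicKey = PLACEHOLDER_PEER1_KEY=
AllowedIPs = 172.16.0.1/24, 192.168.178.0/24
Endpoint = my.anycast.com:12345
[Peer]
PublicKey = PLACEHOLDER_PEER2_KEY=
AllowedIPs = 172.16.0.1/24, 192.168.178.0/24
Endpoint = my.anycast.com:12345
"""
def parse_peers(conf):
    """Return [(public_key, [networks]), ...] in configuration order."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):                       # section header; only [Peer] matters
            cur = {"PublicKey": None, "AllowedIPs": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "PublicKey":
                cur["PublicKey"] = val
            elif key == "AllowedIPs":
                # strict=False masks host bits (172.16.0.1/24 -> 172.16.0.0/24), assumed here
                cur["AllowedIPs"] += [ipaddress.ip_network(v.strip(), strict=False)
                                      for v in val.split(",") if v.strip()]
    return [(p["PublicKey"], p["AllowedIPs"]) for p in peers]

def cryptokey_table(peers):
    """Prefix -> key; a later peer listing the same prefix takes it over (shadowed lists the losers)."""
    table, shadowed = {}, []
    for key, nets in peers:
        for net in nets:
            if net in table and table[net] != key:
                shadowed.append((net, table[net], key))
            table[net] = key
    return table, shadowed

def route(table, dst):
    """Peer key that carries a packet to dst (longest-prefix match), or None if no peer matches."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen, default=None)
    return table[best] if best is not None else None
```

Run against the sample, both prefixes end up with the second peer and the first is never used: WireGuard routes each packet to one peer by destination address rather than trying each key in turn.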
