WireGuard Archive on lore.kernel.org
* Behaviour of multiple Allowed-IPs 0.0.0.0/0 or ::0/0?
@ 2018-12-27 16:27 Rene 'Renne' Bartsch, B.Sc. Informatics
  2018-12-27 19:23 ` Samuel Holland
  0 siblings, 1 reply; 2+ messages in thread
From: Rene 'Renne' Bartsch, B.Sc. Informatics @ 2018-12-27 16:27 UTC (permalink / raw)
  To: wireguard

Hi,

how does WireGuard behave with multiple peers with Allowed-IPs 0.0.0.0/0 or ::0/0?

Regards,

Renne
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Behaviour of multiple Allowed-IPs 0.0.0.0/0 or ::0/0?
  2018-12-27 16:27 Behaviour of multiple Allowed-IPs 0.0.0.0/0 or ::0/0? Rene 'Renne' Bartsch, B.Sc. Informatics
@ 2018-12-27 19:23 ` Samuel Holland
  0 siblings, 0 replies; 2+ messages in thread
From: Samuel Holland @ 2018-12-27 19:23 UTC (permalink / raw)
  To: Rene 'Renne' Bartsch, B.Sc. Informatics, wireguard

On 12/27/18 10:27, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> how does WireGuard behave with multiple peers with Allowed-IPs 0.0.0.0/0 or
> ::0/0?

That's not allowed. To quote the WireGuard homepage: "when sending packets, the
list of allowed IPs behaves as a sort of routing table, and when receiving
packets, the list of allowed IPs behaves as a sort of access control list."

If two peers had the same network "0.0.0.0/0" in AllowedIPs, how would you
choose which peer to send packets to? You can't, so WireGuard prohibits
duplicating AllowedIPs networks across peers. If you add "0.0.0.0/0" to the
AllowedIPs of one peer, it is removed from the AllowedIPs of every other peer.
(So the end result is that the last peer in the configuration file ends up with
the AllowedIPs of 0.0.0.0/0).

If you have static allocation of internal IP addresses, then you don't want
AllowedIPs of 0.0.0.0/0. If Host A is always assigned IP 10.1.2.3, then its
AllowedIPs only need to be 10.1.2.3. Host B can have AllowedIPs of 10.1.2.4 etc.
and they don't overlap.

On the other hand, if you want to do dynamic routing or multipath, the best
solution for now is to have a separate WireGuard interface for each peer. Then
you can use 0.0.0.0/0, because routing decisions are made at the kernel routing
layer, not by WireGuard.

Hope that helps,
Samuel
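The behaviour described in the reply above, as an added example (not part of either message and not WireGuard's own code): a small checker that applies the `[Peer]` sections of a configuration in file order, reports every AllowedIPs network that a later peer takes away from an earlier one, and then resolves an address to the peer that ends up owning it. The sample configuration, the `PEER_A`/`PEER_B` key placeholders and both function names are constructed for illustration; the lookup uses longest-prefix matching, which goes slightly beyond the single 0.0.0.0/0 case discussed in the thread, and the parser assumes `PublicKey` precedes `AllowedIPs` in each section.

```python
import ipaddress

# Constructed sample configuration; the keys are placeholders, not real keys.
SAMPLE = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PEER_A
AllowedIPs = 0.0.0.0/0, 10.1.2.3/32

[Peer]
PublicKey = PEER_B
AllowedIPs = 0.0.0.0/0, ::0/0
"""

def effective_allowed_ips(conf_text):
    """Apply peers in file order; return (network -> owner, displaced list)."""
    owner, displaced, peer, in_peer = {}, [], None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("["):
            in_peer, peer = line.lower() == "[peer]", None
        elif in_peer and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "publickey":
                peer = value                          # assumed to come first
            elif key.lower() == "allowedips":
                for item in filter(None, (v.strip() for v in value.split(","))):
                    # strict=False masks host bits, e.g. 10.1.2.3/8 -> 10.0.0.0/8
                    net = ipaddress.ip_network(item, strict=False)
                    if net in owner and owner[net] != peer:
                        displaced.append((net, owner[net], peer))
                    owner[net] = peer                 # the later peer takes it over
    return owner, displaced

def peer_for(owner, address):
    """Longest-prefix match: the peer a packet to `address` is sent to, and
    the only peer from which a packet with that source address is accepted."""
    ip = ipaddress.ip_address(address)
    hits = [n for n in owner if n.version == ip.version and ip in n]
    return owner[max(hits, key=lambda n: n.prefixlen)] if hits else None

if __name__ == "__main__":
    table, lost = effective_allowed_ips(SAMPLE)
    for net, old, new in lost:
        print(f"{net}: moved from {old} to {new}")
    print("8.8.8.8 ->", peer_for(table, "8.8.8.8"))
```

Running a check like this before deploying a configuration shows which peer silently loses its default route, and therefore which peer's inbound traffic would no longer pass the AllowedIPs check.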
