WireGuard Archive on lore.kernel.org
* Support ip6tables-like network masks for allowed-ips besides CIDR
@ 2019-01-14  5:51 dllud
From: dllud @ 2019-01-14  5:51 UTC (permalink / raw)
  To: wireguard

Hi everyone,

Would it be possible for wireguard to support ip6tables-like network
masks [1] for the allowed-ips besides CIDR masks?
With CIDR we are limited to variable suffixes, while with network masks
we could have variable prefixes, suffixes or any combination.

[1] https://linux.die.net/man/8/ip6tables


Use case (why does it matter to me): I have a client-server setup where
I would like to allow the client peers to choose any IPv6 they wish as
long as they honor a given suffix. Collisions are avoided by having a
unique suffix for each client. With CIDR I can only make clients honor a

The long story
On my home network I reserved two IPv6 subnets for Wireguard clients:
- a private one, e.g. fdaa:aaaa:aaaa:aabb::/64 (never changes);
- a public one, e.g. 2001:aaaa:aaaa:aabb::/64 which is a subnet of the
subnet attributed by my ISP (the positions marked with aa's change
regularly according to the dynamic assigning done by my ISP).

Attributing public IPv6 addresses to the wireguard clients allows them
to reach the Internet through the tunnel with no need for NAT.

Currently, there seems to be no way of dynamically attributing IPs to
clients. (Or is there some kind of DHCPv6 over Wireguard?) Thus, to keep
my Cryptokey Routing Table working properly I have to update it on both
server and clients whenever my ISP attributes me a different subnet
(power outages, router restarts, etc.).
This is easy on the clients, which connect and disconnect regularly. I
just need a small script to connect to the wireguard server that gets
the current public subnet (from Dynamic DNS) before setting the public
IPv6 for the tunnel interface.
Things are nastier on the server side though, which is an OpenWrt
router. I would need a cron/procd job hammering OpenWrt config files
whenever a change is detected.
Network masks would be a much cleaner solution on this setup and
probably many others.

Note: I trust all my client peers (which are just me, on other computers
outside my home network).


Thanks for building wireguard and especially for publishing it as
open-source. You have a great piece of software here. Much appreciated.


WireGuard mailing list
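Added example (not from the post above and not WireGuard's own code): a Python sketch of the two matching rules the post contrasts. CIDR, which allowed-ips takes today, pins the leading bits; an ip6tables-style address/mask pair pins whatever bits the mask selects, so a suffix-only mask keeps matching a client after the ISP reassigns the prefix, and `cidr_prefix_len` shows that such a mask has no CIDR equivalent. The client suffix and all full addresses are constructed, modelled on the post's example /64 prefixes.

```python
import ipaddress

MAX128 = (1 << 128) - 1

def to_int(text):
    """Parse an IPv6 address literal to its 128-bit integer value."""
    return int(ipaddress.IPv6Address(text))

def mask_match(addr, pattern, mask):
    """ip6tables-style match: compare only the bits the mask selects."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(pattern) & m)

def cidr_match(addr, network):
    """CIDR match as allowed-ips works today: leading prefix bits only."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(network, strict=False)

def cidr_prefix_len(mask):
    """Prefix length if the mask is a contiguous run of leading ones, else None."""
    inverted = ~to_int(mask) & MAX128
    if inverted & (inverted + 1):  # zero bits are not all trailing: no CIDR form
        return None
    return 128 - inverted.bit_length()

# Constructed values modelled on the post: one client's fixed 64-bit suffix, the
# private and public /64 prefixes, and a new public prefix after an ISP change.
SUFFIX_MASK = "::ffff:ffff:ffff:ffff"  # any prefix, fixed 64-bit suffix
CLIENT_SUFFIX = "::1234:5678:9abc:def0"
PRIVATE = "fdaa:aaaa:aaaa:aabb:1234:5678:9abc:def0"
PUBLIC_OLD = "2001:aaaa:aaaa:aabb:1234:5678:9abc:def0"
PUBLIC_NEW = "2001:bbbb:bbbb:bbbb:1234:5678:9abc:def0"
OTHER_CLIENT = "2001:bbbb:bbbb:bbbb::2"  # different suffix, must not match

def demo():
    return {
        # the suffix mask keeps matching across both prefixes and the ISP change
        "mask_private": mask_match(PRIVATE, CLIENT_SUFFIX, SUFFIX_MASK),
        "mask_public_old": mask_match(PUBLIC_OLD, CLIENT_SUFFIX, SUFFIX_MASK),
        "mask_public_new": mask_match(PUBLIC_NEW, CLIENT_SUFFIX, SUFFIX_MASK),
        "mask_other_client": mask_match(OTHER_CLIENT, CLIENT_SUFFIX, SUFFIX_MASK),
        # the /128 entry the server holds today stops matching after the change
        "cidr_public_old": cidr_match(PUBLIC_OLD, PUBLIC_OLD + "/128"),
        "cidr_public_new": cidr_match(PUBLIC_NEW, PUBLIC_OLD + "/128"),
        # a suffix-only mask has no CIDR prefix length; a /64 netmask does
        "suffix_mask_prefix": cidr_prefix_len(SUFFIX_MASK),
        "slash64_prefix": cidr_prefix_len("ffff:ffff:ffff:ffff::"),
    }
```

Because allowed-ips also decides which source addresses the server accepts from a peer, a prefix-wildcard entry lets that peer send from any prefix, which is why the post's remark about trusting all its client peers matters for this design.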
