Development discussion of WireGuard
From: "Aaron Bolton" <aaron@bukn.net>
To: "'Eric Light'" <eric@ericlight.com>
Cc: <wireguard@lists.zx2c4.com>
Subject: RE: AllowedIPs
Date: Sun, 30 Aug 2020 10:55:12 +0100
Message-ID: <001b01d67eb3$a7d0e7e0$f772b7a0$@bukn.net>
In-Reply-To: <f6af6006-10fa-40bf-a7b2-bd01b323e85d@www.fastmail.com>

What would be the best way to bring up and down the wireguard interface without using wg-quick?

-----Original Message-----
From: Eric Light <eric@ericlight.com> 
Sent: 30 August 2020 10:01
To: Aaron Bolton <aaron@bukn.net>
Cc: wireguard@lists.zx2c4.com
Subject: Re: AllowedIPs

Ah yep, I haven't done that before, but Quagga has made many appearances on this list... And you're right, that's pretty much the time when folks stop working with wg-quick!  :-D

Good luck!

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Sun, 30 Aug 2020, at 20:56, Aaron Bolton wrote:
> Yes, this does, thanks.
> 
> I plan on using Quagga for BGP over WireGuard tunnels, so I guess I 
> need to avoid wg-quick if that makes changes to the routing table and 
> firewall, as I want to manage those myself.
> 
> > On 30 Aug 2020, at 00:16, Eric Light <eric@ericlight.com> wrote:
> >
> > I believe it's both, in a way.
> >
> > As far as wg is concerned, the AllowedIPs is effectively an ACL.  
> > Any traffic hitting your wireguard interface from an IP not within 
> > the AllowedIPs will either be dropped on decryption, or won't even 
> > be decrypted.  (It's one of these, but I can't remember which)
> >
> > On top of that, wg-quick interprets the AllowedIPs string and does other things, such as adding appropriate network routing (the second part of your guess), as well as modifying any client firewall rules to permit the traffic.
> >
> > Hope this helps  :)
> >
> > E
> >
> > --------------------------------------------
> > Q: Why is this email five sentences or less?
> > A: http://five.sentenc.es
> >
> >> On Sun, 30 Aug 2020, at 04:07, Aaron Bolton wrote:
> >> I’m trying to understand AllowedIPs better. Is it effectively an ACL 
> >> that says what is allowed down the tunnel, or is it a mechanism to 
> >> configure what addresses get routed down the tunnel?
> >>
> >> Thanks in advance
> >>
>

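A manual bring-up and tear-down that leaves the routing table and firewall untouched, as asked about in the message above. This is an added example, not part of the thread or the WireGuard project's code. The function names, the `DRY_RUN` switch and the sample arguments are assumptions made for illustration; a real run needs root, `iproute2` and the `wg` tool.

```shell
#!/bin/sh
# Added example: bring a WireGuard interface up/down without wg-quick.
# Interface name, config path and address are caller-supplied placeholders.

# Print the command instead of executing it when DRY_RUN=1 (hypothetical switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# True if the config contains keys that only wg-quick understands.
# `wg setconf` accepts the plain wg(8) format and rejects these keys.
has_wgquick_keys() {
    grep -Eiq '^[[:space:]]*(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)[[:space:]]*=' "$1"
}

# Usage: wg_up IFACE CONF ADDR/PREFIX
wg_up() {
    iface=$1 conf=$2 addr=$3
    if has_wgquick_keys "$conf"; then
        echo "error: $conf has wg-quick-only keys; see 'wg-quick strip'" >&2
        return 1
    fi
    # Create the device, load keys/peers/AllowedIPs, address it, set it up.
    # Nothing here adds routes for AllowedIPs or touches firewall rules, so
    # AllowedIPs acts only as the per-peer filter inside WireGuard.
    run ip link add dev "$iface" type wireguard &&
    run wg setconf "$iface" "$conf" &&
    run ip address add dev "$iface" "$addr" &&
    run ip link set up dev "$iface"
}

# Usage: wg_down IFACE
wg_down() {
    run ip link delete dev "$1"
}
```

Setting `DRY_RUN=1` before calling `wg_up` prints the four commands without changing the system.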
