Development discussion of WireGuard
 help / color / mirror / Atom feed
* Confused about AllowedIPs meaning?
@ 2020-07-26 10:57 Gunnar Niels
  2020-07-28 16:30 ` Lonnie Abelbeck
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Gunnar Niels @ 2020-07-26 10:57 UTC (permalink / raw)
  To: wireguard

Hello, I'm new to wireguard and have been experimenting with it in my home lab.
I'm interesting in using it to join two home networks (192.168.2.0/24 and
192.168.4.0/24). They're typical home networks in two physically different
locations, each with their own gateways to the internet. I'd like for the
machines on each network to use their default gateway for internet access, but
configure things so they use a simple linux machine (raspberry pi) to route
to the other subnet over wireguard is the destination is the opposite subnet.

One wireguard node is exposed via an endpoint with a dns A record (I'm port
forwarding to the internal machine). On the other subnet, the rpi node is behind
NAT and pointed to that endpoint.

I have been able to get the wireguard nodes to connect and route machines on
their opposite networks, but I haven't been able to get non-wireguard nodes
to communicate with non-wireguard nodes across the tunnel. I have a few questions
I'm trying to clear up:

* Is it true that there isn't really a notion of a server/client from wireguard's
perspective, they're really just nodes, and I've applied the semantic designation
of the node behind the endpoint as a server, and the node behind the NAT as the client?

* Here's my "server" config on 192.168.2.0/24:

===

[Interface]
Address = 10.2.0.1/24
ListenPort = 34777
PrivateKey = <server_priv_key>

[Peer]
PublicKey = <client_pub_key>
AllowedIPs = 10.2.0.2/32

===

Here's my "client" config on 192.168.4.0/24

===

[Interface]
Address = 10.2.0.2/24
PrivateKey = <client_priv_key>

[Peer]
PublicKey = <server_pub_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server_host>:34777
PersistentKeepalive = 15

===


The simplicity of the wireguard config is one of the best features about it,
but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
field configuring? I'm not sure how to configure these fields for my use-case.
I'm guessing the server configuration is explicitly whitelisting the client,
but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
I should have my subnets as part of this field, but I'm not sure where because
I'm not sure exactly what the field represents.

If someone could elaborate on it and point me in the right direction given my
objective, that would be much appreciated!

-GN


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-26 10:57 Confused about AllowedIPs meaning? Gunnar Niels
@ 2020-07-28 16:30 ` Lonnie Abelbeck
  2020-07-28 21:12 ` Tomcsanyi, Domonkos
  2020-07-29 10:40 ` John Sager
  2 siblings, 0 replies; 12+ messages in thread
From: Lonnie Abelbeck @ 2020-07-28 16:30 UTC (permalink / raw)
  To: Gunnar Niels; +Cc: WireGuard mailing list



> On Jul 26, 2020, at 5:57 AM, Gunnar Niels <gunnar.s.niels@gmail.com> wrote:
> 
> The simplicity of the wireguard config is one of the best features about it,
> but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
> field configuring? I'm not sure how to configure these fields for my use-case.

Possibly this link will help you:

Cryptokey Routing
https://www.wireguard.com/#cryptokey-routing

"At the heart of WireGuard is a concept called Cryptokey Routing,
which works by associating public keys with a list of tunnel IP addresses that are allowed inside the tunnel.
..."


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-26 10:57 Confused about AllowedIPs meaning? Gunnar Niels
  2020-07-28 16:30 ` Lonnie Abelbeck
@ 2020-07-28 21:12 ` Tomcsanyi, Domonkos
  2020-07-28 21:33   ` Rich Brown
  2020-07-29 10:40 ` John Sager
  2 siblings, 1 reply; 12+ messages in thread
From: Tomcsanyi, Domonkos @ 2020-07-28 21:12 UTC (permalink / raw)
  To: Gunnar Niels; +Cc: wireguard


> 2020. júl. 28. dátummal, 18:02 időpontban Gunnar Niels <gunnar.s.niels@gmail.com> írta:
> 
> Hello, I'm new to wireguard and have been experimenting with it in my home lab.
> I'm interesting in using it to join two home networks (192.168.2.0/24 and
> 192.168.4.0/24). They're typical home networks in two physically different
> locations, each with their own gateways to the internet. I'd like for the
> machines on each network to use their default gateway for internet access, but
> configure things so they use a simple linux machine (raspberry pi) to route
> to the other subnet over wireguard is the destination is the opposite subnet.
> 
> One wireguard node is exposed via an endpoint with a dns A record (I'm port
> forwarding to the internal machine). On the other subnet, the rpi node is behind
> NAT and pointed to that endpoint.
> 
> I have been able to get the wireguard nodes to connect and route machines on
> their opposite networks, but I haven't been able to get non-wireguard nodes
> to communicate with non-wireguard nodes across the tunnel. I have a few questions
> I'm trying to clear up:
> 
> * Is it true that there isn't really a notion of a server/client from wireguard's
> perspective, they're really just nodes, and I've applied the semantic designation
> of the node behind the endpoint as a server, and the node behind the NAT as the client?
> 
> * Here's my "server" config on 192.168.2.0/24:
> 
> ===
> 
> [Interface]
> Address = 10.2.0.1/24
> ListenPort = 34777
> PrivateKey = <server_priv_key>
> 
> [Peer]
> PublicKey = <client_pub_key>
> AllowedIPs = 10.2.0.2/32
> 
> ===
> 
> Here's my "client" config on 192.168.4.0/24
> 
> ===
> 
> [Interface]
> Address = 10.2.0.2/24
> PrivateKey = <client_priv_key>
> 
> [Peer]
> PublicKey = <server_pub_key>
> AllowedIPs = 0.0.0.0/0
> Endpoint = <server_host>:34777
> PersistentKeepalive = 15
> 
> ===
> 
> 
> The simplicity of the wireguard config is one of the best features about it,
> but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
> field configuring? I'm not sure how to configure these fields for my use-case.
> I'm guessing the server configuration is explicitly whitelisting the client,
> but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
> I should have my subnets as part of this field, but I'm not sure where because
> I'm not sure exactly what the field represents.
> 
> If someone could elaborate on it and point me in the right direction given my
> objective, that would be much appreciated!
> 
> -GN


I think mainly you need to decide whether you want to just route the traffic between the two networks or you want to use NAT as well.
In case you are just routing then you’d need at minimum the range of the other network, because after decrypting the source IP will be from that range. Otoh if you are using NAT you can just use an arbitrary IP address inbetween the two tunnel endpoints, because the traffic will be modified, just like when you go out to the interner via a router.
Also don’t forget to add the respective routes to either the local default gw or each host in case you are not using NAT - otherwise you won’t get any of the answers.
I hope this helped.

Cheers
Domi

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-28 21:12 ` Tomcsanyi, Domonkos
@ 2020-07-28 21:33   ` Rich Brown
  2020-07-29 16:11     ` M Rubon
  2020-07-29 22:18     ` Ivan Labáth
  0 siblings, 2 replies; 12+ messages in thread
From: Rich Brown @ 2020-07-28 21:33 UTC (permalink / raw)
  To: Tomcsanyi, Domonkos; +Cc: Gunnar Niels, wireguard

I'm new to WireGuard (and not an expert on routing), but here's my operational understanding of the definition of AllowedIPs:

---
AllowedIPs is the set of addresses that your WireGuard peer will send across the tunnel to its peer. 

When your computer is about to send a packet out, it compares the destination address with WireGuard's list of AllowedIPs. If there's a match, the packet goes out the WireGuard tunnel. Otherwise, the packet uses the default routing process.

In your case (joining private two networks together), you would list the subnet range(s) of the *other* network in *this* peer. If you want to send all traffic through the WireGuard tunnel (say, if you're in a coffee shop), you can include 0.0.0.0/0 (specifies all IPv4 addresses) and ::/0 (to specify all IPv6 addresses).
---

I would appreciate having someone else review that definition for correctness. (I also have a blog posting that talks about the WireGuard GUI on macOS - https://randomneuronsfiring.com/wireguard-on-macos/ Comments are welcome there, as well.) Thanks.

Rich

> On Jul 28, 2020, at 5:12 PM, Tomcsanyi, Domonkos <domi@tomcsanyi.net> wrote:
> 
> 
>> 2020. júl. 28. dátummal, 18:02 időpontban Gunnar Niels <gunnar.s.niels@gmail.com> írta:
>> 
>> Hello, I'm new to wireguard and have been experimenting with it in my home lab.
>> I'm interesting in using it to join two home networks (192.168.2.0/24 and
>> 192.168.4.0/24). They're typical home networks in two physically different
>> locations, each with their own gateways to the internet. I'd like for the
>> machines on each network to use their default gateway for internet access, but
>> configure things so they use a simple linux machine (raspberry pi) to route
>> to the other subnet over wireguard is the destination is the opposite subnet.
>> 
>> One wireguard node is exposed via an endpoint with a dns A record (I'm port
>> forwarding to the internal machine). On the other subnet, the rpi node is behind
>> NAT and pointed to that endpoint.
>> 
>> I have been able to get the wireguard nodes to connect and route machines on
>> their opposite networks, but I haven't been able to get non-wireguard nodes
>> to communicate with non-wireguard nodes across the tunnel. I have a few questions
>> I'm trying to clear up:
>> 
>> * Is it true that there isn't really a notion of a server/client from wireguard's
>> perspective, they're really just nodes, and I've applied the semantic designation
>> of the node behind the endpoint as a server, and the node behind the NAT as the client?
>> 
>> * Here's my "server" config on 192.168.2.0/24:
>> 
>> ===
>> 
>> [Interface]
>> Address = 10.2.0.1/24
>> ListenPort = 34777
>> PrivateKey = <server_priv_key>
>> 
>> [Peer]
>> PublicKey = <client_pub_key>
>> AllowedIPs = 10.2.0.2/32
>> 
>> ===
>> 
>> Here's my "client" config on 192.168.4.0/24
>> 
>> ===
>> 
>> [Interface]
>> Address = 10.2.0.2/24
>> PrivateKey = <client_priv_key>
>> 
>> [Peer]
>> PublicKey = <server_pub_key>
>> AllowedIPs = 0.0.0.0/0
>> Endpoint = <server_host>:34777
>> PersistentKeepalive = 15
>> 
>> ===
>> 
>> 
>> The simplicity of the wireguard config is one of the best features about it,
>> but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
>> field configuring? I'm not sure how to configure these fields for my use-case.
>> I'm guessing the server configuration is explicitly whitelisting the client,
>> but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
>> I should have my subnets as part of this field, but I'm not sure where because
>> I'm not sure exactly what the field represents.
>> 
>> If someone could elaborate on it and point me in the right direction given my
>> objective, that would be much appreciated!
>> 
>> -GN
> 
> 
> I think mainly you need to decide whether you want to just route the traffic between the two networks or you want to use NAT as well.
> In case you are just routing then you’d need at minimum the range of the other network, because after decrypting the source IP will be from that range. Otoh if you are using NAT you can just use an arbitrary IP address inbetween the two tunnel endpoints, because the traffic will be modified, just like when you go out to the interner via a router.
> Also don’t forget to add the respective routes to either the local default gw or each host in case you are not using NAT - otherwise you won’t get any of the answers.
> I hope this helped.
> 
> Cheers
> Domi


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-26 10:57 Confused about AllowedIPs meaning? Gunnar Niels
  2020-07-28 16:30 ` Lonnie Abelbeck
  2020-07-28 21:12 ` Tomcsanyi, Domonkos
@ 2020-07-29 10:40 ` John Sager
  2 siblings, 0 replies; 12+ messages in thread
From: John Sager @ 2020-07-29 10:40 UTC (permalink / raw)
  To: wireguard

So, are you running a RPi at each end as the Wireguard termination point? 
I'm assuming you can't run Wireguard on your border routers. If you could 
the config is easier, and you could if you used OpenWrt on the border 
routers. I'm also assuming that your border routers are wifi access points, 
so all your hosts connect there. So:

1) Give the RPi a static address on its home network, and a default route to 
its own border router. Put a static route in the border router to point to 
the RPi for the network address range at the *other* end. So all hosts 
connected to the border router go to the Internet for everything except the 
other network, which go to the RPi.

2) Put NAT rules in the border routers to point the Wireguard port to the 
RPi at its own end.

3) At RPi A set Wireguard to point to the Internet address & Wireguard port 
for Network B. Set AllowedIPs to the network B range.

4) Mirror (3) at the B end.

HTH John

On 26/07/2020 11:57, Gunnar Niels wrote:
> Hello, I'm new to wireguard and have been experimenting with it in my home lab.
> I'm interesting in using it to join two home networks (192.168.2.0/24 and
> 192.168.4.0/24). They're typical home networks in two physically different
> locations, each with their own gateways to the internet. I'd like for the
> machines on each network to use their default gateway for internet access, but
> configure things so they use a simple linux machine (raspberry pi) to route
> to the other subnet over wireguard is the destination is the opposite subnet.
> 
> One wireguard node is exposed via an endpoint with a dns A record (I'm port
> forwarding to the internal machine). On the other subnet, the rpi node is 
> behind
> NAT and pointed to that endpoint.
> 
> I have been able to get the wireguard nodes to connect and route machines on
> their opposite networks, but I haven't been able to get non-wireguard nodes
> to communicate with non-wireguard nodes across the tunnel. I have a few 
> questions
> I'm trying to clear up:
> 
> * Is it true that there isn't really a notion of a server/client from 
> wireguard's
> perspective, they're really just nodes, and I've applied the semantic 
> designation
> of the node behind the endpoint as a server, and the node behind the NAT as 
> the client?
> 
> * Here's my "server" config on 192.168.2.0/24:
> 
> ===
> 
> [Interface]
> Address = 10.2.0.1/24
> ListenPort = 34777
> PrivateKey = <server_priv_key>
> 
> [Peer]
> PublicKey = <client_pub_key>
> AllowedIPs = 10.2.0.2/32
> 
> ===
> 
> Here's my "client" config on 192.168.4.0/24
> 
> ===
> 
> [Interface]
> Address = 10.2.0.2/24
> PrivateKey = <client_priv_key>
> 
> [Peer]
> PublicKey = <server_pub_key>
> AllowedIPs = 0.0.0.0/0
> Endpoint = <server_host>:34777
> PersistentKeepalive = 15
> 
> ===
> 
> 
> The simplicity of the wireguard config is one of the best features about it,
> but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
> field configuring? I'm not sure how to configure these fields for my use-case.
> I'm guessing the server configuration is explicitly whitelisting the client,
> but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
> I should have my subnets as part of this field, but I'm not sure where because
> I'm not sure exactly what the field represents.
> 
> If someone could elaborate on it and point me in the right direction given my
> objective, that would be much appreciated!
> 
> -GN
> 

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-28 21:33   ` Rich Brown
@ 2020-07-29 16:11     ` M Rubon
  2020-07-29 16:27       ` Gunnar Niels
  2020-07-29 22:18     ` Ivan Labáth
  1 sibling, 1 reply; 12+ messages in thread
From: M Rubon @ 2020-07-29 16:11 UTC (permalink / raw)
  To: Rich Brown; +Cc: Tomcsanyi, Domonkos, Gunnar Niels, wireguard

I had similar questions about AllowedIPs

man wg    gives a slightly muddled definition of AllowedIPs
       AllowedIPs  — a comma-separated list of IP (v4 or v6) addresses
with CIDR masks from which incoming traffic
       from this peer is allowed and to which outgoing traffic  for
this  peer  is  directed.

The following is my rewriten slightly clearer definition, based on the
information at https://www.wireguard.com/#cryptokey-routing,
       AllowedIPs  — a comma-separated list of IP (v4 or v6) addresses
with CIDR masks which are allowed as
       destination addresses when sending via this peer and are
allowed as source addresses when receiving via this peer.

I hope this helps, and please correct me if any of this is wrong.

On Tue, 28 Jul 2020 at 17:45, Rich Brown <richb.hanover@gmail.com> wrote:
>
> I'm new to WireGuard (and not an expert on routing), but here's my operational understanding of the definition of AllowedIPs:
>
> ---
> AllowedIPs is the set of addresses that your WireGuard peer will send across the tunnel to its peer.
>
> When your computer is about to send a packet out, it compares the destination address with WireGuard's list of AllowedIPs. If there's a match, the packet goes out the WireGuard tunnel. Otherwise, the packet uses the default routing process.
>
> In your case (joining private two networks together), you would list the subnet range(s) of the *other* network in *this* peer. If you want to send all traffic through the WireGuard tunnel (say, if you're in a coffee shop), you can include 0.0.0.0/0 (specifies all IPv4 addresses) and ::/0 (to specify all IPv6 addresses).
> ---
>
> I would appreciate having someone else review that definition for correctness. (I also have a blog posting that talks about the WireGuard GUI on macOS - https://randomneuronsfiring.com/wireguard-on-macos/ Comments are welcome there, as well.) Thanks.
>
> Rich
>
> > On Jul 28, 2020, at 5:12 PM, Tomcsanyi, Domonkos <domi@tomcsanyi.net> wrote:
> >
> >
> >> 2020. júl. 28. dátummal, 18:02 időpontban Gunnar Niels <gunnar.s.niels@gmail.com> írta:
> >>
> >> Hello, I'm new to wireguard and have been experimenting with it in my home lab.
> >> I'm interesting in using it to join two home networks (192.168.2.0/24 and
> >> 192.168.4.0/24). They're typical home networks in two physically different
> >> locations, each with their own gateways to the internet. I'd like for the
> >> machines on each network to use their default gateway for internet access, but
> >> configure things so they use a simple linux machine (raspberry pi) to route
> >> to the other subnet over wireguard is the destination is the opposite subnet.
> >>
> >> One wireguard node is exposed via an endpoint with a dns A record (I'm port
> >> forwarding to the internal machine). On the other subnet, the rpi node is behind
> >> NAT and pointed to that endpoint.
> >>
> >> I have been able to get the wireguard nodes to connect and route machines on
> >> their opposite networks, but I haven't been able to get non-wireguard nodes
> >> to communicate with non-wireguard nodes across the tunnel. I have a few questions
> >> I'm trying to clear up:
> >>
> >> * Is it true that there isn't really a notion of a server/client from wireguard's
> >> perspective, they're really just nodes, and I've applied the semantic designation
> >> of the node behind the endpoint as a server, and the node behind the NAT as the client?
> >>
> >> * Here's my "server" config on 192.168.2.0/24:
> >>
> >> ===
> >>
> >> [Interface]
> >> Address = 10.2.0.1/24
> >> ListenPort = 34777
> >> PrivateKey = <server_priv_key>
> >>
> >> [Peer]
> >> PublicKey = <client_pub_key>
> >> AllowedIPs = 10.2.0.2/32
> >>
> >> ===
> >>
> >> Here's my "client" config on 192.168.4.0/24
> >>
> >> ===
> >>
> >> [Interface]
> >> Address = 10.2.0.2/24
> >> PrivateKey = <client_priv_key>
> >>
> >> [Peer]
> >> PublicKey = <server_pub_key>
> >> AllowedIPs = 0.0.0.0/0
> >> Endpoint = <server_host>:34777
> >> PersistentKeepalive = 15
> >>
> >> ===
> >>
> >>
> >> The simplicity of the wireguard config is one of the best features about it,
> >> but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
> >> field configuring? I'm not sure how to configure these fields for my use-case.
> >> I'm guessing the server configuration is explicitly whitelisting the client,
> >> but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
> >> I should have my subnets as part of this field, but I'm not sure where because
> >> I'm not sure exactly what the field represents.
> >>
> >> If someone could elaborate on it and point me in the right direction given my
> >> objective, that would be much appreciated!
> >>
> >> -GN
> >
> >
> > I think mainly you need to decide whether you want to just route the traffic between the two networks or you want to use NAT as well.
> > In case you are just routing then you’d need at minimum the range of the other network, because after decrypting the source IP will be from that range. Otoh if you are using NAT you can just use an arbitrary IP address inbetween the two tunnel endpoints, because the traffic will be modified, just like when you go out to the interner via a router.
> > Also don’t forget to add the respective routes to either the local default gw or each host in case you are not using NAT - otherwise you won’t get any of the answers.
> > I hope this helped.
> >
> > Cheers
> > Domi
>

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-29 16:11     ` M Rubon
@ 2020-07-29 16:27       ` Gunnar Niels
  0 siblings, 0 replies; 12+ messages in thread
From: Gunnar Niels @ 2020-07-29 16:27 UTC (permalink / raw)
  To: M Rubon, Rich Brown; +Cc: Tomcsanyi, Domonkos, wireguard

On 7/29/20 12:11 PM, M Rubon wrote:
> AllowedIPs  — a comma-separated list of IP (v4 or v6) addresses
> with CIDR masks which are allowed as
>         destination addresses when sending via this peer and are
> allowed as source addresses when receiving via this peer.

+1, the man page definition you cited is somewhat ambiguous; this is a more
explicit definition that clears up the ambiguity.

I really appreciate all the responses, it's been very helpful. I've waiting on
the hardware I've selected to ship before deploying the suggestions. I'm planning
on using a pfsense default gateway for both networks and running RPi 4s
with static addresses on both subnets as wireguard gateways between the two nets
(they have gigabit NICs which is a nice upgrade over my older 3s, especially
for this use-case). From some of the PFSense community discussions, it doesn't
look like they're ready to accept an official wireguard plugin, although there
are some community contributions.

I will report back after I've my hardware has arrived and I've had some time to
tinker.

-GN


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-28 21:33   ` Rich Brown
  2020-07-29 16:11     ` M Rubon
@ 2020-07-29 22:18     ` Ivan Labáth
  2020-07-30  0:57       ` Rich Brown
  1 sibling, 1 reply; 12+ messages in thread
From: Ivan Labáth @ 2020-07-29 22:18 UTC (permalink / raw)
  To: Rich Brown; +Cc: Tomcsanyi, Domonkos, Gunnar Niels, wireguard

On Tue, Jul 28, 2020 at 05:33:43PM -0400, Rich Brown wrote:
> AllowedIPs is the set of addresses that your WireGuard peer will send across the tunnel to its peer. 

The definition is close, but not precise. Assuming things haven't
changed much:

  AllowedIPs specifies the set of addresses that your WireGuard
host will send across the tunnel to its peer, and accept from
the peer.

AllowedIPs is not a set of addresses, but of networks, wherein
the peer with most specific match wins - as in a routing table.
Also, beware negations might not do what you expect.


Routing should work like so:

When a linux system is sending a packet, it first consults
the system routing table to choose the appropriate device.
Then, if the outgoing device is a wireguard tunnel, it
consults the routing table of the WG device to choose a peer.
WG device's routing table is constructed from peers' AllowedIPs.
When a peer is selected, the packet is encapsulated and sent
to the peer's latest enpoint. Then the system routing table
is again consulted, and hopefully a different outgoing device
is selected.

Note that the routing table is in fact a tree where the most
specific match wins - both the system one and wireguard's.
Also note that overlapping networks are allowed (e.g. 0.0.0.0/0,
and 10.0.0.0/8), but identical networks in a single WG device
are not allowed as neither would be more specific. The system
routing table would throw an error on such attempts, but wireguard
silently discards the old route keeping only the last one,
so you need to be careful here.


Such is basic routing. In more complicated scenarios:
 - routing rules select the routing table
 - iptables/nftables can change addresses, select devices, even clone packets
 - namespaces can nearly create an isolated network host/partition
and you can also have xfrm encapsulation, maybe vdevs do something..
All of this is either before the packet enters wireguard device
(where wireguard routing is done), and/or after the packet is
encapsulated/decapsulated (encrypted/decrypted) and processed again.


When a packet is received, the system may also check the routing
table for the source/peer address, and if the source device
doesn't match the routing table entry, the packet would be discarded
- so called reverse path filtering.
Initial lookup of the encapsulated packet source in the system
routing table is governed by the rp_filter setting.
When a packet is processed by wireguard, the inner, decapsulated
source is unconditionally checked for in the device routing table
and packet discarded if peer doesn't match - i.e. the peer's allowed
IPs must match, and also be the single most specific match.
After wireguard decapsulation, the inner packet is again processes
by the system, possibly checking the ips.


Regards,
Ivan

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-29 22:18     ` Ivan Labáth
@ 2020-07-30  0:57       ` Rich Brown
  2020-07-30 14:02         ` M Rubon
  0 siblings, 1 reply; 12+ messages in thread
From: Rich Brown @ 2020-07-30  0:57 UTC (permalink / raw)
  To: Ivan Labáth; +Cc: Tomcsanyi, Domonkos, Gunnar Niels, wireguard

These are helpful comments.

> On Jul 29, 2020, at 6:18 PM, Ivan Labáth <labawi-wg@matrix-dream.net> wrote:
> 
> On Tue, Jul 28, 2020 at 05:33:43PM -0400, Rich Brown wrote:
>> AllowedIPs is the set of addresses that your WireGuard peer will send across the tunnel to its peer. 
> 
> The definition is close, but not precise. Assuming things haven't
> changed much:
> 
>  AllowedIPs specifies the set of addresses that your WireGuard
> host will send across the tunnel to its peer, and accept from
> the peer.

I think you and M. Rubon from earlier this afternoon are saying much the same thing. I like those definitions because they make it explicit that the AllowedIPs are used both for transmission (only packets with those destinations will be sent through the tunnel) and receipt (only those source addresses will be allowed back through the tunnel). 

But I believe these definitions still leave uncertainty:

- Should the definition of AllowedIPs mention the "Address" of the peer? That is, must the peer's Address be listed in AllowedIPs? [*]
- Some guides state that the Address specified for this peer and the other peer should be chosen from a subnet different from any on the networks. Is this a recommendation? A requirement? [**]

My goal is to produce a straightforward "can't fail" guide for people who simply want to set up a VPN from their laptop to their office or home network. (Of course, the definitions must be correct, but I want to leave out all the details and options that aren't essential for that simple case.) Is the following a "good enough" definition to include in a "Just Do This" guide? 

> AllowedIPs  — a comma-separated list of IP (v4 or v6) addresses with CIDR masks which are allowed:
> - as destination addresses when sending via this peer and 
> - as source addresses when receiving via this peer.

Thanks.

Rich

[*] I think it is not necessary to specify the peer's Address in AllowedIPs. If it's not included, it won't be possible to interact with the peer using that address (since it's not in AllowedIPs). However, the peer will likely have an address that *is* in AllowedIPs, and that's how it will be accessible. True?

[**] I suspect it would be possible to assign each peer's Address from an existing subnet. But for simplicity, the I believe the guide should recommend a completely different subnet for the peers to avoid any confusion. True?

PS The remainder of the note is good/correct, but it muddies the water by bringing up lots options and special cases that don't apply to the simplest use cases.

> AllowedIPs is not a set of addresses, but of networks, wherein
> the peer with most specific match wins - as in a routing table.
> Also, beware negations might not do what you expect.
> 
> 
> Routing should work like so:
> 
> When a linux system is sending a packet, it first consults
> the system routing table to choose the appropriate device.
> Then, if the outgoing device is a wireguard tunnel, it
> consults the routing table of the WG device to choose a peer.
> WG device's routing table is constructed from peers' AllowedIPs.
> When a peer is selected, the packet is encapsulated and sent
> to the peer's latest enpoint. Then the system routing table
> is again consulted, and hopefully a different outgoing device
> is selected.
> 
> Note that the routing table is in fact a tree where the most
> specific match wins - both the system one and wireguard's.
> Also note that overlapping networks are allowed (e.g. 0.0.0.0/0,
> and 10.0.0.0/8), but identical networks in a single WG device
> are not allowed as neither would be more specific. The system
> routing table would throw an error on such attempts, but wireguard
> silently discards the old route keeping only the last one,
> so you need to be careful here.
> 
> 
> Such is basic routing. In more complicated scenarios:
> - routing rules select the routing table
> - iptables/nftables can change addresses, select devices, even clone packets
> - namespaces can nearly create an isolated network host/partition
> and you can also have xfrm encapsulation, maybe vdevs do something..
> All of this is either before the packet enters wireguard device
> (where wireguard routing is done), and/or after the packet is
> encapsulated/decapsulated (encrypted/decrypted) and processed again.
> 
> 
> When a packet is received, the system may also check the routing
> table for the source/peer address, and if the source device
> doesn't match the routing table entry, the packet would be discarded
> - so called reverse path filtering.
> Initial lookup of the encapsulated packet source in the system
> routing table is governed by the rp_filter setting.
> When a packet is processed by wireguard, the inner, decapsulated
> source is unconditionally checked for in the device routing table
> and packet discarded if peer doesn't match - i.e. the peer's allowed
> IPs must match, and also be the single most specific match.
> After wireguard decapsulation, the inner packet is again processes
> by the system, possibly checking the ips.
> 
> 
> Regards,
> Ivan


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-30  0:57       ` Rich Brown
@ 2020-07-30 14:02         ` M Rubon
  2020-07-30 18:08           ` Ivan Labáth
  0 siblings, 1 reply; 12+ messages in thread
From: M Rubon @ 2020-07-30 14:02 UTC (permalink / raw)
  To: Rich Brown; +Cc: Ivan Labáth, Tomcsanyi, Domonkos, Gunnar Niels, wireguard

>  - Should the definition of AllowedIPs mention the "Address" of the peer? That is, must the peer's Address be listed in AllowedIPs? [*]
> - Some guides state that the Address specified for this peer and the other peer should be chosen from a subnet different from any on the networks. Is this a recommendation? A requirement? [**]

The address of the peer does *not* need to be included in AllowedIPs.
If it is not there, the wg tunnel will still be created, but as
discussed the wg tunnel will only accept packets with a destination
address listed in AllowedIPs.

Following is the wg output when I have commented out the AllowedIPs
entry in the config file.  You will see the handshake is still
happening, though in this case the tunnel itself will accept no
packets.  It is an existing but sad tunnel :-(

peer: tndyLlE+lVFz/HIGs9BpjH....
  endpoint: 192.168.82.234:57331
  allowed ips: (none)
  latest handshake: 35 seconds ago
  transfer: 280 B received, 456 B sent
  persistent keepalive: every 25 seconds


On Wed, 29 Jul 2020 at 20:58, Rich Brown <richb.hanover@gmail.com> wrote:
>
> These are helpful comments.
>
> > On Jul 29, 2020, at 6:18 PM, Ivan Labáth <labawi-wg@matrix-dream.net> wrote:
> >
> > On Tue, Jul 28, 2020 at 05:33:43PM -0400, Rich Brown wrote:
> >> AllowedIPs is the set of addresses that your WireGuard peer will send across the tunnel to its peer.
> >
> > The definition is close, but not precise. Assuming things haven't
> > changed much:
> >
> >  AllowedIPs specifies the set of addresses that your WireGuard
> > host will send across the tunnel to its peer, and accept from
> > the peer.
>
> I think you and M. Rubon from earlier this afternoon are saying much the same thing. I like those definitions because they make it explicit that the AllowedIPs are used both for transmission (only packets with those destinations will be sent through the tunnel) and receipt (only those source addresses will be allowed back through the tunnel).
>
> But I believe these definitions still leave uncertainty:
>
> - Should the definition of AllowedIPs mention the "Address" of the peer? That is, must the peer's Address be listed in AllowedIPs? [*]
> - Some guides state that the Address specified for this peer and the other peer should be chosen from a subnet different from any on the networks. Is this a recommendation? A requirement? [**]
>
> My goal is to produce a straightforward "can't fail" guide for people who simply want to set up a VPN from their laptop to their office or home network. (Of course, the definitions must be correct, but I want to leave out all the details and options that aren't essential for that simple case.) Is the following a "good enough" definition to include in a "Just Do This" guide?
>
> > AllowedIPs  — a comma-separated list of IP (v4 or v6) addresses with CIDR masks which are allowed:
> > - as destination addresses when sending via this peer and
> > - as source addresses when receiving via this peer.
>
> Thanks.
>
> Rich
>
> [*] I think it is not necessary to specify the peer's Address in AllowedIPs. If it's not included, it won't be possible to interact with the peer using that address (since it's not in AllowedIPs). However, the peer will likely have an address that *is* in AllowedIPs, and that's how it will be accessible. True?
>
> [**] I suspect it would be possible to assign each peer's Address from an existing subnet. But for simplicity, the I believe the guide should recommend a completely different subnet for the peers to avoid any confusion. True?
>
> PS The remainder of the note is good/correct, but it muddies the water by bringing up lots options and special cases that don't apply to the simplest use cases.
>
> > AllowedIPs is not a set of addresses, but of networks, wherein
> > the peer with most specific match wins - as in a routing table.
> > Also, beware negations might not do what you expect.
> >
> >
> > Routing should work like so:
> >
> > When a linux system is sending a packet, it first consults
> > the system routing table to choose the appropriate device.
> > Then, if the outgoing device is a wireguard tunnel, it
> > consults the routing table of the WG device to choose a peer.
> > WG device's routing table is constructed from peers' AllowedIPs.
> > When a peer is selected, the packet is encapsulated and sent
> > to the peer's latest enpoint. Then the system routing table
> > is again consulted, and hopefully a different outgoing device
> > is selected.
> >
> > Note that the routing table is in fact a tree where the most
> > specific match wins - both the system one and wireguard's.
> > Also note that overlapping networks are allowed (e.g. 0.0.0.0/0,
> > and 10.0.0.0/8), but identical networks in a single WG device
> > are not allowed as neither would be more specific. The system
> > routing table would throw an error on such attempts, but wireguard
> > silently discards the old route keeping only the last one,
> > so you need to be careful here.
> >
> >
> > Such is basic routing. In more complicated scenarios:
> > - routing rules select the routing table
> > - iptables/nftables can change addresses, select devices, even clone packets
> > - namespaces can nearly create an isolated network host/partition
> > and you can also have xfrm encapsulation, maybe vdevs do something..
> > All of this is either before the packet enters wireguard device
> > (where wireguard routing is done), and/or after the packet is
> > encapsulated/decapsulated (encrypted/decrypted) and processed again.
> >
> >
> > When a packet is received, the system may also check the routing
> > table for the source/peer address, and if the source device
> > doesn't match the routing table entry, the packet would be discarded
> > - so called reverse path filtering.
> > Initial lookup of the encapsulated packet source in the system
> > routing table is governed by the rp_filter setting.
> > When a packet is processed by wireguard, the inner, decapsulated
> > source is unconditionally checked for in the device routing table
> > and packet discarded if peer doesn't match - i.e. the peer's allowed
> > IPs must match, and also be the single most specific match.
> > After wireguard decapsulation, the inner packet is again processes
> > by the system, possibly checking the ips.
> >
> >
> > Regards,
> > Ivan
>

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-30 14:02         ` M Rubon
@ 2020-07-30 18:08           ` Ivan Labáth
  2020-07-30 21:03             ` Rich Brown
  0 siblings, 1 reply; 12+ messages in thread
From: Ivan Labáth @ 2020-07-30 18:08 UTC (permalink / raw)
  To: M Rubon; +Cc: Rich Brown, Tomcsanyi, Domonkos, Gunnar Niels, wireguard

To be clear, you should not put the endpoint address
in the allowed ips list. The endpoint address is
for routing over a "physical" network, while
the "allowed" ips are the ips traveling via the tunnel,
which have no relation to the endpoint address.


On Thu, Jul 30, 2020 at 10:02:10AM -0400, M Rubon wrote:
> >  - Should the definition of AllowedIPs mention the "Address" of the peer? That is, must the peer's Address be listed in AllowedIPs? [*]
> > - Some guides state that the Address specified for this peer and the other peer should be chosen from a subnet different from any on the networks. Is this a recommendation? A requirement? [**]
> 
> The address of the peer does *not* need to be included in AllowedIPs.
> If it is not there, the wg tunnel will still be created, but as
> discussed the wg tunnel will only accept packets with a destination
> address listed in AllowedIPs.
> 
> Following is the wg output when I have commented out the AllowedIPs
> entry in the config file.  You will see the handshake is still
> happening, though in this case the tunnel itself will accept no
> packets.  It is an existing but sad tunnel :-(
> 
> peer: tndyLlE+lVFz/HIGs9BpjH....
>   endpoint: 192.168.82.234:57331
>   allowed ips: (none)
>   latest handshake: 35 seconds ago
>   transfer: 280 B received, 456 B sent
>   persistent keepalive: every 25 seconds
> 
> 
> On Wed, 29 Jul 2020 at 20:58, Rich Brown <richb.hanover@gmail.com> wrote:
> >
> > These are helpful comments.
> >
> > > On Jul 29, 2020, at 6:18 PM, Ivan Labáth <labawi-wg@matrix-dream.net> wrote:
> > >
> > > On Tue, Jul 28, 2020 at 05:33:43PM -0400, Rich Brown wrote:
> > >> AllowedIPs is the set of addresses that your WireGuard peer will send across the tunnel to its peer.
> > >
> > > The definition is close, but not precise. Assuming things haven't
> > > changed much:
> > >
> > >  AllowedIPs specifies the set of addresses that your WireGuard
> > > host will send across the tunnel to its peer, and accept from
> > > the peer.
> >
> > I think you and M. Rubon from earlier this afternoon are saying much the same thing. I like those definitions because they make it explicit that the AllowedIPs are used both for transmission (only packets with those destinations will be sent through the tunnel) and receipt (only those source addresses will be allowed back through the tunnel).
> >
> > But I believe these definitions still leave uncertainty:
> >
> > - Should the definition of AllowedIPs mention the "Address" of the peer? That is, must the peer's Address be listed in AllowedIPs? [*]
> > - Some guides state that the Address specified for this peer and the other peer should be chosen from a subnet different from any on the networks. Is this a recommendation? A requirement? [**]
> >
> > My goal is to produce a straightforward "can't fail" guide for people who simply want to set up a VPN from their laptop to their office or home network. (Of course, the definitions must be correct, but I want to leave out all the details and options that aren't essential for that simple case.) Is the following a "good enough" definition to include in a "Just Do This" guide?
> >
> > > AllowedIPs  — a comma-separated list of IP (v4 or v6) addresses with CIDR masks which are allowed:
> > > - as destination addresses when sending via this peer and
> > > - as source addresses when receiving via this peer.
> >
> > Thanks.
> >
> > Rich
> >
> > [*] I think it is not necessary to specify the peer's Address in AllowedIPs. If it's not included, it won't be possible to interact with the peer using that address (since it's not in AllowedIPs). However, the peer will likely have an address that *is* in AllowedIPs, and that's how it will be accessible. True?
> >
> > [**] I suspect it would be possible to assign each peer's Address from an existing subnet. But for simplicity, the I believe the guide should recommend a completely different subnet for the peers to avoid any confusion. True?
> >
> > PS The remainder of the note is good/correct, but it muddies the water by bringing up lots options and special cases that don't apply to the simplest use cases.
> >
> > > AllowedIPs is not a set of addresses, but of networks, wherein
> > > the peer with most specific match wins - as in a routing table.
> > > Also, beware negations might not do what you expect.
> > >
> > >
> > > Routing should work like so:
> > >
> > > When a linux system is sending a packet, it first consults
> > > the system routing table to choose the appropriate device.
> > > Then, if the outgoing device is a wireguard tunnel, it
> > > consults the routing table of the WG device to choose a peer.
> > > WG device's routing table is constructed from peers' AllowedIPs.
> > > When a peer is selected, the packet is encapsulated and sent
> > > to the peer's latest enpoint. Then the system routing table
> > > is again consulted, and hopefully a different outgoing device
> > > is selected.
> > >
> > > Note that the routing table is in fact a tree where the most
> > > specific match wins - both the system one and wireguard's.
> > > Also note that overlapping networks are allowed (e.g. 0.0.0.0/0,
> > > and 10.0.0.0/8), but identical networks in a single WG device
> > > are not allowed as neither would be more specific. The system
> > > routing table would throw an error on such attempts, but wireguard
> > > silently discards the old route keeping only the last one,
> > > so you need to be careful here.
> > >
> > >
> > > Such is basic routing. In more complicated scenarios:
> > > - routing rules select the routing table
> > > - iptables/nftables can change addresses, select devices, even clone packets
> > > - namespaces can nearly create an isolated network host/partition
> > > and you can also have xfrm encapsulation, maybe vdevs do something..
> > > All of this is either before the packet enters wireguard device
> > > (where wireguard routing is done), and/or after the packet is
> > > encapsulated/decapsulated (encrypted/decrypted) and processed again.
> > >
> > >
> > > When a packet is received, the system may also check the routing
> > > table for the source/peer address, and if the source device
> > > doesn't match the routing table entry, the packet would be discarded
> > > - so called reverse path filtering.
> > > Initial lookup of the encapsulated packet source in the system
> > > routing table is governed by the rp_filter setting.
> > > When a packet is processed by wireguard, the inner, decapsulated
> > > source is unconditionally checked for in the device routing table
> > > and packet discarded if peer doesn't match - i.e. the peer's allowed
> > > IPs must match, and also be the single most specific match.
> > > After wireguard decapsulation, the inner packet is again processes
> > > by the system, possibly checking the ips.
> > >
> > >
> > > Regards,
> > > Ivan
> >

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Confused about AllowedIPs meaning?
  2020-07-30 18:08           ` Ivan Labáth
@ 2020-07-30 21:03             ` Rich Brown
  0 siblings, 0 replies; 12+ messages in thread
From: Rich Brown @ 2020-07-30 21:03 UTC (permalink / raw)
  To: Ivan Labáth; +Cc: M Rubon, Tomcsanyi, Domonkos, Gunnar Niels, wireguard

Thanks for these additional comments. 

> On Jul 30, 2020, at 2:08 PM, Ivan Labáth <labawi-wg@matrix-dream.net> wrote:
> 
> To be clear, you should not put the endpoint address
> in the allowed ips list. The endpoint address is
> for routing over a "physical" network, while
> the "allowed" ips are the ips traveling via the tunnel,
> which have no relation to the endpoint address.

Now we're gettin' somewhere! I have updated my description to include all these thoughts: https://randomneuronsfiring.com/wireguard-on-macos/

Any further comments? (I asserted that the peer addresses should be in a unique subnet - True?) Many thanks,

Rich

> 
> 
> On Thu, Jul 30, 2020 at 10:02:10AM -0400, M Rubon wrote:
>>> - Should the definition of AllowedIPs mention the "Address" of the peer? That is, must the peer's Address be listed in AllowedIPs? [*]
>>> - Some guides state that the Address specified for this peer and the other peer should be chosen from a subnet different from any on the networks. Is this a recommendation? A requirement? [**]
>> 
>> The address of the peer does *not* need to be included in AllowedIPs.
>> If it is not there, the wg tunnel will still be created, but as
>> discussed the wg tunnel will only accept packets with a destination
>> address listed in AllowedIPs.
>> 
>> Following is the wg output when I have commented out the AllowedIPs
>> entry in the config file.  You will see the handshake is still
>> happening, though in this case the tunnel itself will accept no
>> packets.  It is an existing but sad tunnel :-(
>> 
>> peer: tndyLlE+lVFz/HIGs9BpjH....
>>  endpoint: 192.168.82.234:57331
>>  allowed ips: (none)
>>  latest handshake: 35 seconds ago
>>  transfer: 280 B received, 456 B sent
>>  persistent keepalive: every 25 seconds
>> 
>> 
>> On Wed, 29 Jul 2020 at 20:58, Rich Brown <richb.hanover@gmail.com> wrote:
>>> 
>>> These are helpful comments.
>>> 
>>>> On Jul 29, 2020, at 6:18 PM, Ivan Labáth <labawi-wg@matrix-dream.net> wrote:
>>>> 
>>>> On Tue, Jul 28, 2020 at 05:33:43PM -0400, Rich Brown wrote:
>>>>> AllowedIPs is the set of addresses that your WireGuard peer will send across the tunnel to its peer.
>>>> 
>>>> The definition is close, but not precise. Assuming things haven't
>>>> changed much:
>>>> 
>>>> AllowedIPs specifies the set of addresses that your WireGuard
>>>> host will send across the tunnel to its peer, and accept from
>>>> the peer.
>>> 
>>> I think you and M. Rubon from earlier this afternoon are saying much the same thing. I like those definitions because they make it explicit that the AllowedIPs are used both for transmission (only packets with those destinations will be sent through the tunnel) and receipt (only those source addresses will be allowed back through the tunnel).
>>> 
>>> But I believe these definitions still leave uncertainty:
>>> 
>>> - Should the definition of AllowedIPs mention the "Address" of the peer? That is, must the peer's Address be listed in AllowedIPs? [*]
>>> - Some guides state that the Address specified for this peer and the other peer should be chosen from a subnet different from any on the networks. Is this a recommendation? A requirement? [**]
>>> 
>>> My goal is to produce a straightforward "can't fail" guide for people who simply want to set up a VPN from their laptop to their office or home network. (Of course, the definitions must be correct, but I want to leave out all the details and options that aren't essential for that simple case.) Is the following a "good enough" definition to include in a "Just Do This" guide?
>>> 
>>>> AllowedIPs  — a comma-separated list of IP (v4 or v6) addresses with CIDR masks which are allowed:
>>>> - as destination addresses when sending via this peer and
>>>> - as source addresses when receiving via this peer.
>>> 
>>> Thanks.
>>> 
>>> Rich
>>> 
>>> [*] I think it is not necessary to specify the peer's Address in AllowedIPs. If it's not included, it won't be possible to interact with the peer using that address (since it's not in AllowedIPs). However, the peer will likely have an address that *is* in AllowedIPs, and that's how it will be accessible. True?
>>> 
>>> [**] I suspect it would be possible to assign each peer's Address from an existing subnet. But for simplicity, the I believe the guide should recommend a completely different subnet for the peers to avoid any confusion. True?
>>> 
>>> PS The remainder of the note is good/correct, but it muddies the water by bringing up lots options and special cases that don't apply to the simplest use cases.
>>> 
>>>> AllowedIPs is not a set of addresses, but of networks, wherein
>>>> the peer with most specific match wins - as in a routing table.
>>>> Also, beware negations might not do what you expect.
>>>> 
>>>> 
>>>> Routing should work like so:
>>>> 
>>>> When a linux system is sending a packet, it first consults
>>>> the system routing table to choose the appropriate device.
>>>> Then, if the outgoing device is a wireguard tunnel, it
>>>> consults the routing table of the WG device to choose a peer.
>>>> WG device's routing table is constructed from peers' AllowedIPs.
>>>> When a peer is selected, the packet is encapsulated and sent
>>>> to the peer's latest enpoint. Then the system routing table
>>>> is again consulted, and hopefully a different outgoing device
>>>> is selected.
>>>> 
>>>> Note that the routing table is in fact a tree where the most
>>>> specific match wins - both the system one and wireguard's.
>>>> Also note that overlapping networks are allowed (e.g. 0.0.0.0/0,
>>>> and 10.0.0.0/8), but identical networks in a single WG device
>>>> are not allowed as neither would be more specific. The system
>>>> routing table would throw an error on such attempts, but wireguard
>>>> silently discards the old route keeping only the last one,
>>>> so you need to be careful here.
>>>> 
>>>> 
>>>> Such is basic routing. In more complicated scenarios:
>>>> - routing rules select the routing table
>>>> - iptables/nftables can change addresses, select devices, even clone packets
>>>> - namespaces can nearly create an isolated network host/partition
>>>> and you can also have xfrm encapsulation, maybe vdevs do something..
>>>> All of this is either before the packet enters wireguard device
>>>> (where wireguard routing is done), and/or after the packet is
>>>> encapsulated/decapsulated (encrypted/decrypted) and processed again.
>>>> 
>>>> 
>>>> When a packet is received, the system may also check the routing
>>>> table for the source/peer address, and if the source device
>>>> doesn't match the routing table entry, the packet would be discarded
>>>> - so called reverse path filtering.
>>>> Initial lookup of the encapsulated packet source in the system
>>>> routing table is governed by the rp_filter setting.
>>>> When a packet is processed by wireguard, the inner, decapsulated
>>>> source is unconditionally checked for in the device routing table
>>>> and packet discarded if peer doesn't match - i.e. the peer's allowed
>>>> IPs must match, and also be the single most specific match.
>>>> After wireguard decapsulation, the inner packet is again processes
>>>> by the system, possibly checking the ips.
>>>> 
>>>> 
>>>> Regards,
>>>> Ivan
>>> 


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2020-07-31 14:19 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-26 10:57 Confused about AllowedIPs meaning? Gunnar Niels
2020-07-28 16:30 ` Lonnie Abelbeck
2020-07-28 21:12 ` Tomcsanyi, Domonkos
2020-07-28 21:33   ` Rich Brown
2020-07-29 16:11     ` M Rubon
2020-07-29 16:27       ` Gunnar Niels
2020-07-29 22:18     ` Ivan Labáth
2020-07-30  0:57       ` Rich Brown
2020-07-30 14:02         ` M Rubon
2020-07-30 18:08           ` Ivan Labáth
2020-07-30 21:03             ` Rich Brown
2020-07-29 10:40 ` John Sager

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).