[WireGuard] Nesting WireGuard tunnels

[WireGuard] Nesting WireGuard tunnels

[Justin Kilpatrick]

I won't bore you with the details but I'm working on a project where nesting Wireguard tunnels is an attractive solution to a thorny problem. 

It looks like this. 

A <--Tunnel A on port 51821--> B <--Tunnel B on port 51820--> C 

Where A is sending packets addressed to the internal endpoint of  Tunnel B on port 51821 and B forwards them along. 

I see the correct packets come out of the Tunnel B interface at the destination, but they never seem to go into the Tunnel A endpoint on Device C. If I had to make a guess I'd say that since WireGuard is in-kernel it will never listen on devices that aren't physical nics. 

For the short term I've solved this problem by having Device C use a keepalive to Device A, which has only a single tunnel. The NAT traversal code then figures out how to navigate the nested tunnels on Device C to form a bi-directional connection.

My questions are. 

1) Is capability for nesting a feature that the community is interested in?
2) Can it be implemented in a sane way?
3) If the above two points are true, I'd appreciate some pointers about how to get started on a patch.  

-- 
  Justin Kilpatrick
  justin@altheamesh.com

Re: [WireGuard] Nesting WireGuard tunnels

[Jason A. Donenfeld]

Hi Justin,

WireGuard listens on all ports, so this shouldn't be a problem to do
with multiple interfaces.

It does not currently support tunneling packets from one peer through
another, because it's difficult to avoid loops that way, but if you
think this would be useful it could be worked out in greater detail.

Regards,
Jason