Development discussion of WireGuard
* Multiple peers
@ 2018-03-13 17:07 Gianluca Gabrielli
From: Gianluca Gabrielli @ 2018-03-13 17:07 UTC (permalink / raw)
  To: wireguard

Hi everybody,

I have five peers, and I want each peer to be able to talk with all the other
peers. Moreover, let's say that one of these peers will act as a server and as
a gateway, while the other four will be only clients.
I wonder if I need to copy/paste all peers' public keys into all the other
peers' configuration, or whether I can just configure each peer to connect to
the server and then allow peers to talk with other peers by passing through
this server?
(Something similar to client-to-client option on OpenVPN)

I don't care about firewall rules to configure the server to NAT clients'
connections, my question is just about wireguard configuration.

Cheers,
Gianluca


* Re: Multiple peers
@ 2018-03-13 17:35 ` condor+wireguard-mailinglist
From: condor+wireguard-mailinglist @ 2018-03-13 17:35 UTC (permalink / raw)
  To: wireguard

Hi Gianluca,

> I wonder if I need to copy/paste all peers' public keys into all the
> other peers' configuration, or whether I can just configure each peer to
> connect to the server and then allow peers to talk with other peers by
> passing through this server?

If you want each peer to have a 1:1 connection to each other peer, then 
– yes. But to maintain such a mesh will be quite a bit of work…

The easier solution should be to use the server as a hub. Make sure the 
AllowedIPs on the “clients” permit the subnet IP range you will be 
using, e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for 
each peer should reflect the single address (/32) you are setting as 
interface address on the peer's side.

To glue, add an iptables rule:
iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT


Kind regards,
Peter

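The hub-and-spoke layout Peter describes, as an added example written for this thread (not WireGuard project code): a small POSIX shell generator that emits a wg-quick config for the hub and one for each client, so the AllowedIPs asymmetry is visible side by side. It assumes the 192.168.10.0/24 subnet from the reply with the hub at .1, interface wg9 as in the iptables rule, a hypothetical endpoint hub.example.net:51820, and constructed placeholder keys. Two things a practitioner should check that the reply does not spell out: the hub must have net.ipv4.ip_forward enabled or the FORWARD rule never sees a packet, and the /32 AllowedIPs on the hub is what stops one client from sourcing packets as another client's address, so the checker at the end refuses any wider prefix on the hub side.

```shell
#!/bin/sh
# Hub-and-spoke WireGuard config generator. Added example, not project code.
# Assumptions (not from the thread): subnet 192.168.10.0/24, hub at .1,
# interface wg9, hypothetical endpoint hub.example.net:51820. Every key is a
# CONSTRUCTED placeholder; real ones come from: wg genkey | tee k | wg pubkey

SUBNET=192.168.10.0/24
HUB_ADDR=192.168.10.1
HUB_ENDPOINT=hub.example.net:51820
WG_IF=wg9

# Constructed sample peers, one per line: name:public_key:tunnel_address
PEERS='
alpha:ALPHA_PUBKEY_PLACEHOLDER=:192.168.10.2
bravo:BRAVO_PUBKEY_PLACEHOLDER=:192.168.10.3
charlie:CHARLIE_PUBKEY_PLACEHOLDER=:192.168.10.4
delta:DELTA_PUBKEY_PLACEHOLDER=:192.168.10.5
'

# Calls "$1 name pubkey address" once per peer; blank lines are skipped.
each_peer() {
    echo "$PEERS" | while IFS=: read -r name pub addr; do
        if [ -n "$name" ]; then "$1" "$name" "$pub" "$addr"; fi
    done
}

hub_peer_block() {  # name pubkey address
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Hub side: one [Peer] per client, AllowedIPs = that client's single /32.
# This is cryptokey routing, not only a route: the hub drops a decrypted
# packet whose source address lies outside the sending key's AllowedIPs,
# so a client cannot spoof another client's tunnel address via the hub.
hub_config() {
    cat <<EOF
[Interface]
PrivateKey = HUB_PRIVKEY_PLACEHOLDER=
Address = $HUB_ADDR/24
ListenPort = 51820
# Client-to-client traffic is forwarded by the hub: ip_forward must be on
# and FORWARD must accept wg->wg. Nothing towards other interfaces is opened.
PostUp = sysctl -q -w net.ipv4.ip_forward=1; iptables -A FORWARD -i $WG_IF -o $WG_IF -j ACCEPT
PostDown = iptables -D FORWARD -i $WG_IF -o $WG_IF -j ACCEPT
EOF
    each_peer hub_peer_block
}

# Spoke side: the hub is the only peer, with the whole tunnel subnet in
# AllowedIPs so packets for any other client are routed to, and accepted
# from, the hub.
spoke_config() {  # name address
    cat <<EOF
[Interface]
PrivateKey = ${1}_PRIVKEY_PLACEHOLDER=
Address = $2/24

[Peer]
PublicKey = HUB_PUBKEY_PLACEHOLDER=
Endpoint = $HUB_ENDPOINT
AllowedIPs = $SUBNET
PersistentKeepalive = 25
EOF
}

write_spoke() {  # name pubkey address
    spoke_config "$1" "$3" > "$OUT_DIR/$1-$WG_IF.conf"
}

write_configs() {  # $1 = output directory
    OUT_DIR=$1
    mkdir -p "$OUT_DIR"
    hub_config > "$OUT_DIR/hub-$WG_IF.conf"
    each_peer write_spoke
}

# Sanity check for a hub config: every AllowedIPs line must be a single /32.
# A wider prefix on the hub lets that peer originate packets as any address
# inside it. Returns 0 when clean, 1 otherwise.
check_hub_allowedips() {
    ! grep '^AllowedIPs' "$1" | grep -vq '/32$'
}
```

Usage: `write_configs ./out` produces hub-wg9.conf and one alpha-wg9.conf, bravo-wg9.conf, ... per client; `check_hub_allowedips ./out/hub-wg9.conf` should be run again after any hand edit to the hub file.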

* Re: Multiple peers
@ 2018-03-13 22:04   ` Tim Sedlmeyer
From: Tim Sedlmeyer @ 2018-03-13 22:04 UTC (permalink / raw)
  To: WireGuard mailing list

Another option instead of using the iptables rule is to create a network
namespace and assign the wireguard interface to it.

ip netns add mesh
ip link add wg0 type wireguard   # created in the init namespace first
ip link set wg0 netns mesh       # then moved; its UDP socket stays in init
ip -n mesh addr add x.x.x.x/24 dev wg0
ip netns exec mesh wg setconf wg0 /etc/wireguard/wg0.conf
ip -n mesh link set wg0 up

I prefer this because it isolates any mesh network routing and firewall
configuration from that of the physical interfaces of the hub server. You
don't have to worry about a routing or firewall misconfiguration on the hub
leading to the traffic from the vpn network going on to the hub server's
underlying network.

Also if you want to provide a service to the VPN network from the server you
can run the process in the mesh network namespace or inside a container with
only an interface in the mesh namespace available to it.

On Tue, Mar 13, 2018 at 1:35 PM,
<condor+wireguard-mailinglist@mailbox.org> wrote:
> Hi Gianluca,
>
>> I wonder if I need to copy/paste all peers' public key on all the other
>> peers' configuration, or I can just configure each peer to connect to the
>> server and then allow peers talking with other peers passing through this
>> server?
>
> If you want each peer to have a 1:1 connection to each other peer, then –
> yes. But to maintain such a mesh will be quite a bit of work…
>
> The easier solution should be to use the server as a hub. Make sure the
> AllowedIPs on the “clients” permit the subnet IP range you will be using,
> e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer
> should reflect the single address (/32) you are setting as interface address
> on the peer's side.
>
> To glue, add an iptables rule:
> iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT
>
>
> Kind regards,
> Peter
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

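The namespace approach from Tim's message, as an added example (not WireGuard project code) that fills in the two steps his command list leaves implicit: the interface must be created in the init namespace and only then moved, because WireGuard keeps its UDP socket in the namespace the interface was created in, which is exactly what lets the encrypted packets still use the hub's physical uplink while the decrypted side lives only in the namespace; and net.ipv4.ip_forward is per-namespace, so it has to be switched on inside "mesh" or spoke-to-spoke packets are dropped there. It assumes the names mesh and wg0 from the message, takes the hub's tunnel address as an argument, and expects /etc/wireguard/wg0.conf in `wg setconf` syntax (no wg-quick keys such as Address). Running it for real needs root and the wireguard module; with DRY_RUN=1 it prints the commands instead.

```shell
#!/bin/sh
# Hub interface in its own network namespace. Added example; not project code.
# Assumptions (not from the thread): namespace "mesh", interface wg0, hub
# tunnel address given as $1, /etc/wireguard/wg0.conf in wg-setconf syntax.
# DRY_RUN=1 prints the commands instead of executing them.

NS=mesh
WG_IF=wg0
WG_CONF=/etc/wireguard/$WG_IF.conf

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_mesh_ns() {  # $1 = hub tunnel address with prefix, e.g. 192.168.10.1/24
    run ip netns add "$NS"
    # Create the interface in the init namespace first and only then move it.
    # WireGuard binds its UDP socket in the namespace the interface was created
    # in, so encrypted traffic still leaves via the host's physical interfaces
    # while the decrypted side exists only inside "$NS".
    run ip link add "$WG_IF" type wireguard
    run ip link set "$WG_IF" netns "$NS"
    run ip -n "$NS" addr add "$1" dev "$WG_IF"
    run ip netns exec "$NS" wg setconf "$WG_IF" "$WG_CONF"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$WG_IF" up
    # Spoke-to-spoke packets are forwarded wg0 -> wg0 inside the namespace, so
    # ip_forward must be enabled there (the sysctl is per-namespace). Because
    # "$NS" holds no other interfaces, an open FORWARD policy here cannot leak
    # tunnel traffic onto the hub's underlying network.
    run ip netns exec "$NS" sysctl -q -w net.ipv4.ip_forward=1
}

# A service that should be reachable only over the VPN is started inside the
# namespace, e.g.: run ip netns exec "$NS" nginx
teardown_mesh_ns() {
    # Deleting the namespace removes wg0 and its socket with it.
    run ip netns del "$NS"
}
```

Usage: `setup_mesh_ns 192.168.10.1/24` on the hub (as root), `DRY_RUN=1 setup_mesh_ns 192.168.10.1/24` to review the sequence first, and `teardown_mesh_ns` to remove everything in one step.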

* Re: Multiple peers
@ 2018-03-15 15:05     ` Gianluca Gabrielli
From: Gianluca Gabrielli @ 2018-03-15 15:05 UTC (permalink / raw)
  To: Tim Sedlmeyer; +Cc: WireGuard mailing list

Thanks to both of you guys, really helpful! Especially **Network Namespace**
is a great feature that I didn't know about before.

Cheers,
Gianluca


* Re: Multiple peers
@ 2018-03-15 17:55       ` Germano Massullo
From: Germano Massullo @ 2018-03-15 17:55 UTC (permalink / raw)
  To: wireguard

Hi Gianluca, you may also want to read this example I explained on the Ninux
mailing list:
https://www.mail-archive.com/wireless@ml.ninux.org/msg20983.html

Best regards

