Development discussion of WireGuard
* [ wireguard-dev ] About configuring allowedip
From: Nicolas Prochazka @ 2017-02-23 13:03 UTC
  To: WireGuard mailing list


Hello, I'm trying to do this with WireGuard, without success:

peer1 ---> peer2   : config ok, works
peer3 ---> peer1   : config ok, works
peer3 ---> peer1 ---> peer2  : not ok.

I suspect the allowed-ip configuration, but none of my tests work.
Perhaps I must create two WireGuard interfaces on peer 1 and do
forwarding/routing?
I'm using IPv6 as the internal IP.

So my question is:
- two interfaces?
- specific magic allowedip?
( allowed ip is confusing for me; is it used for routing and for evicting
packets? )

Regards,
Nicolas


* Re: [ wireguard-dev ] About configuring allowedip
From: Dan Lüdtke @ 2017-02-23 13:41 UTC
  To: Nicolas Prochazka; +Cc: WireGuard mailing list

Nicolas: Could you provide the configuration files? Because from your
little graphic or schema I cannot even derive what you are configuring.
I guess there are some overlapping prefixes, maybe?

Jason: I think we are approaching the point in time when there will be a
-dev and a -users ML :)


* Re: [ wireguard-dev ] About configuring allowedip
From: Baptiste Jonglez @ 2017-02-23 21:16 UTC
  To: Nicolas Prochazka; +Cc: WireGuard mailing list


On Thu, Feb 23, 2017 at 02:03:37PM +0100, Nicolas Prochazka wrote:
> Hello, I'm trying to do this with WireGuard, without success:
> 
> peer1 ---> peer2   : config ok, works
> peer3 ---> peer1   : config ok, works
> peer3 ---> peer1 ---> peer2  : not ok.
> 
> I suspect the allowed-ip configuration, but none of my tests work.
> Perhaps I must create two WireGuard interfaces on peer 1 and do
> forwarding/routing?
> I'm using IPv6 as the internal IP.

It should work with a single interface for both peers, but you need to
activate forwarding in the kernel:

    # sysctl net.ipv6.conf.default.forwarding=1


* Re: [ wireguard-dev ] About configuring allowedip
From: Nicolas Prochazka @ 2017-02-24 10:41 UTC
  To: Dan Lüdtke; +Cc: WireGuard mailing list


Hello again,
my configuration:
ping peer1 --> peer2 : ok   ( on ipv6 wg0 )
ping peer3 --> peer1 : ok
ping peer3 --> peer1 --> peer2 : not ok.


On peer 1, forwarding is set:
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.forwarding = 1


Peer 1 : wg configuration

interface: wg0
  public key: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
  private key: (hidden)
  listening port: 6081

peer: dOXT9AvlEt9KSl3ricE12GuVa+U4XB0s1c92s8W+9VA=
  endpoint: 52.49.x.x:6081
  allowed ips: ::/0
  latest handshake: 8 seconds ago
  transfer: 71.29 KiB received, 60.28 KiB sent
  persistent keepalive: every 25 seconds

peer: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/WL75dasmTE/ko=
  endpoint: 10.10.0.69:6081
  allowed ips: fd00::baae:edff:fe72:5094/128
  latest handshake: 45 seconds ago
  transfer: 5.49 KiB received, 6.36 KiB sent


Peer 3 :


interface: wg0
  public key: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/WL75dasmTE/ko=
  private key: (hidden)
  listening port: 6081

peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
  endpoint: 10.10.99.230:6081
  allowed ips: ::/0
  latest handshake: 33 seconds ago
  transfer: 4.92 KiB received, 7.55 KiB sent
  persistent keepalive: every 25 seconds


Peer 2 :

interface: wg0
  public key: dOXT9AvlEt9KSl3ricE12GuVa+U4XB0s1c92s8W+9VA=
  private key: (hidden)
  listening port: 6081

peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
  endpoint: 77.156.x.x:58943
  allowed ips: fd00::eea8:6bff:fef9:23bc/128
  latest handshake: 1 minute, 43 seconds ago
  transfer: 52.59 KiB received, 79.01 KiB sent



* Re: [ wireguard-dev ] About configuring allowedip
From: Dan Lüdtke @ 2017-02-24 13:10 UTC
  To: Nicolas Prochazka; +Cc: WireGuard mailing list

Nicolas,

I drew your network including the allowed_ips restrictions.

> ping peer3 --> peer1 --> peer2 : not ok.

This cannot work! Peer 2 does not accept the source address from Peer 3.
Please review your allowed_ips settings. Draw the things on paper, make
Post-it notes representing the packets, including their destination
address and source address. Draw a little "firewall" on the tunnels
(the whitelist is allowed_ips, all the rest gets dropped!) and see if the
Post-it can make it through with its source address. Yes, this sounds
like child's play, but it works. I have taught complex firewalling and VPN
setups to lawyers and lawmakers this way. It helps understanding if a
simple diagram does not cut it.

Allowed IPs is probably the most complex thing WireGuard has to offer
from a user perspective. Rename it to Allowed Source Addresses in your
head and it becomes clearer.

HTH

Dan

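As an added illustration of the two roles of AllowedIPs that Dan and Nicolas arrive at (source-address whitelist on the way in, routing selector on the way out), together with Baptiste's point that the middle host must have kernel forwarding enabled, here is a small Python model of WireGuard's cryptokey routing run over the three configurations Nicolas posted. This is example code written for this page, not code from the thread or from the WireGuard project. Peer 1's and peer 3's tunnel addresses are taken from the allowed ips entries in the posted wg output; peer 2's own tunnel address does not appear in the thread, so fd00::2 is a constructed placeholder. The "fixed" variant (adding peer 3's /128 to the allowed ips of peer 1 on peer 2) is my reading of Dan's advice, not a change stated in the thread.

```python
"""Toy model of WireGuard cryptokey routing, applied to the configs in this thread.

AllowedIPs does two jobs for each peer:
  outbound - the destination address is matched (longest prefix wins) against
             every peer's AllowedIPs to pick the peer the packet is encrypted to;
  inbound  - after decryption, the packet is kept only if its SOURCE address
             lies inside the AllowedIPs of the peer it was received from.
Relaying through an intermediate host additionally needs that host's kernel
forwarding sysctl. The host routing table itself is not modelled here.
"""
import ipaddress
from dataclasses import dataclass, field

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network


@dataclass
class Node:
    name: str
    address: IPv6                    # the host's own tunnel address
    forwarding: bool = False         # net.ipv6.conf.*.forwarding on this host
    peers: dict = field(default_factory=dict)   # peer name -> [Net6, ...]

    def select_peer(self, dst):
        """Outbound role: longest-prefix match of dst over all peers' AllowedIPs."""
        best = None
        for peer, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accepts(self, from_peer, src):
        """Inbound role: is src inside the AllowedIPs configured for from_peer?"""
        return any(src in net for net in self.peers.get(from_peer, []))


def trace(nodes, src_name, dst, max_hops=4):
    """Follow one packet from src_name toward dst. Returns (outcome, node name)."""
    cur = nodes[src_name]
    src = cur.address                # the source address travels unchanged
    for _ in range(max_hops):
        nxt = cur.select_peer(dst)
        if nxt is None:
            return ("no_route", cur.name)
        hop = nodes[nxt]
        if not hop.accepts(cur.name, src):
            return ("dropped_source_not_allowed", hop.name)
        if hop.address == dst:
            return ("delivered", hop.name)
        if not hop.forwarding:
            return ("dropped_forwarding_disabled", hop.name)
        cur = hop
    return ("hop_limit", cur.name)


def build(peer2_allows_peer3=False, peer1_forwarding=True):
    """The three hosts as posted (from the wg show output), with two optional changes."""
    p1 = IPv6("fd00::eea8:6bff:fef9:23bc")  # peer 2's allowed ips entry for peer 1
    p3 = IPv6("fd00::baae:edff:fe72:5094")  # peer 1's allowed ips entry for peer 3
    p2 = IPv6("fd00::2")                    # constructed: peer 2's address is not in the thread
    peer1 = Node("peer1", p1, forwarding=peer1_forwarding,
                 peers={"peer2": [Net6("::/0")], "peer3": [Net6(f"{p3}/128")]})
    peer3 = Node("peer3", p3, peers={"peer1": [Net6("::/0")]})
    peer2_entry = [Net6(f"{p1}/128")]
    if peer2_allows_peer3:
        peer2_entry.append(Net6(f"{p3}/128"))   # proposed fix: also whitelist peer 3's address
    peer2 = Node("peer2", p2, peers={"peer1": peer2_entry})
    return {n.name: n for n in (peer1, peer2, peer3)}


if __name__ == "__main__":
    for label, nodes in (("as posted", build()), ("with fix on peer 2", build(True))):
        for a, b in (("peer1", "peer2"), ("peer3", "peer1"), ("peer3", "peer2"), ("peer2", "peer3")):
            print(f"{label:20} {a} -> {b}: {trace(nodes, a, nodes[b].address)}")
```

Run as posted, the first two paths deliver and the third is dropped by peer 2 because the source fd00::baae:edff:fe72:5094 is not inside the only entry (peer 1's /128) it has for peer 1, which is exactly Dan's diagnosis; the same missing entry also leaves peer 2 with no route for replies back to peer 3. With the extra /128 on peer 2 both directions deliver, and turning peer 1's forwarding off reproduces Baptiste's failure mode instead. The model ignores the kernel routing table, which on a real host must also send these fd00:: destinations into wg0 (wg-quick derives those routes from AllowedIPs).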

* Re: [ wireguard-dev ] About configuring allowedip
From: Nicolas Prochazka @ 2017-02-24 15:06 UTC
  To: Dan Lüdtke; +Cc: WireGuard mailing list


OK, thanks.
What is confusing me is that allowed ip is for:
- authorized source packets
- routing outgoing packets
and we can set allowedips with a lot of IP / netmask.
Regards,
Nicolas
