Development discussion of WireGuard
 help / color / Atom feed
* [PROPOSAL] wg-quick ip rule priority
@ 2020-04-05 17:37 vrein
  2020-04-10  7:39 ` aranea
  0 siblings, 1 reply; 2+ messages in thread
From: vrein @ 2020-04-05 17:37 UTC (permalink / raw)


Hi everyone!
I have some tiny proposal for wg-quick utility: adding priority for iproute2 routing rules

For linux.bash this should be as easy as this:
https://gitea.tort.icu/vrein/wireguard-tools/commit/0947dc76770a5d81ba39340ebe9189b80a92584c

My personal use case:
? I have two peers: A, B

A: allowed ips: 0.0.0.0/0, ::/0
B: allowed ips: 10.5.0.0/24

And I need have connection to every peer.
If those peers are added to the single interface - wg0,
? then all traffic would be intercepted with A peer "allowed ips" mask.


Quick fix for this, which I implemented on my pc
? is to add `ip rule` with priority lower than 32766 but higher than 0
? and higher than other wg interface for peer B.

So there is two interfaces:
? wg0 - which intercepts all traffic
? wg1 - routes all traffic for 10.5.0.0/24 subnet

Here what I have on my PC:
0:????? from all lookup local
125:??? from all fwmark 0xca58 lookup main
125:??? from all to 10.5.0.0/24 lookup 51800
10000:? not from all fwmark 0xca6c lookup 51820
10000:? from all lookup main suppress_prefixlength 0
32766:? from all lookup main
32767:? from all lookup default

Routing rules for wg1 could be added with `(Post|Pre)Up' directive.


PS:
Somehow, connectivity with both A and B peers were worked in single wg0 interface some time ago,
? but after few updates this feature stopped working.

Thank you for attention!




^ permalink raw reply	[flat|nested] 2+ messages in thread

* [PROPOSAL] wg-quick ip rule priority
  2020-04-05 17:37 [PROPOSAL] wg-quick ip rule priority vrein
@ 2020-04-10  7:39 ` aranea
  0 siblings, 0 replies; 2+ messages in thread
From: aranea @ 2020-04-10  7:39 UTC (permalink / raw)


On Sun, Apr 05, 2020 at 07:37:18PM +0200, vrein at tuta.io wrote:
> Hi everyone!
> I have some tiny proposal for wg-quick utility: adding priority for iproute2 routing rules
> 
> For linux.bash this should be as easy as this:
> https://gitea.tort.icu/vrein/wireguard-tools/commit/0947dc76770a5d81ba39340ebe9189b80a92584c

While I don't think it'd be a bad idea to support configurable rule
priorities if they're useful to someone, they shouldn't be neccessary
for the use case you described -- you can avoid the separate routing
rules for wg1 altogether.

All you should need to do is to add "FwMark = 51820" (or some other
arbitrary value, as long as it's identical for both wg tunnels) to the
config files of both wg interfaces. Then you end up with these ip rules
(taken from your post rather than an actual test):

0:????? from all lookup local
32764:? from all lookup main suppress_prefixlength 0
32765:? not from all fwmark 0xca6c lookup 51820
32766:? from all lookup main
32767:? from all lookup default

Furthermore, wg-quick would add an "0.0.0.0/0 dev wg0" route to table
51820, and "10.5.0.0/24 dev wg1" to the main table.

This would result in encrypted traffic using the routes in the main
table, traffic to 10.5.0.0/24 the wg1 tunnel, and everything else the
wg0 tunnel, exactly as intended by you.

> PS:
> Somehow, connectivity with both A and B peers were worked in single wg0 interface some time ago,
> ? but after few updates this feature stopped working.

It should indeed be possible to have both of these peers on the same wg
interface. If you're running into issues with that, please elaborate on
them here or pay us a visit on IRC (#wireguard on Freenode).


Luis


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-05 17:37 [PROPOSAL] wg-quick ip rule priority vrein
2020-04-10  7:39 ` aranea

Development discussion of WireGuard

Archives are clonable: git clone --mirror http://inbox.vuxu.org/wireguard

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git