Development discussion of WireGuard
 help / color / mirror / Atom feed
From: Simon Rozman <simon@rozman.si>
To: Stefan Puch <s.puch@web.de>,
	"wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: RE: Actual plans for Windows client: PostUp/PreDown possible?
Date: Wed, 11 Nov 2020 13:23:54 +0000
Message-ID: <224c7eee418740ccb94cc6839aadbbfe@rozman.si> (raw)
In-Reply-To: <b75d1ae6-9c37-99ec-1ef2-1166df108be6@web.de>

Hi,

Stefan, your feedback is greatly appreciated.

> While I like your suggested "always-on" solution for fixed desktop PCs I
> don't like the "work-around" for client laptops. A Task Scheduler which
> is trying every 3 minute to set a wiregurad tunnel when you are sitting
> in a train using a mobile connecting is nothing I'd like to see.

The "wg set peer endpoint" is very lightweight and makes no network requests. Nor it burns CPU/battery. It merely resets an IP address (4 bytes for IPv4, 16 for IPv6) inside the WireGuard tunnel peer list. Would have been even nicer if Task Scheduler could have a trigger "network connection changed". 

> I think
> there are also other scenarios where you just want to "click Connect
> button" on demand. E.g. when your company has multiple locations and you
> don't want (or cannot) use multiple VPN connections a the same time you
> will always have the "somewhat broken"
> network drives in the windows explorer too, since they weren't
> disconnected within a PreDown script.

Each WireGuard tunnel supports multiple peers (i.e. multiple company endpoints). 10.0.0.0/16 is office A, 10.1.0.0/16 is office B, etc. Just list them all in your tunnel config and your laptop should reach all those networks.

Maybe "tunnel" is not the best word to describe it. Imagine it as a "network", or a "mesh".

> Another problem (which I skipped so far) is related in point 4. of your
> suggestion and as I see this a also discussed within another thread here
> on the mailinglist. While a simple network drive can of cause be setp to
> a fixed IP adress to drive z: using fixed adresse is IMHO not a good
> solution.
> Like Yves Goergen pointed out in the thread "Add local DNS forwarder to
> Windows client" I'd like an option to add the remote DNS server to the
> serach list so that that I don't have to keep IP adresses in mind. But I
> think this discussion should be shifted to the other thread.

You may. But once you do add DNS line to your tunnel config, your client will exclusively use that DNS. All local and others are blocked. If your company DNS server does the forwarding too, this shouldn't be a problem. The down side is, you cannot access local LAN resources by name. But that is discussed in another thread, indeed.

Regards,
Simon


      reply	other threads:[~2020-11-11 13:24 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-04 23:14 Stefan Puch
2020-11-11  5:45 ` Simon Rozman
2020-11-11  9:50   ` Stefan Puch
2020-11-11 13:23     ` Simon Rozman [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=224c7eee418740ccb94cc6839aadbbfe@rozman.si \
    --to=simon@rozman.si \
    --cc=s.puch@web.de \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Development discussion of WireGuard

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/wireguard

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 wireguard wireguard/ http://inbox.vuxu.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git