* Wireguard on FreeBSD - a few questions
@ 2021-10-31 18:41 Frank Volf
From: Frank Volf @ 2021-10-31 18:41 UTC (permalink / raw)
To: wireguard
Hi,
This weekend I installed Wireguard on FreeBSD 13.0 and until now
everything seems to work fine (I use the kernel module).
Installation and configuration was easy and connecting with the Android
app works great as well.
I do have a few questions.
1) Is it possible on FreeBSD to enable some kind of logging? I made
a small configuration error with my first client and it was hard to find
the error, because there does not seem to be any logging at all. Some
logging information would be appreciated and probably would have pointed
me faster to the fact that I needed to switch two keys in my config.
2) I noticed that Wireguard uses a wildcard to listen to all IP
addresses on my multi-homed machine on its dedicated UDP port. I would
prefer if Wireguard would only bind to the specific IP address on the
outside interface that is designated for that use. Is this possible?
3) Final question: is it possible on the server side to restrict the
destinations that clients can connect to? I know that I can set the
AllowedIPs on the client side to restrict that, but that setting can be
changed at the client side. It would be nice if I could restrict
destinations at the server side (so client X can only connect to an IP
address of an internal server that it needs access to but nothing else).
I can probably use a stateful packet filtering firewall for this, but
would it be possible to configure this on the Wireguard server side
as well?
That said, I'm pleased with the first test results of Wireguard on
FreeBSD and hopefully it keeps on running fine. Great product!
Kind regards,
Frank
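A server-side pf ruleset of the kind question 3 alludes to, added here as an example; it is not part of the thread and not something the wireguard-freebsd project ships. It assumes the tunnel interface is wg0, the tunnel subnet is 10.0.0.0/24, "client X" has the tunnel address 10.0.0.2, and the only internal host it should reach is 192.168.1.10 on SSH and HTTPS; all four values are made up for the example. The filtering is keyed on the peer's tunnel source address, which the client cannot change unilaterally: the server's own AllowedIPs entry for the peer already discards packets from that peer whose source is outside the listed prefixes, so a pf match on `from 10.0.0.2` is anchored to the peer's key rather than to anything the client controls.

```pf
# Added example /etc/pf.conf fragment (not from the thread). Assumed values:
# wg0 = WireGuard interface, 10.0.0.2 = tunnel IP of client X,
# 192.168.1.10 = the one internal server client X needs.
wg_if        = "wg0"
client_x     = "10.0.0.2"
internal_srv = "192.168.1.10"

# Default deny for everything arriving from the tunnel; "log" sends the
# blocked packets to pflog0 so a misconfigured client shows up in tcpdump.
block in log on $wg_if all

# Client X may only reach the internal server on the ports it needs.
# "quick" stops rule evaluation on match, so these take precedence over the
# block above; "keep state" lets the replies back without extra rules.
pass in quick on $wg_if inet proto tcp from $client_x to $internal_srv port { 22, 443 } keep state
pass in quick on $wg_if inet proto icmp from $client_x to $internal_srv icmp-type echoreq keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; additional peers get their own `pass in quick` lines with their own tunnel address and destination. Because the block rule is written without `quick`, any later rule in the file that happens to match tunnel traffic will override it (pf uses last-match semantics), so keep the wg0 rules together and check the final rule order with `pfctl -sr`.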
* Re: Wireguard on FreeBSD - a few questions
From: Kyle Evans @ 2021-11-03 16:39 UTC (permalink / raw)
To: Frank Volf; +Cc: WireGuard mailing list
On Wed, Nov 3, 2021 at 5:55 AM Frank Volf <frank@deze.org> wrote:
>
>
> Hi,
>
> This weekend I installed Wireguard on FreeBSD 13.0 and until now
> everything seems to work fine (I use the kernel module).
> Installation and configuration was easy and connecting with the Android
> app works great as well.
>
Excellent, that's good to hear! :-)
> I do have a few questions.
>
> 1) Is it possible on FreeBSD to enable some kind of logging? I made
> a small configuration error with my first client and it was hard to find
> the error, because there does not seem to be any logging at all. Some
> logging information would be appreciated and probably would have pointed
> me faster to the fact that I needed to switch two keys in my config.
>
If you set 'debug' on the interface (`ifconfig wg0 debug`) then it'll
write some useful bits to syslog for your perusal.
> 2) I noticed that Wireguard uses a wildcard to listen to all IP
> addresses on my multi-homed machine on its dedicated UDP port. I would
> prefer if Wireguard would only bind to the specific IP address on the
> outside interface that is designated for that use. Is this possible?
>
> 3) Final question: is it possible on the server side to restrict the
> destinations that clients can connect to? I know that I can set the
> AllowedIPs on the client side to restrict that, but that setting can be
> changed at the client side. It would be nice if I could restrict
> destinations at the server side (so client X can only connect to an IP
> address of an internal server that it needs access to but nothing else).
> I can probably use a stateful packet filtering firewall for this, but
> would it be possible to configure this on the Wireguard server side
> as well?
>
For these last two, I'll defer to somebody else -- I'm not aware of
any such functionality on other platforms, but wireguard-freebsd will
follow suit if this is or will become an accepted concept elsewhere.
> That said, I'm pleased with the first test results of Wireguard on
> FreeBSD and hopefully it keeps on running fine. Great product!
>
Great, thanks for testing! =)
Kyle Evans
* Re: Wireguard on FreeBSD - a few questions
From: Frank Volf @ 2021-11-03 20:52 UTC (permalink / raw)
To: Kyle Evans; +Cc: WireGuard mailing list
Hi Kyle,
>> 1) Is it possible on FreeBSD to enable some kind of logging? I made
>> a small configuration error with my first client and it was hard to find
>> the error, because there does not seem to be any logging at all. Some
>> logging information would be appreciated and probably would have pointed
>> me faster to the fact that I needed to switch two keys in my config.
>>
> If you set 'debug' on the interface (`ifconfig wg0 debug`) then it'll
> write some useful bits to syslog for your perusal.
O.k., good to know this. It would be even better if this was documented;
I think an if_wg manual page for FreeBSD would be appropriate.
>> 2) I noticed that Wireguard uses a wildcard to listen to all IP
>> addresses on my multi-homed machine on its dedicated UDP port. I would
>> prefer if Wireguard would only bind to the specific IP address on the
>> outside interface that is designated for that use. Is this possible?
I think it is useful if you could bind Wireguard to use/listen on a
specific IP address, instead of the wildcard.
For example, for my tests I used a secondary (alias) IP address on a
server as the entry point for Wireguard tunnels.
However, if the server starts a session to the client (or tries to check
if the client is still alive), it uses the primary interface address
instead.
Binding it to a specific IP address would solve this.
Kind regards,
Frank