Development discussion of WireGuard
* AllowedIPs
@ 2020-08-29 16:07 Aaron Bolton
  2020-08-29 23:16 ` AllowedIPs Eric Light
  0 siblings, 1 reply; 11+ messages in thread
From: Aaron Bolton @ 2020-08-29 16:07 UTC (permalink / raw)
  To: wireguard

I’m trying to understand AllowedIPs better. Is it effectively an ACL
that says what is allowed down the tunnel, or is it a mechanism to
configure what addresses get routed down the tunnel?

Thanks in advance

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: AllowedIPs
  2020-08-29 16:07 AllowedIPs Aaron Bolton
@ 2020-08-29 23:16 ` Eric Light
  2020-08-30  8:56   ` AllowedIPs Aaron Bolton
  0 siblings, 1 reply; 11+ messages in thread
From: Eric Light @ 2020-08-29 23:16 UTC (permalink / raw)
  To: wireguard

I believe it's both, in a way.

As far as wg is concerned, the AllowedIPs is effectively an ACL.  Any traffic hitting your wireguard interface from an IP not within the AllowedIPs will either be dropped on decryption, or won't even be decrypted.  (It's one of these, but I can't remember which)

On top of that, wg-quick interprets the AllowedIPs string and does other things, such as adding appropriate network routing (the second part of your guess), as well as modifying any client firewall rules to permit the traffic.

Hope this helps  :)

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: AllowedIPs
  2020-08-29 23:16 ` AllowedIPs Eric Light
@ 2020-08-30  8:56   ` Aaron Bolton
  2020-08-30  9:00     ` AllowedIPs Eric Light
  2020-08-30 19:08     ` AllowedIPs Eddie
  0 siblings, 2 replies; 11+ messages in thread
From: Aaron Bolton @ 2020-08-30  8:56 UTC (permalink / raw)
  To: Eric Light; +Cc: wireguard

Yes, this does, thanks.

I plan on using Quagga for BGP over WireGuard tunnels, so I guess I
need to avoid wg-quick if that makes changes to the routing table and
firewall, as I want to manage those myself.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: AllowedIPs
  2020-08-30  8:56   ` AllowedIPs Aaron Bolton
@ 2020-08-30  9:00     ` Eric Light
  2020-08-30  9:55       ` AllowedIPs Aaron Bolton
  2020-08-30 19:08     ` AllowedIPs Eddie
  1 sibling, 1 reply; 11+ messages in thread
From: Eric Light @ 2020-08-30  9:00 UTC (permalink / raw)
  To: Aaron Bolton; +Cc: wireguard

Ah yep, I haven't done that before, but Quagga has made many appearances on this list... And you're right, that's pretty much the time when folks stop working with wg-quick!  :-D

Good luck!

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: AllowedIPs
  2020-08-30  9:00     ` AllowedIPs Eric Light
@ 2020-08-30  9:55       ` Aaron Bolton
  2020-08-30 10:04         ` AllowedIPs Eric Light
  2020-08-30 11:01         ` AllowedIPs Tomcsanyi, Domonkos
  0 siblings, 2 replies; 11+ messages in thread
From: Aaron Bolton @ 2020-08-30  9:55 UTC (permalink / raw)
  To: 'Eric Light'; +Cc: wireguard

What would be the best way to bring up and down the wireguard interface without using wg-quick?

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: AllowedIPs
  2020-08-30  9:55       ` AllowedIPs Aaron Bolton
@ 2020-08-30 10:04         ` Eric Light
  2020-08-30 10:34           ` AllowedIPs Aaron Bolton
  2020-08-30 11:01         ` AllowedIPs Tomcsanyi, Domonkos
  1 sibling, 1 reply; 11+ messages in thread
From: Eric Light @ 2020-08-30 10:04 UTC (permalink / raw)
  To: Aaron Bolton; +Cc: wireguard

Probably worth having a poke around the source code for wg-quick; it's just bash, and it can really show you what's happening far better than I can! :) 

If you have a look at the "up" and "down" commands in there, you should learn everything you need to know. 

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: AllowedIPs
  2020-08-30 10:04         ` AllowedIPs Eric Light
@ 2020-08-30 10:34           ` Aaron Bolton
  0 siblings, 0 replies; 11+ messages in thread
From: Aaron Bolton @ 2020-08-30 10:34 UTC (permalink / raw)
  To: 'Eric Light'; +Cc: wireguard

Perfect :) thanks I didn't realise it was just a bash file 

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: AllowedIPs
  2020-08-30  9:55       ` AllowedIPs Aaron Bolton
  2020-08-30 10:04         ` AllowedIPs Eric Light
@ 2020-08-30 11:01         ` Tomcsanyi, Domonkos
  1 sibling, 0 replies; 11+ messages in thread
From: Tomcsanyi, Domonkos @ 2020-08-30 11:01 UTC (permalink / raw)
  To: Aaron Bolton; +Cc: Eric Light, wireguard

Maybe using the ip command, e.g. ip link set dev wg0 up/down?

Cheers,
Domi

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: AllowedIPs
  2020-08-30  8:56   ` AllowedIPs Aaron Bolton
  2020-08-30  9:00     ` AllowedIPs Eric Light
@ 2020-08-30 19:08     ` Eddie
  2020-08-30 19:52       ` AllowedIPs Aaron Bolton
  1 sibling, 1 reply; 11+ messages in thread
From: Eddie @ 2020-08-30 19:08 UTC (permalink / raw)
  Cc: wireguard

Wouldn't using Table = off do everything you need, without touching the
routing?

Cheers.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: AllowedIPs
  2020-08-30 19:08     ` AllowedIPs Eddie
@ 2020-08-30 19:52       ` Aaron Bolton
  0 siblings, 0 replies; 11+ messages in thread
From: Aaron Bolton @ 2020-08-30 19:52 UTC (permalink / raw)
  To: stunnel; +Cc: wireguard

Funny you suggest that :) I just found that option a couple of hours ago 

^ permalink raw reply	[flat|nested] 11+ messages in thread
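
An added example, not written by any poster in this thread and not WireGuard's own code: a small Python model of how the wg interface itself uses AllowedIPs, which relates both to the "effectively an ACL" explanation and to the Table = off suggestion above. Table = off only concerns what wg-quick writes to the routing table; the per-peer AllowedIPs check modelled here still applies. The peer names, addresses and class names are constructed for illustration.

```python
import ipaddress


class Peer:
    def __init__(self, name, allowed_ips):
        self.name = name  # stand-in for the peer's public key
        self.nets = [ipaddress.ip_network(c) for c in allowed_ips]


class WgInterface:
    """Toy model of the per-interface AllowedIPs table (not WireGuard's code)."""

    def __init__(self, peers):
        self.peers = peers

    def _lookup(self, addr):
        """Longest-prefix match of addr over every peer's AllowedIPs."""
        ip = ipaddress.ip_address(addr)
        best_peer, best_len = None, -1
        for peer in self.peers:
            for net in peer.nets:
                if net.version == ip.version and ip in net and net.prefixlen > best_len:
                    best_peer, best_len = peer, net.prefixlen
        return best_peer

    def send(self, dst):
        """Outbound: the inner destination selects the peer. No match means
        the packet is not sent, whatever the kernel routing table says."""
        peer = self._lookup(dst)
        return peer.name if peer else None

    def receive(self, from_peer, inner_src):
        """Inbound: the packet has already authenticated and decrypted under
        from_peer's session; its inner source must map back to that peer."""
        owner = self._lookup(inner_src)
        return owner is not None and owner.name == from_peer


# Constructed sample: a hub interface with two peers.
hub = WgInterface([
    Peer("site-a", ["10.0.0.2/32", "192.168.10.0/24"]),
    Peer("site-b", ["10.0.0.3/32", "192.168.20.0/24"]),
])

# Constructed sample: one interface per routing neighbour, AllowedIPs wide open,
# so the kernel routing table (static, or written by a routing daemon) decides.
p2p = WgInterface([Peer("bgp-neighbour", ["0.0.0.0/0", "::/0"])])


def demo():
    return {
        "hub -> 192.168.10.7": hub.send("192.168.10.7"),
        "hub -> 172.16.5.1 (route exists only in kernel)": hub.send("172.16.5.1"),
        "site-a sends src 192.168.10.7": hub.receive("site-a", "192.168.10.7"),
        "site-a sends src 192.168.20.9": hub.receive("site-a", "192.168.20.9"),
        "p2p -> 172.16.5.1": p2p.send("172.16.5.1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
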

* AllowedIPs
@ 2023-10-21  1:29 Darryl Yeoh
  0 siblings, 0 replies; 11+ messages in thread
From: Darryl Yeoh @ 2023-10-21  1:29 UTC (permalink / raw)
  To: wireguard

Hi lists,

I've a Debian 11 box in my LAN set up as a WG client. When I set:

AllowedIPs 0.0.0.0/0, ::/0


everything works.


However when I set:

AllowedIPs 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1


nothing works. Like ping/dig/curl just hangs until I hit Ctrl+c to 
return to prompt.


When I test this config on my Android phone, it works with both of the 
AllowedIPs.

Seems odd. Any ideas ?


Regards,

-Darryl


^ permalink raw reply	[flat|nested] 11+ messages in thread

Thread overview: 11+ messages
2020-08-29 16:07 AllowedIPs Aaron Bolton
2020-08-29 23:16 ` AllowedIPs Eric Light
2020-08-30  8:56   ` AllowedIPs Aaron Bolton
2020-08-30  9:00     ` AllowedIPs Eric Light
2020-08-30  9:55       ` AllowedIPs Aaron Bolton
2020-08-30 10:04         ` AllowedIPs Eric Light
2020-08-30 10:34           ` AllowedIPs Aaron Bolton
2020-08-30 11:01         ` AllowedIPs Tomcsanyi, Domonkos
2020-08-30 19:08     ` AllowedIPs Eddie
2020-08-30 19:52       ` AllowedIPs Aaron Bolton
2023-10-21  1:29 AllowedIPs Darryl Yeoh
