From: "Tomcsanyi, Domonkos" <domi@tomcsanyi.net>
To: jrun <darwinskernel@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: wg trunk (TM) traffic isolation: VRF vs netns
Date: Tue, 22 Dec 2020 20:23:25 +0100
Message-ID: <58C6C0BE-F073-459F-92C6-F37CA78F4E24@tomcsanyi.net>
In-Reply-To: <20201220192149.bojbghrxm6g3yq7q@p51>
Hi,
Using different network ranges for different groups of people + applying correct iptables rules shall be a simple solution, utilizing a single WG interface. People will get a static IP assigned in their respective range, so they are not allowed to use anything else as a source address, so they cannot circumvent iptables.
Cheers,
Domi
> On 22.12.2020, at 16:36, jrun <darwinskernel@gmail.com> wrote:
>
>
> hello,
>
> my use case is, if possible, to provide vpn to friends and family and also
> peering with other wg nodes (work etc). this obviously needs traffic isolation
> and i have thought about it for a while but don't have a definitive answer.
>
> 1. one way i thought of doing it is to have a point-to-point (dedicated wg interface
> for each user) solution.
>
> 2. the other is to group interfaces based on the category of users (think friends
> vs family vs even work).
>
> they both probably need writing up something for set-up and tear-down of each of the
> interfaces which should be fine but both would need a way of isolating traffic;
> either between individual users' interfaces or between group interfaces. there is
> also the question of ACL'ing the site-to-site traffic for each group and/or
> user.
>
> for this i've looked into VRF and netns; this has been brought up before
> here and in other places but i don't seem to be able to find the conclusion:
> https://lists.zx2c4.com/pipermail/wireguard/2017-September/001706.html
>
> from outside it looks like cumulus devs like their VRF, and wireguard devs lean
> towards recommending netns
>
> https://www.wireguard.com/netns/
>
> that^ link is not a solution for me but i can think of ways to use netns for
> my case.
>
>
> thoughts?
>
> - jrun
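The single-interface layout Domi describes, as an added example that is not part of the thread: constructed group ranges, a /32 AllowedIPs per peer so each user is pinned to one source address, and the FORWARD rules that keep the ranges apart, plus a small first-match walk over those rules to check the policy before loading it. The interface name wg0, the ranges, the peer names and the key placeholders are all assumptions.

```python
import ipaddress

WG_IF = "wg0"  # assumed interface name
# Constructed group table (not from the thread): one address range per group.
GROUPS = {
    "friends": ipaddress.ip_network("10.10.1.0/24"),
    "family": ipaddress.ip_network("10.10.2.0/24"),
    "work": ipaddress.ip_network("10.10.3.0/24"),
}
# Constructed peers: (name, group, static address, public key placeholder).
PEERS = [
    ("alice", "friends", "10.10.1.2", "<ALICE_PUBKEY>"),
    ("bob", "family", "10.10.2.2", "<BOB_PUBKEY>"),
    ("office-gw", "work", "10.10.3.2", "<OFFICE_PUBKEY>"),
]

def address_in_group(group, addr):
    """True if addr lies inside the range assigned to group."""
    return ipaddress.ip_address(addr) in GROUPS[group]

def peer_sections(peers=PEERS):
    """One [Peer] block per user with a /32 AllowedIPs. WireGuard drops decrypted
    packets whose inner source is not in the sender's AllowedIPs, so the /32 pins
    each user to one address and blocks borrowing another group's range."""
    out = []
    for name, group, addr, pubkey in peers:
        if not address_in_group(group, addr):
            raise ValueError(f"{name}: {addr} is outside the {group} range")
        out.append(f"# {name} ({group})\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {addr}/32")
    return out

def forward_rules():
    """FORWARD chain for wg0 -> wg0 traffic: allow within one group's range,
    drop anything crossing between ranges (first match wins)."""
    rules = [f"iptables -A FORWARD -i {WG_IF} -o {WG_IF} -s {n} -d {n} -j ACCEPT"
             for n in GROUPS.values()]
    rules.append(f"iptables -A FORWARD -i {WG_IF} -o {WG_IF} -j DROP")
    return rules

def forwarded(src, dst):
    """Walk forward_rules() the way netfilter would and report the verdict."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in forward_rules():
        tok = rule.split()
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        src_ok = "-s" not in opt or src in ipaddress.ip_network(opt["-s"])
        dst_ok = "-d" not in opt or dst in ipaddress.ip_network(opt["-d"])
        if src_ok and dst_ok:
            return opt["-j"] == "ACCEPT"
    return False  # chain policy assumed to be DROP
```

Traffic leaving wg0 towards other interfaces (jrun's site-to-site ACLs) needs its own per-range rules; this block only covers peer-to-peer hairpin traffic on the one interface.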
Thread overview: 3+ messages
2020-12-20 19:21 jrun
2020-12-22 19:23 ` Tomcsanyi, Domonkos [this message]
2020-12-23 13:55 ` Matthias Urlichs