From: Aaron Jones <aaronmdjones@gmail.com>
To: Roman Mamedov <rm@romanrm.net>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Reconciling "cryptokey-based" and regular routing
Date: Fri, 16 Mar 2018 17:35:21 +0000
Message-ID: <775e120b-b0cc-bf79-f4e1-b555dd5a5fab@gmail.com>
In-Reply-To: <20180316220111.594ee06f@natsu>
On 16/03/18 17:01, Roman Mamedov wrote:
> Hello,
>
> I need to have multiple gateways on my WG network that can provide
> access to the entire IPv4 (or IPv6) Internet, for redundancy and
> load-balancing purposes.
>
> In WG terms this means I need to set AllowedIPs to 0.0.0.0/0 on
> more than one peer. Then I would add routes into the regular
> routing table for various destinations,
>
> ip -4 route add 8.8.8.8 via 10.0.0.1
> ip -4 route add 8.8.4.4 via 10.0.0.2
>
> or
>
> ip -4 route add default \
>     nexthop via 10.0.0.1 weight 1 \
>     nexthop via 10.0.0.2 weight 1
>
> or whatever.
WireGuard is a layer 3 interface; there is no ARP/NDP or other layer 2
semantics. This means "via foo" doesn't mean anything and is pointless.
> But as documentation and some testing show, this can't really work
> in WG's "cryptokey-routing" system. If multiple hosts have
> 0.0.0.0/0 as allowed IPs, WG just sends everything to a random one
> of them (the first one?), disregarding all of the routing table
> settings from the examples above.
If you add a duplicate AllowedIPs to a peer, it will remove it from the
previous peer, so the "order" is "most recently-configured".
> Is there any possibility to still use multiple routers like that?
Use multiple WireGuard interfaces.
--
Aaron Jones
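As an added illustration (not Aaron's or the WireGuard project's code), a small Python model of one interface's cryptokey routing table: each AllowedIPs prefix belongs to exactly one peer, re-adding a prefix moves it to the most recently configured peer, and outbound lookups use longest-prefix match on the destination address rather than the kernel routing table. Peer names, prefixes and the `demo()` helper are constructed for the example.

```python
import ipaddress


class CryptokeyTable:
    """Model of a single WireGuard interface's AllowedIPs table.

    Illustrative only, not the kernel's data structure: peers are plain
    strings, prefixes are IP networks, lookups are longest-prefix match.
    """

    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def add_allowed_ip(self, peer, prefix):
        """Assign prefix to peer; returns the peer that previously held it."""
        net = ipaddress.ip_network(prefix)
        previous = self.routes.get(net)
        # A prefix can only map to one peer, so adding it to a second peer
        # silently takes it away from the first ("most recently configured").
        self.routes[net] = peer
        return previous

    def lookup(self, dst):
        """Select the peer for a destination; None means the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None


def demo():
    table = CryptokeyTable()
    table.add_allowed_ip("gateway-a", "0.0.0.0/0")
    # Second default route: gateway-a loses 0.0.0.0/0, gateway-b wins.
    table.add_allowed_ip("gateway-b", "0.0.0.0/0")
    both_default = table.lookup("8.8.8.8")
    # Per-destination steering inside ONE interface is done with a more
    # specific AllowedIPs prefix, not with "via" in the routing table.
    table.add_allowed_ip("gateway-a", "8.8.8.8/32")
    return both_default, table.lookup("8.8.8.8"), table.lookup("8.8.4.4")
```

Equal-cost balancing of a whole default route across two gateways is not expressible this way, which is why the reply above points to one interface per gateway.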