Development discussion of WireGuard
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Adrian Sevcenco <adrian.sev@gmail.com>,
	WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
Date: Tue, 26 Jun 2018 12:56:53 +0200	[thread overview]
Message-ID: <87o9fxn7d6.fsf@toke.dk> (raw)
In-Reply-To: <b4b972dc-7852-4b43-0015-2963437e1de3@gmail.com>

Adrian Sevcenco <adrian.sev@gmail.com> writes:

> On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>
>>> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>>>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>>>
>>>>> Hi! It seems that AllowedIPs declaration gets erased when peers are
>>>>> added with addconf
>>>>
>>>> You can't have the same AllowedIPs for two different peers... :)
>>>
>>> Err... so, it's a bug or a feature?
>>
>> A feature. The AllowedIPs controls which IP addresses will be routed to
>> that peer. They refer to addresses inside the tunnel. So depending on
>> your setup you'd specify the single IP you assign each peer, or possibly
>> any subnets behind that peer you want routed through the tunnel.
> Then, how can I set a default allow-everything for each peer? Should I
> make a different tunnel for each peer?

Yes, if you want point-to-point links where all traffic is sent to a
single other peer, you'll need separate interfaces.

If you want a road warrior type setup, where client devices connect to a
server and use that as a default gateway, you'd assign each client a
single IP (inside the tunnel) and put that in each peer config's
allowedips. The clients can then all have 0.0.0.0/0 as allowedip of the
server.

> But given your explanation I still feel that it is a bug that when an
> AllowedIPs is declared with the addition of a second peer the declaration
> from the first peer gets erased ...

Well, the UI can be surprising, sure, but the alternative would be to
report an error if you try to set the same allowedIP on different peers,
which is not necessarily better. And it's not a bug in that it is
intentional behaviour ;)

> It should be either a global setting per tunnel OR an individual setting
> per peer (in which case it should stay set)

I think the point of confusion is that it is called 'allowedips', but it
really means 'ips that are allowed from this peer *and* routed to this
peer'. I.e., it is also a routing table. See
https://www.wireguard.com/#cryptokey-routing


-Toke
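A small model of the cryptokey routing semantics described in this thread, added here as an illustration (it is not code from the thread or from WireGuard itself; peer names and addresses are constructed). It shows why giving two peers the same AllowedIPs moves the prefix to the second peer, and how the road-warrior layout (one /32 per client on the server, 0.0.0.0/0 for the server on each client) avoids the collision:

```python
import ipaddress


class CryptokeyRoutingTable:
    """Toy model of WireGuard's cryptokey routing: every allowed prefix
    belongs to exactly one peer, so it is both an inbound source filter
    and an outbound routing table."""

    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def add_peer(self, peer, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self.routes[net] = peer  # last writer wins: earlier owner loses it

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self.routes.items() if p == peer)

    def route(self, dst):
        """Outbound: longest-prefix match from destination IP to peer."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept(self, peer, src):
        """Inbound: a decrypted packet from `peer` is dropped unless its
        source IP routes back to that same peer (anti-spoofing)."""
        return self.route(src) == peer


def demo_clobber():
    # Constructed: both peers configured with 0.0.0.0/0, as in the thread.
    t = CryptokeyRoutingTable()
    t.add_peer("peer1", ["0.0.0.0/0"])
    t.add_peer("peer2", ["0.0.0.0/0"])
    return t.allowed_ips("peer1"), t.allowed_ips("peer2")  # peer1 ends up empty


def demo_road_warrior():
    # Constructed: server holds one /32 per client; clients point 0.0.0.0/0 at the server.
    server = CryptokeyRoutingTable()
    server.add_peer("laptop", ["10.0.0.2/32"])
    server.add_peer("phone", ["10.0.0.3/32"])
    client = CryptokeyRoutingTable()
    client.add_peer("server", ["0.0.0.0/0"])
    return server, client
```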
