* wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Adrian Sevcenco @ 2018-06-25 19:51 UTC
To: WireGuard mailing list

Hi! It seems that the AllowedIPs declaration gets erased when peers are added with addconf.

So, we have the interface:

  wg showconf wg0
  [Interface]
  ListenPort = 43333
  PrivateKey = <XXX>

and we add a peer:

  wg addconf wg0 hal.conf.p1

  [Monday 25.06.18 22:48] root@sev : /etc/wireguard/peers_server $ wg showconf wg0
  [Interface]
  ListenPort = 43333
  PrivateKey = KLLZ9i4ffUeCv+e6cs7V7+jKM3KJtgaRkEbt52UCcEU=
  [Peer]
  PublicKey = /azluhJf0RYaIxu6rHRHx6+fKfivwOnKVp9Naefgsk0=
  AllowedIPs = 0.0.0.0/0

Then we add a second peer:

  wg addconf wg0 x360.conf.p2

  [Monday 25.06.18 22:49] root@sev : /etc/wireguard/peers_server $ wg showconf wg0
  [Interface]
  ListenPort = 43333
  PrivateKey = KLLZ9i4ffUeCv+e6cs7V7+jKM3KJtgaRkEbt52UCcEU=
  [Peer]
  PublicKey = /azluhJf0RYaIxu6rHRHx6+fKfivwOnKVp9Naefgsk0=
  Endpoint = 79.115.160.101:43333
  [Peer]
  PublicKey = 0bC+LP/8fsjjn9RSdq+Bz1qdgPRV3CYE/4fEiOqjrC4=
  AllowedIPs = 0.0.0.0/0

The AllowedIPs declaration was erased from the first peer. The file contents:

  [Monday 25.06.18 22:49] root@sev : /etc/wireguard/peers_server $ cat hal.conf.p1
  [Peer]
  PublicKey = /azluhJf0RYaIxu6rHRHx6+fKfivwOnKVp9Naefgsk0=
  AllowedIPs = 0.0.0.0/0

  [Monday 25.06.18 22:50] root@sev : /etc/wireguard/peers_server $ cat x360.conf.p2
  [Peer]
  PublicKey = 0bC+LP/8fsjjn9RSdq+Bz1qdgPRV3CYE/4fEiOqjrC4=
  AllowedIPs = 0.0.0.0/0

Thank you!
Adrian
* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Toke Høiland-Jørgensen @ 2018-06-25 19:55 UTC
To: Adrian Sevcenco, WireGuard mailing list

Adrian Sevcenco <adrian.sev@gmail.com> writes:

> Hi! It seems that AllowedIPs declaration gets erased when peers are
> added with addconf

You can't have the same AllowedIPs for two different peers... :)

-Toke
* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Adrian Sevcenco @ 2018-06-25 20:00 UTC
To: Toke Høiland-Jørgensen, WireGuard mailing list

On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>
>> Hi! It seems that AllowedIPs declaration gets erased when peers are
>> added with addconf
>
> You can't have the same AllowedIPs for two different peers... :)

Err... so, is it a bug or a feature? If it is a feature, how can I make the
server accept whatever IP the client(s) get in various networks?

Thank you!
Adrian
* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Toke Høiland-Jørgensen @ 2018-06-25 20:37 UTC
To: Adrian Sevcenco, WireGuard mailing list

Adrian Sevcenco <adrian.sev@gmail.com> writes:

> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>
>>> Hi! It seems that AllowedIPs declaration gets erased when peers are
>>> added with addconf
>>
>> You can't have the same AllowedIPs for two different peers... :)
>
> Err... so, is it a bug or a feature?

A feature. The AllowedIPs controls which IP addresses will be routed to
that peer. They refer to addresses inside the tunnel. So depending on
your setup you'd specify the single IP you assign each peer, or possibly
any subnets behind that peer you want routed through the tunnel.

> If it is a feature, how can I make the server accept whatever IP the
> client(s) get in various networks?

Changing IPs *on the outside* of the tunnel will be accepted
automatically. The Endpoint specifier is only the initial address; if a
device changes its IP, it'll just keep sending packets from the new IP,
and because they are authenticated by the crypto, the other peer will
accept them and change its notion of what IP the other peer is
reachable at automatically. So as long as only one peer changes its IP
at a time, roaming mostly just works :)

-Toke
* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Adrian Sevcenco @ 2018-06-26 7:34 UTC
To: Toke Høiland-Jørgensen, WireGuard mailing list

On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>
>> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>>
>>>> Hi! It seems that AllowedIPs declaration gets erased when peers are
>>>> added with addconf
>>>
>>> You can't have the same AllowedIPs for two different peers... :)
>>
>> Err... so, is it a bug or a feature?
>
> A feature. The AllowedIPs controls which IP addresses will be routed to
> that peer. They refer to addresses inside the tunnel. So depending on
> your setup you'd specify the single IP you assign each peer, or possibly
> any subnets behind that peer you want routed through the tunnel.

Then, how can I set a default allow everything for each peer? Should I
make a different tunnel for each peer?

But given your explanation I still feel that it is a bug that when an
AllowedIPs is declared with the addition of a second peer, the declaration
from the first peer gets erased ... It should be either a global setting
per tunnel OR an individual setting per peer (in which case it should
stay set).

Thank you!!
Adrian

>
>> If it is a feature, how can I make the server accept whatever IP the
>> client(s) get in various networks?
>
> Changing IPs *on the outside* of the tunnel will be accepted
> automatically. The Endpoint specifier is only the initial address; if a
> device changes its IP, it'll just keep sending packets from the new IP,
> and because they are authenticated by the crypto, the other peer will
> accept them and change its notion of what IP the other peer is
> reachable at automatically. So as long as only one peer changes its IP
> at a time, roaming mostly just works :)
>
> -Toke
* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Eric Light @ 2018-06-26 7:44 UTC
To: Adrian Sevcenco; Cc: wireguard

Hi, Adrian!

The reason you can't have the _same_ AllowedIPs for two different peers is
because that's what's used to set the routes. How can you set two different
routes for the same destination?

So, because you're trying to set 0.0.0.0/0, there can only ever be one peer
at the end of that route.

What you need to do is set a more precise range for the AllowedIPs. For
example, 192.168.100.0/24 and 192.168.101.0/24 (for two hosts on different
networks), or 192.168.88.200/32 and 192.168.88.201/32 (for two hosts on the
same network).

Then if you want one host that just *everything else* tunnels through, you
can set a 0.0.0.0/0 - which behaves as your default route.

Hope that helps :)
Eric

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Tue, 26 Jun 2018, at 19:34, Adrian Sevcenco wrote:
> Then, how can I set a default allow everything for each peer? Should I
> make a different tunnel for each peer?
>
> But given your explanation I still feel that it is a bug that when an
> AllowedIPs is declared with the addition of a second peer, the declaration
> from the first peer gets erased ... It should be either a global setting
> per tunnel OR an individual setting per peer (in which case it should
> stay set).
>
> Thank you!!
> Adrian
* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Matthias Urlichs @ 2018-06-26 8:13 UTC
To: wireguard

On 26.06.2018 09:34, Adrian Sevcenco wrote:
> Then, how can I set a default allow everything for each peer? Should I
> make a different tunnel for each peer?

Why would you want to? You need IP routing information for each peer,
just like you need their public key. You can't have two peers / networks /
whatever with the same IP address or address range. That's always been
the case, wireguard or no wireguard.

--
-- Matthias Urlichs
* Re: wg addconf :: AllowedIPs gets deleted with the additions of peers
From: Toke Høiland-Jørgensen @ 2018-06-26 10:56 UTC
To: Adrian Sevcenco, WireGuard mailing list

Adrian Sevcenco <adrian.sev@gmail.com> writes:

> On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>
>>> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>>>> Adrian Sevcenco <adrian.sev@gmail.com> writes:
>>>>
>>>>> Hi! It seems that AllowedIPs declaration gets erased when peers are
>>>>> added with addconf
>>>>
>>>> You can't have the same AllowedIPs for two different peers... :)
>>>
>>> Err... so, is it a bug or a feature?
>>
>> A feature. The AllowedIPs controls which IP addresses will be routed to
>> that peer. They refer to addresses inside the tunnel. So depending on
>> your setup you'd specify the single IP you assign each peer, or possibly
>> any subnets behind that peer you want routed through the tunnel.
>
> Then, how can I set a default allow everything for each peer? Should I
> make a different tunnel for each peer?

Yes, if you want point-to-point links where all traffic is sent to a
single other peer, you'll need separate interfaces.

If you want a road warrior type setup, where client devices connect to a
server and use that as a default gateway, you'd assign each client a
single IP (inside the tunnel) and put that in each peer config's
allowedips. The clients can then all have 0.0.0.0/0 as allowedip of the
server.

> But given your explanation I still feel that it is a bug that when an
> AllowedIPs is declared with the addition of a second peer, the declaration
> from the first peer gets erased ...

Well, the UI can be surprising, sure, but the alternative would be to
report an error if you try to set the same allowedIP on different peers,
which is not necessarily better. And it's not a bug in that it is
intentional behaviour ;)

> It should be either a global setting per tunnel OR an individual setting
> per peer (in which case it should stay set)

I think the point of confusion is that it is called 'allowedips', but it
really means 'ips that are allowed from this peer *and* routed to this
peer'. I.e., it is also a routing table. See
https://www.wireguard.com/#cryptokey-routing

-Toke
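The cryptokey-routing behaviour described in Toke's and Eric's replies (one owner per prefix, longest-prefix match on the way out, source-address check on the way in), as an added example that is not WireGuard's own code. The peer names hal and x360 and the 0.0.0.0/0 and /32 prefixes come from the thread; the router class itself is a constructed model of the table, not the kernel's implementation.

```python
import ipaddress
from typing import List, Optional


class CryptokeyRouter:
    """Toy model of WireGuard's cryptokey routing table (added example, not
    WireGuard's own code). Every AllowedIPs prefix belongs to exactly one peer."""

    def __init__(self) -> None:
        self.table: dict = {}  # ip_network -> peer name

    def set_allowed_ips(self, peer: str, cidrs: List[str]) -> List[str]:
        """Assign prefixes to `peer`, as `wg addconf` does for a [Peer] block.
        A prefix already owned by another peer moves to the new peer; the
        displaced owners are returned so the caller can see what was lost."""
        displaced: List[str] = []
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            owner = self.table.get(net)
            if owner is not None and owner != peer:
                displaced.append(owner)
            self.table[net] = peer
        return displaced

    def allowed_ips(self, peer: str) -> List[str]:
        """What `wg showconf` would print as AllowedIPs for this peer."""
        return sorted(str(n) for n, p in self.table.items() if p == peer)

    def route(self, dst: str) -> Optional[str]:
        """Outbound: longest-prefix match selects the peer to encrypt to."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net in self.table:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return self.table[best] if best is not None else None

    def accept(self, peer: str, inner_src: str) -> bool:
        """Inbound: a packet decrypted from `peer` is dropped unless its inner
        source address would route back to that same peer."""
        return self.route(inner_src) == peer


def replay_thread() -> List[str]:
    """The two `wg addconf` calls from the first mail: hal gets 0.0.0.0/0,
    then x360 claims the same prefix and hal is left with no AllowedIPs."""
    r = CryptokeyRouter()
    r.set_allowed_ips("hal", ["0.0.0.0/0"])
    lost = r.set_allowed_ips("x360", ["0.0.0.0/0"])
    return lost + r.allowed_ips("hal")  # ['hal']: displaced, nothing left
```

Giving each client its own /32 and reserving 0.0.0.0/0 for the single gateway peer, as Eric suggests, keeps every prefix with a distinct owner, so no addconf displaces another peer.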