* Policy-based routing
From: Bruno @ 2018-03-09 19:38 UTC (permalink / raw)
To: wireguard
Hello,
I'm trying to set up a policy-based routing on a wireguard instance. I
didn't want to call it server, because it acts more like a proxy.
Let's say I have 6 peers plus this wireguard server.
   Peer 2   Peer 3   Peer 4
     \/       \/       \/
 ______________________
|                      |
|  Wireguard "server"  |
|                      |
|______________________|
     \/       \/       \/
   Peer 5   Peer 6   Peer 7
Wireguard "server"
Address = 10.0.0.1/24
Peers 2-7
Address = 10.0.0.2-7/24, respectively.
So, what I'm trying to do is route traffic to Peer 7, for example, if it
is coming from Peer 2. I can do it doing some `ip rule` and `ip route`
commands. However, wireguard seems to be blocking that traffic. So, I
want peers 5-7 to act as gateways to the internet and I would choose it via
Linux environment.
Peers 5-7 would be wireguard servers that would route all traffic to the
internet. So, on the wireguard instance (10.0.0.1/24, "server"), I have
to set allowed IPs to peers 5-7 as "0.0.0.0/0", correct? Does wireguard
accept that? In my tests it would just pick one as allowed IPs as
0.0.0.0/0 and set others to (none). Then, I couldn't reach traffic
either from or to those other peers.
On the wireguard "server" I would set allowed-IPs to peers 2-4 as
10.0.0.2/32-10.0.0.4/32 as I don't need traffic going through it, just
coming from it.
Is it possible to achieve that with wireguard?
Thanks!
* Re: Policy-based routing
From: Matthias Urlichs @ 2018-03-09 21:35 UTC (permalink / raw)
To: wireguard
Hi,
> Is it possible to achieve that with wireguard?
You need to set up multiple wireguard interfaces (on different ports of
course).
Then you can use traditional Linux routing techniques.
--
-- Matthias Urlichs
* Re: Policy-based routing
From: Jason A. Donenfeld @ 2018-04-14 2:09 UTC (permalink / raw)
To: Bruno; +Cc: WireGuard mailing list
Hi Bruno,
You can't set multiple peers to use 0.0.0.0/0 at the same time on the
same interface. How would it be able to choose which peer to send
traffic to then? Instead, if you want some kind of redundancy or
bonding, you can try using multiple interfaces, and then use whatever
traditional routing or load balancing tools that you ordinarily would.
Jason
* Re: Policy-based routing
From: Bruno @ 2018-04-14 18:44 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
Hi Jason,
Thanks for your input. I agree with you.
But I could have the peers based on table routing and marking packets,
where all the traffic (0.0.0.0/0) would be routed based on the prior
conditions (tables and marking).
I'm doing one interface per peer right now, but I thought it could be
possible to achieve the same results with just one interface.
Bruno
On 04/13/2018 11:09 PM, Jason A. Donenfeld wrote:
> Hi Bruno,
>
> You can't set multiple peers to use 0.0.0.0/0 at the same time on the
> same interface. How would it be able to choose which peer to send
> traffic to then? Instead, if you want some kind of redundancy or
> bonding, you can try using multiple interfaces, and then use whatever
> traditional routing or load balancing tools that you ordinarily would.
>
> Jason
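
The multiple-interface approach suggested in the replies, written out as an added example that is not part of the original thread: each exit peer gets its own interface with allowed-ips 0.0.0.0/0, and `ip rule` picks the exit per source address. The interface names wg0 and wg5-wg7, the table numbers, the rule priority and all peer-to-exit pairings other than Peer 2 to Peer 7 are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed layout: wg0 (10.0.0.1/24) carries
# client peers 2-4; wg5, wg6, wg7 each carry ONE exit peer whose allowed-ips is
# 0.0.0.0/0. Interface names, table numbers and priority are constructed.
# DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
CLIENT_IF="${CLIENT_IF:-wg0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# table_for wg7 -> 107 (100 + interface index)
table_for() {
    case "$1" in
        wg[1-9]|wg[1-9][0-9]) echo $((100 + ${1#wg})) ;;
        *) echo "unexpected exit interface: $1" >&2; return 1 ;;
    esac
}

# exit_table IFACE: a table whose only route is "default out of that tunnel".
exit_table() {
    t=$(table_for "$1") || return 1
    run ip route replace default dev "$1" table "$t"
}

# steer SRC IFACE: packets from client SRC arriving on wg0 use IFACE's table.
steer() {
    case "$1" in
        10.0.0.[2-4]) ;;
        *) echo "not a client peer address: $1" >&2; return 1 ;;
    esac
    t=$(table_for "$2") || return 1
    run ip rule add from "$1/32" iif "$CLIENT_IF" lookup "$t" priority 1000
}

apply_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    for i in wg5 wg6 wg7; do exit_table "$i" || return 1; done
    # Peer 2 -> Peer 7 is the case from the question; the other two are constructed.
    steer 10.0.0.2 wg7 && steer 10.0.0.3 wg6 && steer 10.0.0.4 wg5
}

apply_policy
```

Return traffic needs no rule: it arrives on the exit interface and follows the main table's 10.0.0.0/24 route back to wg0. Each exit peer must cover the client addresses in the allowed-ips it holds for this server, unless the server NATs them.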