On 25 Feb 2020 at 07:24, Jan Novak wrote:

> On 25.02.20 at 07:07 Peter Libassi wrote:
>
>> On 23 Feb 2020 at 16:32, Jason A. Donenfeld wrote:
>>
>>> On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi wrote:
>>>
>>>> Ok, well even if using another local IP in range 127.0.0.0/8 we can’t be
>>>> certain we will clash with something else.
>>>>
>>>> How about adding a directive for the remote interface address in wg.conf?
>>>> Like this:
>>>>
>>>> # cat /usr/local/etc/wireguard/wg0.conf
>>>> [Interface]
>>>> PrivateKey = <->
>>>> ListenPort = 7777
>>>> Address = 192.168.2.1/32
>>>> RemoteAddress = 192.168.2.2
>>>>
>>>> [Peer]
>>>> PublicKey = <->
>>>> AllowedIPs = 192.168.2.0/24
>>>> Endpoint = 172.16.0.23:7777
>>>>
>>>> # diff /usr/local/bin/wg-quick.org ./wg-quick
>>>> 17a18
>>>>> REMOTE_ADDRESS=""
>>>> 86a88
>>>>> RemoteAddress) REMOTEADDRESS="$value"; continue ;;
>>>> 175c177,181
>>>> < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>>>> ---
>>>>> if [[ -n $REMOTEADDRESS ]]; then
>>>>> cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias
>>>>> else
>>>>> cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>>>>> fi
>>>
>>> This is not a correct fix; we're not going to add a configuration knob
>>> to work around FreeBSD network stack gotchas.
>>>
>>> Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
>>> around multiple routing tables and marks, much like on Linux, though I
>>> don't know if that's possible. Barring that, a proper solution
>>> probably involves re-reading the ifconfig man page a few dozen times
>>> to find out how to have interface addresses as we need them.
>>
>> It works perfectly for my single site-2-site use case. You have two
>> options as I see it. Either convince the FreeBSD team to drop the
>> dest_address requirement or implement local/remote address awareness
>> per [Peer] in the wg-quick script.
>
> Hi Peter,
>
> Can you show me an example for "... implement local/remote address
> awareness per [Peer] in the wg-quick script..."
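Review bot: in the RemoteAddress diff quoted above, the name introduced at 17a18 is `REMOTE_ADDRESS` while 86a88 assigns `REMOTEADDRESS` and 175c177,181 tests `REMOTEADDRESS`, so the declaration at 17a18 is dead and the variable exists only if the case arm ran; use one spelling (`REMOTEADDRESS=""` at 17a18) so the `[[ -n $REMOTEADDRESS ]]` branch is not relying on an undeclared name. The value is also handed to `cmd ifconfig` as the destination without any check that it is an address; a malformed `RemoteAddress` line would only surface as an ifconfig error at `up` time, so validate it where it is parsed at 86a88.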
>
> Bfo

Here is one way to do it:

root@vpn1:~ # cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <->
ListenPort = 7777

[Peer]
PublicKey = <->
LinkAddress = 10.0.0.1/10.0.0.2
Endpoint = 192.168.59.155:7777
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <->
LinkAddress = 10.1.1.1/10.1.1.2
Endpoint = 192.168.58.155:7777
AllowedIPs = 10.1.1.2/32

$ diff /usr/local/bin/wg-quick wg-quick
16a17
> LADDRESSES=( )
63c64
< local interface_section=0 line key value stripped path
---
> local interface_section=0 peer_section=0 line key value stripped path
95a97,102
> [[ $key == "[Peer]" ]] && peer_section=1
> if [[ $peer_section -eq 1 ]]; then
> case "$key" in
> LinkAddress) LADDRESSES+=( ${value//,/ } ); continue ;;
> esac
> fi
175c182
< cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
---
> cmd ifconfig "$INTERFACE" inet "${1%/*}/32" "${1#*/}" alias
419c426
< for i in "${ADDRESSES[@]}"; do
---
> for i in "${LADDRESSES[@]}"; do

root@vpn1:~ # /home/peter/wg-quick up wg0
[#] wireguard-go wg0
INFO: (wg0) 2020/02/25 13:49:54 Starting wireguard-go version 0.0.20200121
[#] wg setconf wg0 /tmp/tmp.vXURfmKj/sh-np.pCIWwG
[#] ifconfig wg0 inet 10.0.0.1/32 10.0.0.2 alias
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.2 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.0.0.2/32 -interface wg0
[+] Backgrounding route monitor

root@vpn1:~ # ifconfig wg0
wg0: flags=8051 metric 0 mtu 1420
	options=80000
	inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
	inet 10.1.1.1 --> 10.1.1.2 netmask 0xffffffff
	groups: tun
	nd6 options=101
	Opened by PID 2033

root@VPN1:~ # netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.59.2       UGS         em0
10.0.0.1           link#4             UHS         lo0
10.0.0.2           link#4             UH          wg0
10.0.0.2/32        wg0                US          wg0
10.1.1.1           link#4             UHS         lo0
10.1.1.2           link#4             UH          wg0
10.1.1.2/32        wg0                US          wg0
127.0.0.1          link#3             UH          lo0
192.168.59.0/24    link#1             U           em0
192.168.59.154     link#1             UHS         lo0
192.168.153.0/24   link#2             U           em1
192.168.153.130    link#2             UHS         lo0

root@vpn1:~ # ping -c1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=0.373 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms

root@vpn1:~ # ping -c1 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.277 ms

--- 10.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.277/0.277/0.277/0.000 ms

/Peter
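Review bot: in the LinkAddress diff above, hunk 95a97,102 sets `peer_section=1` on `[Peer]` but nothing in the hunk ever clears it, so once a `[Peer]` has been seen a `LinkAddress` line under any later section header is still swallowed by the `continue` and never reaches `wg setconf`; add a reset of `peer_section` to 0 on any `[` header next to the line that sets it. The unquoted `${value//,/ }` expansion is also subject to globbing, so a stray `*` in the value would expand against the current directory before it ever reaches `ifconfig`.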
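Review bot: hunk 175c182 passes `${1#*/}` to `ifconfig` as the destination with no check that the value really has the `local/remote` shape; a value written the old way, `10.0.0.1/32`, becomes `ifconfig wg0 inet 10.0.0.1/32 32 alias` and only fails inside ifconfig. Validate that both halves are addresses and differ before the `cmd ifconfig` call and fail the `up` with a clear message otherwise; the hard-coded `/32` also ties this branch to IPv4, which should be stated or checked.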
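Review bot: hunk 419c426 swaps `ADDRESSES` for `LADDRESSES` in the loop, so an `Address =` line under `[Interface]` is still accepted by the parser but is silently never configured on the interface; either reject `Address` when `LinkAddress` is present or keep the loop over both arrays so existing configs do not lose their addresses without any error.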
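The per-[Peer] LinkAddress handling from the diff above, reworked as an added stand-alone example (not Peter's patch and not wg-quick's own code): it derives the same two ifconfig commands from the same two-peer config, but first rejects any LinkAddress that is not of the `local/remote` form, which the quoted hunk would pass straight to ifconfig. It assumes a POSIX sh with sed, grep -E, tr and mktemp available.

```shell
# Added example (not Peter's patch, not wg-quick itself): parse a wg-quick style
# config and, for each "LinkAddress = local/remote" inside a [Peer] section,
# print the FreeBSD point-to-point ifconfig command used in the thread.
# Unlike the quoted hunk it checks the local/remote shape first, so a bare
# "10.0.0.1/32" fails instead of becoming "ifconfig wg0 inet 10.0.0.1/32 32 alias".
set -e
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
trim()    { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }
is_ipv4() { printf '%s' "$1" | grep -Eq "$IPV4_RE"; }
# link_address_cmds <interface> <config-file>: prints one
# "ifconfig <if> inet <local>/32 <remote> alias" per entry; returns 1 on a bad value.
link_address_cmds() {
    iface="$1"; cfg="$2"; section=""
    while read -r line || [ -n "$line" ]; do
        stripped=${line%%\#*}            # drop comments, as wg-quick does
        key=$(trim "${stripped%%=*}")
        value=$(trim "${stripped#*=}")
        # Any header replaces the previous section, so a later [Interface]
        # block is never mistaken for a peer.
        case "$key" in "["*) section="$key" ;; esac
        [ "$section" = "[Peer]" ] && [ "$key" = "LinkAddress" ] || continue
        for v in $(printf '%s' "$value" | tr ',' ' '); do
            local_ip=${v%/*}; remote_ip=${v#*/}
            # Both halves must be IPv4 literals and must differ.
            if [ "$local_ip" = "$v" ] || ! is_ipv4 "$local_ip" \
               || ! is_ipv4 "$remote_ip" || [ "$local_ip" = "$remote_ip" ]; then
                echo "bad LinkAddress '$v' (expected local/remote)" >&2
                return 1
            fi
            printf 'ifconfig %s inet %s/32 %s alias\n' "$iface" "$local_ip" "$remote_ip"
        done
    done < "$cfg"
}
# Constructed sample config mirroring the two-peer layout from the thread.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
[Interface]
PrivateKey = <->
ListenPort = 7777
[Peer]
PublicKey = <->
LinkAddress = 10.0.0.1/10.0.0.2
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <->
LinkAddress = 10.1.1.1/10.1.1.2
AllowedIPs = 10.1.1.2/32
EOF
link_address_cmds wg0 "$SAMPLE_CFG"
```

Running it prints exactly the two `ifconfig wg0 inet ... alias` lines that appear in the `wg-quick up wg0` transcript above; prefix them with `cmd` to slot the same logic into the script.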