Development discussion of WireGuard
From: "Posegga, Joachim" <jp@sec.uni-passau.de>
To: Riccardo Paolo Bestetti <pbl@bestov.io>,
	Maarten de Vries <maarten@de-vri.es>,
	"wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: RE: Multiple Clients behind NAT
Date: Fri, 15 Jan 2021 19:49:42 +0000
Message-ID: <992cc9f1fb1b4f06ad27bc0a0005033d@smith.sec.uni-passau.de>
In-Reply-To: <C8JU1RTQOKUE.3NQU5QRW2L5VI@enhorning>

Thanks to all who responded. The setup is hard to debug, since the clients behind NAT are on the other side of the globe and I am configuring and debugging via Layer 8 ;-).

Meanwhile I created the client configurations and configured the Mikrotik server from scratch again; it now provides a separate WireGuard interface for each client; each client now uses a different target port on the server. I have some doubts if this really addresses the source of the problem, and it is certainly not very elegant, but it does the trick for now. The Mikrotik implementation is still a beta, so you cannot expect a stable server.

Best,
	Joachim.

-----Original Message-----
From: Riccardo Paolo Bestetti [mailto:pbl@bestov.io] 
Sent: Friday, 15 January, 2021 16:22
To: Maarten de Vries; Posegga, Joachim; wireguard@lists.zx2c4.com
Subject: Re: Multiple Clients behind NAT

On Fri Jan 15, 2021 at 3:21 PM CET, Maarten de Vries wrote:
> WireGuard doesn't have to use the same local port for all clients. In
> fact, if you don't give a ListenPort explicitly, an ephemeral port is
> assigned. This could theoretically still conflict between clients on
This is correct. I mistakenly thought that, by default, WireGuard used
the target port as a source port as well (when available). Ephemeral
makes more sense & is also what really happens.

So yes, Joachim should both fix the NAT and drop ListenPort from his
clients.

Riccardo
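
Added example (not part of the thread and not WireGuard or Mikrotik code): a small Python check for the advice above, reporting which wg-quick style client configs set ListenPort explicitly and which of them share one port. The file names, addresses, endpoint host and keys are constructed placeholders, and the helper names are hypothetical.

```python
from collections import defaultdict

def sample(addr, port=None):
    """Build a constructed wg-quick style client config (placeholder keys)."""
    pin = f"ListenPort = {port}\n" if port else ""
    return (f"[Interface]\nPrivateKey = <placeholder>\nAddress = {addr}\n{pin}"
            "\n[Peer]\nPublicKey = <placeholder>\n"
            "Endpoint = vpn.example.net:51820\nAllowedIPs = 0.0.0.0/0\n")

# Constructed sample input: two clients pin the same port, one leaves it unset.
CONFIGS = {
    "client-a.conf": sample("10.0.0.2/32", 51820),
    "client-b.conf": sample("10.0.0.3/32", 51820),
    "client-c.conf": sample("10.0.0.4/32"),
}

def listen_port(text):
    """Return the [Interface] ListenPort as int, or None when it is unset."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "interface" and key.strip().lower() == "listenport":
            return int(value.strip())
    return None

def pinned_ports(configs):
    """Map each explicitly set ListenPort to the sorted config names using it."""
    ports = defaultdict(list)
    for name, text in configs.items():
        port = listen_port(text)
        if port is not None:
            ports[port].append(name)
    return {port: sorted(names) for port, names in ports.items()}

def report(configs):
    """One line per pinned port; SHARED marks a port set in several configs."""
    lines = []
    for port, names in sorted(pinned_ports(configs).items()):
        tag = "SHARED" if len(names) > 1 else "pinned"
        lines.append(f"{tag} ListenPort {port}: {', '.join(names)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(CONFIGS)))
```

A config that leaves ListenPort unset is not reported, since WireGuard then picks an ephemeral source port for that client.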

