wg inside gre inside tcp?

Thomas J Munn

> On Mar 10, 2018, at 06:00, wireguard-request@lists.zx2c4.com wrote:
>
> Today's Topics:
>
>    1. Re: Another roaming problem (Toke Høiland-Jørgensen)
>    2. TCP Wireguard with socat (Gianluca Gabrielli)
>    3. Policy-based routing (Bruno)
>    4. Re: Policy-based routing (Matthias Urlichs)
>    5. Re: TCP Wireguard with socat (Matthias Urlichs)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 09 Mar 2018 15:53:27 +0100
> From: Toke Høiland-Jørgensen
> To: "Jason A. Donenfeld"
> Cc: WireGuard mailing list
> Subject: Re: Another roaming problem
> Message-ID: <878tb1jo60.fsf@toke.dk>
> Content-Type: text/plain
>
> "Jason A. Donenfeld" writes:
>
>> Neat script, looks pretty easy to use. The wg repo has a kprobes
>> script too for extracting ephemeral keys from the kernel:
>>
>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes
>
> Neat! Brave new world of debugging ;)
>
> /me goes to write some more printk's
>
> -Toke
>
> ------------------------------
>
> Message: 2
> Date: Fri, 09 Mar 2018 11:41:45 -0500
> From: Gianluca Gabrielli
> To: "wireguard@lists.zx2c4.com"
> Subject: TCP Wireguard with socat
> Message-ID:
> Content-Type: text/plain; charset=UTF-8
>
> Hi everybody,
>
> I'm a happy wireguard user for a while, but at that time I need to link two peers and I can only use TCP.
> I know that there are thousands of other tools I can use, but I'd like to do it using wireguard.
> My first thought has been to make use of socat, since in some newest version a new address type called INTERFACE has been added (http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES), so I tried to use it but I've not been able to make it work.
> This is why I'm here asking for your feedback, or to collect other ideas to let wireguard work through a TCP tunnel.
>
> I wrote all the notes about the tests I made in a pdf. I know that this is not the good way to share my results with you, and I should write it here once again in plaintext. But for me it would turn into a waste of time to do it again, and it also would be less comprehensible.
> I uploaded the pdf online instead of attaching it to this email, hence nobody needs to open it on his personal laptop, but it can be viewed via any browser. I personally hate opening unknown files on my computer. The pdf can be viewed from the following link:
> https://drive.google.com/open?id=1KrLvU1D0K4YpRHi-jsIjbExh0lFTRQks
>
> I will really appreciate any constructive feedback or suggestion on how to easily use wireguard with TCP.
>
> Thanks,
> Gianluca
>
> ------------------------------
>
> Message: 3
> Date: Fri, 9 Mar 2018 16:38:35 -0300
> From: Bruno
> To: wireguard@lists.zx2c4.com
> Subject: Policy-based routing
> Message-ID:
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hello,
>
> I'm trying to set up a policy-based routing on a wireguard instance. I
> didn't want to call it server, because it acts more like a proxy.
>
> Let's say I have 6 peers plus this wireguard server.
>
> Peer 2  Peer 3   Peer 4
>  \/       \/       \/
> ______________________
> |                     |
> | Wireguard "server"  |
> |                     |
> |_____________________|
>  \/       \/       \/
> Peer 5  Peer 6   Peer 7
>
> Wireguard "server"
> Address = 10.0.0.1/24
>
> Peers 2-7
> Address = 10.0.0.2-7/24, respectively.
>
> So, what I'm trying to do is route traffic to Peer 7, for example, if it
> is coming from Peer 2. I can do it doing some `ip rule` and `ip route`
> commands. However, wireguard seems to be blocking that traffic. So, I
> want peers 5-7 to act as gateways to the internet and I would choose it via
> Linux environment.
>
> Peers 5-7 would be wireguard servers that would route all traffic to the
> internet. So, on the wireguard instance (10.0.0.1/24, "server"), I have
> to set allowed IPs to peers 5-7 as "0.0.0.0/0", correct? Does wireguard
> accept that? On my tests it would just pick one as allowed IPs as
> 0.0.0.0/0 and set others to (none). Then, I couldn't reach traffic
> neither from nor to those other peers.
>
> On the wireguard "server" I would set allowed-IPs to peers 2-4 as
> 10.0.0.2/32-10.0.0.4/32 as I don't need traffic going through it, just
> coming from it.
>
> Is it possible to achieve that with wireguard?
>
> Thanks!
>
> ------------------------------
>
> Message: 4
> Date: Fri, 9 Mar 2018 22:35:00 +0100
> From: Matthias Urlichs
> To: wireguard@lists.zx2c4.com
> Subject: Re: Policy-based routing
> Message-ID: <9181ac49-897b-8412-84e9-1505cc261913@urlichs.de>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>> Is it possible to achieve that with wireguard?
>
> You need to set up multiple wireguard interfaces (on different ports of
> course).
>
> Then you can use traditional Linux routing techniques.
>
> --
> -- Matthias Urlichs
>
> ------------------------------
>
> Message: 5
> Date: Fri, 9 Mar 2018 22:45:32 +0100
> From: Matthias Urlichs
> To: wireguard@lists.zx2c4.com
> Subject: Re: TCP Wireguard with socat
> Message-ID:
> Content-Type: text/plain; charset=utf-8
>
>> On 09.03.2018 17:41, Gianluca Gabrielli wrote:
>> My first thought has been to make use of socat
>
> socat can do either packet streams or byte streams. A UDP socket (or a
> tun/tap interface) is a packet stream. TCP is a byte stream.
> You can't forward a packet stream into a byte stream. (Well, OK, socat does
> allow you to set that up, but it won't work.)
>
> You need to wrap your packets in some sort of frame (simplest: precede each
> with a length word (but think about byte ordering)). I'm sure there are
> programs which do that, or you can write your own. socat can't do it.
>
> --
> -- Matthias Urlichs
>
> ------------------------------
>
> End of WireGuard Digest, Vol 24, Issue 14
> *****************************************
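
The length-word framing suggested in Message 5, as an added example that is not part of any message in this thread: each datagram is prefixed with a 2-byte length in network byte order, and the receiver rebuilds packet boundaries from arbitrary TCP read sizes. The names frame, Deframer and demo, the 2-byte width, the rejection of empty frames and the sample payloads are assumptions of this example.

```python
import struct

_LEN = struct.Struct("!H")   # "!" = network (big-endian) byte order, 2-byte length word
MAX_DATAGRAM = 0xFFFF        # largest length a 2-byte word can describe


def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length so its boundary survives a byte stream."""
    if not datagram or len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram length must be 1..65535 bytes")
    return _LEN.pack(len(datagram)) + datagram


class Deframer:
    """Rebuilds datagram boundaries from whatever chunk sizes TCP delivers."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Add bytes returned by recv(); return every datagram that is now complete."""
        self._buf += chunk
        out = []
        while len(self._buf) >= _LEN.size:
            (n,) = _LEN.unpack_from(self._buf)
            if n == 0:
                # This example never sends empty frames, so treat one as desync.
                raise ValueError("zero-length frame: stream is out of sync")
            end = _LEN.size + n
            if len(self._buf) < end:
                break                      # body not fully received yet
            out.append(bytes(self._buf[_LEN.size:end]))
            del self._buf[:end]
        return out

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


def demo() -> bool:
    # Constructed stand-ins for three UDP payloads of different sizes.
    datagrams = [b"\x01" + b"A" * 147, b"\x04" + b"B" * 31, b"\x02" + b"C" * 91]
    stream = b"".join(frame(d) for d in datagrams)
    rx, got = Deframer(), []
    for i in range(0, len(stream), 7):     # simulate 7-byte TCP reads
        got += rx.feed(stream[i:i + 7])
    return got == datagrams and rx.pending() == 0
```

On the sending side each received UDP payload goes through frame() before being written to the TCP socket; on the receiving side each datagram returned by feed() is sent on as one UDP packet.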