wg inside gre inside tvp?

Thomas J Munn


On Mar 10, 2018, at 06:00, wireguard-request@lists.zx2c4.com wrote:

Send WireGuard mailing list submissions to
   wireguard@lists.zx2c4.com

To subscribe or unsubscribe via the World Wide Web, visit
   https://lists.zx2c4.com/mailman/listinfo/wireguard
or, via email, send a message with subject or body 'help' to
   wireguard-request@lists.zx2c4.com

You can reach the person managing the list at
   wireguard-owner@lists.zx2c4.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of WireGuard digest..."


Today's Topics:

  1. Re: Another roaming problem (Toke Høiland-Jørgensen)
  2. TCP Wireguard with socat (Gianluca Gabrielli)
  3. Policy-based routing (Bruno)
  4. Re: Policy-based routing (Matthias Urlichs)
  5. Re: TCP Wireguard with socat (Matthias Urlichs)


----------------------------------------------------------------------

Message: 1
Date: Fri, 09 Mar 2018 15:53:27 +0100
From: Toke Høiland-Jørgensen <toke@toke.dk>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Another roaming problem
Message-ID: <878tb1jo60.fsf@toke.dk>
Content-Type: text/plain

"Jason A. Donenfeld" <Jason@zx2c4.com> writes:

> Neat script, looks pretty easy to use. The wg repo has a kprobes
> script too for extracting ephemeral keys from the kernel:
>
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes

Neat! Brave new world of debugging ;)

/me goes to write some more printk's


-Toke


------------------------------

Message: 2
Date: Fri, 09 Mar 2018 11:41:45 -0500
From: Gianluca Gabrielli <tuxmealux@protonmail.com>
To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: TCP Wireguard with socat
Message-ID: <utLzzyzPJsv-W3vVhU4Sdchg_5A07v9qCxR1DeJ5Wu7RzJHcje1cCEjtEWi4j0aCN05ozn9b4VYJQsLovvl6TGPp-kbZ_5kfpReEJHQQXGk=@protonmail.com>
Content-Type: text/plain; charset=UTF-8

Hi everybody,

I've been a happy wireguard user for a while, but at the moment I need to link two peers and I can only use TCP. I know that there are thousands of other tools I could use, but I'd like to do it using wireguard.
My first thought was to make use of socat, since as of some recent version a new address type called INTERFACE has been added (http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES), so I tried to use it but I've not been able to make it work.
This is why I'm here asking for your feedback, or to collect other ideas to let wireguard work through a TCP tunnel.

I wrote all the notes about the tests I made in a pdf. I know that this is not the best way to share my results with you, and I should write it here again in plaintext. But for me it would be a waste of time to do it again, and it would also be less comprehensible.
I uploaded the pdf online instead of attaching it to this email, hence nobody needs to open it on his personal laptop, but it can be viewed via any browser. I personally hate opening unknown files on my computer. The pdf can be viewed from the following link:
https://drive.google.com/open?id=1KrLvU1D0K4YpRHi-jsIjbExh0lFTRQks

I would really appreciate any constructive feedback or suggestion on how to easily use wireguard with TCP.

Thanks,
Gianluca




------------------------------

Message: 3
Date: Fri, 9 Mar 2018 16:38:35 -0300
From: Bruno <bruno@streamfeed.com>
To: wireguard@lists.zx2c4.com
Subject: Policy-based routing
Message-ID: <a81edfe2-2a49-c49a-ea7c-65e60639ecfe@streamfeed.com>
Content-Type: text/plain; charset=utf-8; format=flowed

Hello,

I'm trying to set up policy-based routing on a wireguard instance. I
didn't want to call it a server, because it acts more like a proxy.

Let's say I have 6 peers plus this wireguard server.

Peer 2   Peer 3   Peer 4
  \/       \/       \/
 ______________________
|                      |
| Wireguard "server"   |
|                      |
|______________________|
  \/       \/       \/
Peer 5   Peer 6   Peer 7

Wireguard "server"
Address = 10.0.0.1/24

Peers 2-7
Address = 10.0.0.2-7/24, respectively.

So, what I'm trying to do is route traffic to Peer 7, for example, if it
is coming from Peer 2. I can do it with some `ip rule` and `ip route`
commands. However, wireguard seems to be blocking that traffic. So, I
want peers 5-7 to act as gateways to the internet, and I would choose
one via the Linux environment.

Peers 5-7 would be wireguard servers that would route all traffic to the
internet. So, on the wireguard instance (10.0.0.1/24, "server"), I have
to set allowed IPs for peers 5-7 to "0.0.0.0/0", correct? Does wireguard
accept that? In my tests it would just pick one peer with allowed IPs
0.0.0.0/0 and set the others to (none). Then, I couldn't get traffic
either from or to those other peers.

On the wireguard "server" I would set allowed-IPs for peers 2-4 to
10.0.0.2/32-10.0.0.4/32 as I don't need traffic going through them, just
coming from them.

Is it possible to achieve that with wireguard?

Thanks!



------------------------------

Message: 4
Date: Fri, 9 Mar 2018 22:35:00 +0100
From: Matthias Urlichs <matthias@urlichs.de>
To: wireguard@lists.zx2c4.com
Subject: Re: Policy-based routing
Message-ID: <9181ac49-897b-8412-84e9-1505cc261913@urlichs.de>
Content-Type: text/plain; charset=utf-8

Hi,
> Is it possible to achieve that with wireguard?

You need to set up multiple wireguard interfaces (on different ports of
course).

Then you can use traditional Linux routing techniques.

--
-- Matthias Urlichs



------------------------------

Message: 5
Date: Fri, 9 Mar 2018 22:45:32 +0100
From: Matthias Urlichs <matthias@urlichs.de>
To: wireguard@lists.zx2c4.com
Subject: Re: TCP Wireguard with socat
Message-ID: <e0bff705-f328-0071-0fb7-0367d36f0074@urlichs.de>
Content-Type: text/plain; charset=utf-8

On 09.03.2018 17:41, Gianluca Gabrielli wrote:
> My first thought has been to make use of socat

socat can do either packet streams or byte streams. A UDP socket (or a
tun/tap interface) is a packet stream. TCP is a byte stream. You can't
forward a packet stream into a byte stream. (Well, OK, socat does allow
you to set that up, but it won't work.)

You need to wrap your packets in some sort of frame (simplest: precede
each with a length word, but think about byte ordering). I'm sure there
are programs which do that, or you can write your own. socat can't do it.

--
-- Matthias Urlichs
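A worked version of the framing Matthias describes, added here as an example for the question Gianluca raised in message 2 and the answer in message 5; it is not code from WireGuard, from socat, or from anyone on the list. It carries WireGuard's UDP datagrams over one TCP connection by prefixing each datagram with a 2-byte big-endian length, so the receiving side can recover datagram boundaries from the byte stream. The "client"/"server" roles, the command-line format and all addresses and ports are assumptions for illustration:

```python
# Added example (not WireGuard's or socat's code): a minimal relay that carries
# WireGuard UDP datagrams over TCP with a 2-byte big-endian length prefix per
# datagram.  Roles, CLI format, addresses and ports are assumptions.
#
#   wg peer A --UDP--> relay "client" --TCP--> relay "server" --UDP--> wg peer B
#
# Peer A's config points Endpoint at the client relay's UDP listener (e.g.
# 127.0.0.1:51821); peer B keeps its normal ListenPort.  WireGuard still
# authenticates and encrypts everything; the relay only ever sees ciphertext.
import selectors
import socket
import struct
import sys

HDR = struct.Struct("!H")   # length prefix in network byte order (fixed byte ordering)
MAX_DGRAM = 0xFFFF          # largest datagram a 2-byte length can describe


def frame(datagram):
    """Wrap one datagram for the byte stream: 2-byte length, then the payload."""
    if len(datagram) > MAX_DGRAM:
        raise ValueError("datagram too large for a 2-byte length prefix")
    return HDR.pack(len(datagram)) + datagram


class Deframer:
    """Incremental parser: feed() arbitrary TCP chunks, get back whole datagrams.

    TCP may split or merge frames at any byte, so partial data is buffered
    until a complete header and payload have arrived.
    """

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        self._buf += chunk
        datagrams = []
        while len(self._buf) >= HDR.size:
            (length,) = HDR.unpack_from(self._buf)
            if len(self._buf) < HDR.size + length:
                break                       # wait for the rest of this datagram
            datagrams.append(bytes(self._buf[HDR.size:HDR.size + length]))
            del self._buf[:HDR.size + length]
        return datagrams


def relay(udp_sock, tcp_sock, udp_peer=None):
    """Shuttle datagrams between a UDP socket and one TCP connection.

    udp_peer is where deframed datagrams are delivered.  If None, it is learned
    (and refreshed, so a roaming WireGuard peer keeps working) from whichever
    address last sent us a datagram.  Because anyone who can reach that UDP
    port could redirect the stream, bind it to loopback, not to a public address.
    """
    tcp_sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)  # no Nagle delay on small handshake packets
    deframer = Deframer()
    sel = selectors.DefaultSelector()
    sel.register(udp_sock, selectors.EVENT_READ, "udp")
    sel.register(tcp_sock, selectors.EVENT_READ, "tcp")
    while True:
        for key, _ in sel.select():
            if key.data == "udp":
                datagram, udp_peer = udp_sock.recvfrom(MAX_DGRAM)
                tcp_sock.sendall(frame(datagram))
            else:
                chunk = tcp_sock.recv(65536)
                if not chunk:
                    return                  # TCP side closed; caller may reconnect
                for datagram in deframer.feed(chunk):
                    if udp_peer is not None:   # before the first UDP packet there is nowhere to deliver
                        udp_sock.sendto(datagram, udp_peer)


def hostport(text):
    """Parse 'host:port' (assumed CLI format) into a socket address tuple."""
    host, port = text.rsplit(":", 1)
    return host, int(port)


def main(argv):
    if len(argv) == 4 and argv[1] == "client":
        # client <udp listen host:port> <remote relay host:port>
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(hostport(argv[2]))
        tcp = socket.create_connection(hostport(argv[3]))
        relay(udp, tcp)
    elif len(argv) == 4 and argv[1] == "server":
        # server <tcp listen host:port> <local wg host:port>
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(hostport(argv[2]))
        listener.listen(1)
        conn, _ = listener.accept()     # one tunnel per relay instance
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(("127.0.0.1", 0))      # ephemeral port; wg peer B replies here
        relay(udp, conn, hostport(argv[3]))
    else:
        sys.exit("usage: client <udp-listen> <relay-tcp> | server <tcp-listen> <wg-udp>")


if __name__ == "__main__":
    main(sys.argv)
```

With the assumed layout, the server side runs `server 0.0.0.0:443 127.0.0.1:51820` next to peer B and the client side runs `client 127.0.0.1:51821 relay.example:443` next to peer A, whose Endpoint is then 127.0.0.1:51821. Two caveats worth knowing before relying on this: a single TCP connection with no reconnect logic is all it handles, and TCP inside the tunnel riding on a TCP carrier suffers the usual TCP-over-TCP retransmission stacking, so expect throughput to drop on lossy links even though the WireGuard security properties are unchanged.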



------------------------------

Subject: Digest Footer

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


------------------------------

End of WireGuard Digest, Vol 24, Issue 14
*****************************************