From: Thomas Munn <symgryph@gmail.com>
Date: Sat, 10 Mar 2018 13:38:01 -0500
To: wireguard@lists.zx2c4.com
Subject: Re: WireGuard Digest, Vol 24, Issue 14

wg inside gre inside tcp?

Thomas J Munn

> On Mar 10, 2018, at 06:00, wireguard-request@lists.zx2c4.com wrote:
> 
> Send WireGuard mailing list submissions to
>     wireguard@lists.zx2c4.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.zx2c4.com/mailman/listinfo/wireguard
> or, via email, send a message with subject or body 'help' to
>     wireguard-request@lists.zx2c4.com
> 
> You can reach the person managing the list at
>     wireguard-owner@lists.zx2c4.com
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of WireGuard digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Another roaming problem (Toke Høiland-Jørgensen)
>    2. TCP Wireguard with socat (Gianluca Gabrielli)
>    3. Policy-based routing (Bruno)
>    4. Re: Policy-based routing (Matthias Urlichs)
>    5. Re: TCP Wireguard with socat (Matthias Urlichs)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 09 Mar 2018 15:53:27 +0100
> From: Toke Høiland-Jørgensen <toke@toke.dk>
> To: "Jason A. Donenfeld" <Jason@zx2c4.com>
> Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
> Subject: Re: Another roaming problem
> Message-ID: <878tb1jo60.fsf@toke.dk>
> Content-Type: text/plain
> 
> "Jason A. Donenfeld" <Jason@zx2c4.com> writes:
> 
>> Neat script, looks pretty easy to use. The wg repo has a kprobes
>> script too for extracting ephemeral keys from the kernel:
>> 
>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes
> 
> Neat! Brave new world of debugging ;)
> 
> /me goes to write some more printk's
> 
> 
> -Toke
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 09 Mar 2018 11:41:45 -0500
> From: Gianluca Gabrielli <tuxmealux@protonmail.com>
> To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
> Subject: TCP Wireguard with socat
> Message-ID: <utLzzyzPJsv-W3vVhU4Sdchg_5A07v9qCxR1DeJ5Wu7RzJHcje1cCEjtEWi4j0aCN05ozn9b4VYJQsLovvl6TGPp-kbZ_5kfpReEJHQQXGk=@protonmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Hi everybody,
> 
> I've been a happy wireguard user for a while, but at the moment I need to link two peers and I can only use TCP. I know that there are thousands of other tools I can use, but I'd like to do it using wireguard.
> My first thought was to make use of socat, since in some newer version a new address type called INTERFACE has been added (http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES), so I tried to use it but I've not been able to make it work.
> This is why I'm here asking for your feedback, or to collect other ideas to let wireguard work through a TCP tunnel.
> 
> I wrote all the notes about the tests I made in a pdf. I know that this is not the best way to share my results with you, and I should write it here once again in plaintext. But for me it would turn into a waste of time to do it again, and it also would be less comprehensible.
> I uploaded the pdf online instead of attaching it to this email, hence nobody needs to open it on his personal laptop, but it can be viewed via any browser. I personally hate opening unknown files on my computer. The pdf can be viewed from the following link:
> https://drive.google.com/open?id=1KrLvU1D0K4YpRHi-jsIjbExh0lFTRQks
> 
> I will really appreciate any constructive feedback or suggestion on how to easily use wireguard with TCP.
> 
> Thanks,
> Gianluca
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 9 Mar 2018 16:38:35 -0300
> From: Bruno <bruno@streamfeed.com>
> To: wireguard@lists.zx2c4.com
> Subject: Policy-based routing
> Message-ID: <a81edfe2-2a49-c49a-ea7c-65e60639ecfe@streamfeed.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Hello,
> 
> I'm trying to set up policy-based routing on a wireguard instance. I
> didn't want to call it a server, because it acts more like a proxy.
> 
> Let's say I have 6 peers plus this wireguard server.
> 
> Peer 2   Peer 3   Peer 4
>   \/       \/       \/
>  ______________________
> |                     |
> | Wireguard "server"  |
> |                     |
> |_____________________|
>   \/       \/       \/
> Peer 5   Peer 6   Peer 7
> 
> Wireguard "server"
> Address = 10.0.0.1/24
> 
> Peers 2-7
> Address = 10.0.0.2-7/24, respectively.
> 
> So, what I'm trying to do is route traffic to Peer 7, for example, if it
> is coming from Peer 2. I can do it with some `ip rule` and `ip route`
> commands. However, wireguard seems to be blocking that traffic. So, I
> want peers 5-7 to act as gateways to the internet and I would choose it via
> the Linux environment.
> 
> Peers 5-7 would be wireguard servers that would route all traffic to the
> internet. So, on the wireguard instance (10.0.0.1/24, "server"), I have
> to set allowed IPs to peers 5-7 as "0.0.0.0/0", correct? Does wireguard
> accept that? On my tests it would just pick one as allowed IPs as
> 0.0.0.0/0 and set others to (none). Then, I couldn't reach traffic
> neither from nor to those other peers.
> 
> On the wireguard "server" I would set allowed-IPs for peers 2-4 as
> 10.0.0.2/32-10.0.0.4/32 as I don't need traffic going through it, just
> coming from it.
> 
> Is it possible to achieve that with wireguard?
> 
> Thanks!
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 9 Mar 2018 22:35:00 +0100
> From: Matthias Urlichs <matthias@urlichs.de>
> To: wireguard@lists.zx2c4.com
> Subject: Re: Policy-based routing
> Message-ID: <9181ac49-897b-8412-84e9-1505cc261913@urlichs.de>
> Content-Type: text/plain; charset=utf-8
> 
> Hi,
>> Is it possible to achieve that with wireguard?
> 
> You need to set up multiple wireguard interfaces (on different ports of
> course).
> 
> Then you can use traditional Linux routing techniques.
> 
> -- 
> -- Matthias Urlichs
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 9 Mar 2018 22:45:32 +0100
> From: Matthias Urlichs <matthias@urlichs.de>
> To: wireguard@lists.zx2c4.com
> Subject: Re: TCP Wireguard with socat
> Message-ID: <e0bff705-f328-0071-0fb7-0367d36f0074@urlichs.de>
> Content-Type: text/plain; charset=utf-8
> 
>> On 09.03.2018 17:41, Gianluca Gabrielli wrote:
>> My first thought has been to make use of socat
> 
> socat can do either packet streams or byte streams. A UDP socket (or a
> tun/tap interface) is a packet stream. TCP is a byte stream. You can't
> forward a packet stream into a byte stream. (Well, OK, socat does allow
> you to set that up, but it won't work.)
> 
> You need to wrap your packets in some sort of frame (simplest: precede each
> with a length word (but think about byte ordering)). I'm sure there are
> programs which do that, or you can write your own. socat can't do it.
> 
> -- 
> -- Matthias Urlichs
> 
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
> 
> 
> ------------------------------
> 
> End of WireGuard Digest, Vol 24, Issue 14
> *****************************************
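Matthias's closing point in message 5 (frame each datagram with a length word, and mind the byte order) is the whole of what a UDP-over-TCP wrapper has to get right. What follows is an added example, not code from this list, from socat or from WireGuard: a length-prefixed framer plus a decoder that reassembles datagrams from a TCP byte stream delivered in arbitrary chunks. The sample packets are constructed, and the 2-byte network-order header and the 65535 limit are this example's own choices.

```python
import struct
from typing import List

# Constructed sample datagrams standing in for WireGuard UDP packets (not real
# WireGuard messages); sizes 32, 148 and 0 bytes exercise the empty-datagram case too.
SAMPLE_PACKETS: List[bytes] = [b"\x04" + b"\x00" * 3 + b"A" * 28, b"\x01" + b"\x00" * 3 + b"B" * 144, b""]

MAX_FRAME = 65535  # largest value a 2-byte header carries; no UDP payload exceeds it


def encode_frame(packet: bytes) -> bytes:
    """Prefix one datagram with its length as a 2-byte network-order (big-endian) word."""
    if len(packet) > MAX_FRAME:
        raise ValueError("packet too large for a 2-byte length header")
    return struct.pack("!H", len(packet)) + packet


class FrameDecoder:
    """Reassembles datagrams from a TCP byte stream that arrives in arbitrary chunks.
    TCP keeps no packet boundaries: a chunk may hold half a frame or several frames,
    so leftover bytes are carried across calls to feed()."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf += chunk
        packets = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack_from("!H", self.buf, 0)
            if len(self.buf) < 2 + length:
                break  # header seen, payload incomplete: wait for more bytes
            packets.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return packets


def misread_length(header: bytes) -> int:
    """What a receiver that ignores byte order (reads little-endian) makes of the header."""
    return struct.unpack("<H", header)[0]


def roundtrip(packets: List[bytes], chunk_size: int) -> List[bytes]:
    """Frame packets, join them into one stream, deliver it in chunk_size pieces, decode."""
    stream = b"".join(encode_frame(p) for p in packets)
    decoder, out = FrameDecoder(), []
    for i in range(0, len(stream), chunk_size):
        out.extend(decoder.feed(stream[i:i + chunk_size]))
    return out
```

A little-endian reader of the same header takes a 3-byte packet for a 768-byte one and then waits for bytes that never come, which is the byte-ordering trap Matthias mentions.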