mesh VPN with wireguard?

mesh VPN with wireguard?

[Tomasz Chmielewski]

Does Wireguard allow to set up mesh VPN with "relative ease"?

Say, we have 10 servers with public IPs, we want them all to create a 
VPN network with private subnet 10.11.12.0/24, and have all 10 servers 
communicate directly with each other.
Then a year later, expand it to 100 servers.

Something in the line of: https://www.tinc-vpn.org/


Tomasz Chmielewski
https://lxadm.com
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: mesh VPN with wireguard?

[Roman Mamedov]

On Thu, 28 Mar 2019 23:22:45 +0900
Tomasz Chmielewski <mangoo@wpkg.org> wrote:

> Does Wireguard allow to set up mesh VPN with "relative ease"?
> 
> Say, we have 10 servers with public IPs, we want them all to create a 
> VPN network with private subnet 10.11.12.0/24, and have all 10 servers 
> communicate directly with each other.
> Then a year later, expand it to 100 servers.

Sure.

But note that in this case unlike Tinc you cannot have some servers exit to
the outside world via some other servers (with AllowedIP 0.0.0.0/0). There has
to be just one such exit point per a WG network.

If it's purely for communication between servers, then of course no issue.

> Something in the line of: https://www.tinc-vpn.org/

Another limitation compared to Tinc is that Tinc will autoheal the partially
disconnected mesh and will have some nodes forwarding for the others, in case
direct communication between some of them gets cut (e.g. due to a peering or
routing issue on the underlying Internet -- this saved me a few times).

WG will do no such thing, and node-to-node communication working will depend
on both nodes always having direct connectivity to each other.

-- 
With respect,
Roman
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: mesh VPN with wireguard?

[StarBrilliant]

Hi Tomasz,

You might want to try my VWGen project:
https://github.com/m13253/VxWireguard-Generator
The program can generate configuration files for your network and run
VXLAN over Wireguard mesh.

Best regards,
StarBrilliant


On Sat, Apr 6, 2019 at 7:54 PM Tomasz Chmielewski <mangoo@wpkg.org> wrote:
>
> Does Wireguard allow to set up mesh VPN with "relative ease"?
>
> Say, we have 10 servers with public IPs, we want them all to create a
> VPN network with private subnet 10.11.12.0/24, and have all 10 servers
> communicate directly with each other.
> Then a year later, expand it to 100 servers.
>
> Something in the line of: https://www.tinc-vpn.org/
>
>
> Tomasz Chmielewski
> https://lxadm.com
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: mesh VPN with wireguard?

[Vincent Wiemann]

No, it's not easy to create a mesh with WireGuard (if you're referring to real
mesh networks using e.g. Babel).
It's complicated, because in a mesh you don't want to manually assign IP addresses
to the mesh nodes and configure corresponding WireGuard peers.
When roaming comes into play, it becomes even more cumbersome,
as WireGuard has its own routing layer and thus the same subnet can't be assigned to all nodes.
One needs to use a broker script which creates a separate WireGuard interface/instance
for every mesh node automatically so that e.g. Babel can route according to interfaces.
As I don't like this approach and we need it for our mesh network,
I'm working on a layer 2 version of WireGuard.

Regards,

Vincent Wiemann

On 06.04.2019 15:01, Roman Mamedov wrote:
> On Thu, 28 Mar 2019 23:22:45 +0900
> Tomasz Chmielewski <mangoo@wpkg.org> wrote:
> 
>> Does Wireguard allow to set up mesh VPN with "relative ease"?
>>
>> Say, we have 10 servers with public IPs, we want them all to create a 
>> VPN network with private subnet 10.11.12.0/24, and have all 10 servers 
>> communicate directly with each other.
>> Then a year later, expand it to 100 servers.
> 
> Sure.
> 
> But note that in this case unlike Tinc you cannot have some servers exit to
> the outside world via some other servers (with AllowedIP 0.0.0.0/0). There has
> to be just one such exit point per a WG network.
> 
> If it's purely for communication between servers, then of course no issue.
> 
>> Something in the line of: https://www.tinc-vpn.org/
> 
> Another limitation compared to Tinc is that Tinc will autoheal the partially
> disconnected mesh and will have some nodes forwarding for the others, in case
> direct communication between some of them gets cut (e.g. due to a peering or
> routing issue on the underlying Internet -- this saved me a few times).
> 
> WG will do no such thing, and node-to-node communication working will depend
> on both nodes always having direct connectivity to each other.
> 
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard