* [wireguard-dev] About configuring allowedip
From: Nicolas Prochazka
Date: 2017-02-23 13:03 UTC
To: WireGuard mailing list

Hello, I'm trying to do this with WireGuard, without success:

    peer1 ---> peer2 : config ok, works
    peer3 ---> peer1 : config ok, works
    peer3 ---> peer1 ---> peer2 : not ok

I suspect the allowed-ip configuration, but all my tests do not work.
Perhaps I must create two WireGuard interfaces on peer 1 and do forwarding/routing?
I'm using IPv6 as the internal IP.

So my questions are:
- two interfaces?
- a specific magic allowedip?
  (allowed ip is confusing for me: is it used for routing and for evicting packets?)

Regards,
Nicolas
* Re: [wireguard-dev] About configuring allowedip
From: Dan Lüdtke
Date: 2017-02-23 13:41 UTC
To: Nicolas Prochazka; Cc: WireGuard mailing list

Nicolas: Could you provide the configuration files? Because from your little graphic or schema I cannot even derive what you are configuring. I guess there are some overlapping prefixes, maybe?

Jason: I think we are approaching the point in time when there will be a -dev and a -users ML :)
* Re: [wireguard-dev] About configuring allowedip
From: Nicolas Prochazka
Date: 2017-02-24 10:41 UTC
To: Dan Lüdtke; Cc: WireGuard mailing list

Hello again,
my configuration:

    ping peer1 --> peer2 : ok (on IPv6, wg0)
    ping peer3 --> peer1 : ok
    ping peer3 --> peer1 --> peer2 : not ok

On peer 1, forwarding is set:

    net.ipv6.conf.all.forwarding = 1
    net.ipv4.conf.all.forwarding = 1

Peer 1: wg configuration

    interface: wg0
      public key: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
      private key: (hidden)
      listening port: 6081

    peer: dOXT9AvlEt9KSl3ricE12GuVa+U4XB0s1c92s8W+9VA=
      endpoint: 52.49.x.x:6081
      allowed ips: ::/0
      latest handshake: 8 seconds ago
      transfer: 71.29 KiB received, 60.28 KiB sent
      persistent keepalive: every 25 seconds

    peer: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/WL75dasmTE/ko=
      endpoint: 10.10.0.69:6081
      allowed ips: fd00::baae:edff:fe72:5094/128
      latest handshake: 45 seconds ago
      transfer: 5.49 KiB received, 6.36 KiB sent

Peer 3:

    interface: wg0
      public key: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/WL75dasmTE/ko=
      private key: (hidden)
      listening port: 6081

    peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
      endpoint: 10.10.99.230:6081
      allowed ips: ::/0
      latest handshake: 33 seconds ago
      transfer: 4.92 KiB received, 7.55 KiB sent
      persistent keepalive: every 25 seconds

Peer 2:

    interface: wg0
      public key: dOXT9AvlEt9KSl3ricE12GuVa+U4XB0s1c92s8W+9VA=
      private key: (hidden)
      listening port: 6081

    peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
      endpoint: 77.156.x.x:58943
      allowed ips: fd00::eea8:6bff:fef9:23bc/128
      latest handshake: 1 minute, 43 seconds ago
      transfer: 52.59 KiB received, 79.01 KiB sent

2017-02-23 14:41 GMT+01:00 Dan Lüdtke <mail@danrl.com>:
> Nicolas: Could you provide the configuration files?
* Re: [wireguard-dev] About configuring allowedip
From: Dan Lüdtke
Date: 2017-02-24 13:10 UTC
To: Nicolas Prochazka; Cc: WireGuard mailing list

Nicolas,

I drew your network including the allowed_ips restrictions.

> ping peer3 --peer1--->peer2 : not ok .

This cannot work! Peer 2 does not accept the source address from Peer 3. Please review your allowed_ips settings. Draw the things on paper, make Post-it notes representing the packets including their destination address and source address. Draw a little "firewall" on the tunnels (the whitelist is allowed_ips, all the rest gets dropped!) and see if the Post-it can make it through with its source address. Yes, this sounds like child's play, but it works. I have taught complex firewalling and VPN setups to lawyers and lawmakers this way. It helps understanding, if a simple diagram does not cut it.

Allowed IPs is probably the most complex thing WireGuard has to offer from a user perspective. Rename it to "Allowed Source Addresses" in your head and it becomes clearer.

HTH

Dan
* Re: [wireguard-dev] About configuring allowedip
From: Nicolas Prochazka
Date: 2017-02-24 15:06 UTC
To: Dan Lüdtke; Cc: WireGuard mailing list

OK, thanks. What is confusing me is that allowed ip is for:
- authorized source packets
- routing outgoing packets
and we can set allowedips with a lot of ip/netmask.

Regards,
Nicolas

2017-02-24 14:10 GMT+01:00 Dan Lüdtke <mail@danrl.com>:
> This cannot work! Peer 2 does not accept the source address from Peer 3.
> Please review your allowed_ips settings.
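The two jobs Nicolas lists (source-address filter on the way in, routing table on the way out) are the same table, and Dan's diagnosis of why peer3 -> peer1 -> peer2 fails can be checked mechanically. The following simulation is an added example, not code from this thread or from the WireGuard project. It builds the three peers from the `wg` output Nicolas posted (public keys and the two fd00:: addresses are his; peer 2's own wg0 address is not in the thread, so fd00::2 is assumed), walks a packet hop by hop, and then applies the fix Dan's explanation implies: peer 2 must list peer 3's address under peer 1's AllowedIPs. The class and function names (`CryptokeyRouter`, `deliver`, `build_thread_topology`) are invented for the example. Forwarding on the relay is assumed enabled, as the sysctl output for peer 1 shows.

```python
"""Cryptokey-routing simulation of the three-peer WireGuard setup in this thread.

Added example, not code from the thread or the WireGuard project.  One
AllowedIPs list does two jobs on a WireGuard interface:
  * outgoing: the destination is matched (longest prefix wins) against every
    peer's AllowedIPs to pick the peer that receives the packet;
  * incoming: after decryption, the source must lie inside the AllowedIPs of
    the peer whose key decrypted it, otherwise the packet is dropped.
Keys and fd00:: addresses are from the posted `wg` output; peer 2's own
address is not in the thread and fd00::2 is assumed.
"""
import ipaddress

PEER1 = "q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4="
PEER2 = "dOXT9AvlEt9KSl3ricE12GuVa+U4XB0s1c92s8W+9VA="
PEER3 = "bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/WL75dasmTE/ko="

ADDR1 = "fd00::eea8:6bff:fef9:23bc"   # peer 1 (from peer 2's allowed ips)
ADDR2 = "fd00::2"                      # peer 2: ASSUMED, not in the thread
ADDR3 = "fd00::baae:edff:fe72:5094"   # peer 3 (from peer 1's allowed ips)


class CryptokeyRouter:
    """One interface's AllowedIPs table: peer public key -> list of networks."""

    def __init__(self, name):
        self.name = name
        self.peers = {}

    def add_peer(self, pubkey, *allowed):
        nets = [ipaddress.ip_network(a) for a in allowed]
        # WireGuard maps each prefix to exactly one peer: giving a prefix to a
        # second peer silently takes it away from the first.
        for other in self.peers.values():
            other[:] = [n for n in other if n not in nets]
        self.peers[pubkey] = nets

    def select_peer(self, dst):
        """Outgoing direction: longest-prefix match on the destination."""
        dst = ipaddress.ip_address(dst)
        best_key, best_len = None, -1
        for key, nets in self.peers.items():
            for net in nets:
                if dst in net and net.prefixlen > best_len:
                    best_key, best_len = key, net.prefixlen
        return best_key

    def accept_inbound(self, from_peer, src):
        """Incoming direction: source must be inside from_peer's AllowedIPs."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers.get(from_peer, []))


def build_thread_topology(fixed=False):
    """pubkey -> (router, own wg0 address), as posted; fixed=True adds peer 3's
    address to peer 1's AllowedIPs on peer 2 (the change Dan's reply implies)."""
    p1 = CryptokeyRouter("peer1")
    p1.add_peer(PEER2, "::/0")
    p1.add_peer(PEER3, ADDR3 + "/128")
    p2 = CryptokeyRouter("peer2")
    p2.add_peer(PEER1, ADDR1 + "/128", *([ADDR3 + "/128"] if fixed else []))
    p3 = CryptokeyRouter("peer3")
    p3.add_peer(PEER1, "::/0")
    return {PEER1: (p1, ADDR1), PEER2: (p2, ADDR2), PEER3: (p3, ADDR3)}


def deliver(nodes, start, src, dst, max_hops=8):
    """Walk one packet from `start` hop by hop; relays are assumed to forward.
    Returns (delivered, log)."""
    log, cur = [], start
    for _ in range(max_hops):
        router, own = nodes[cur]
        if ipaddress.ip_address(own) == ipaddress.ip_address(dst):
            log.append(f"{router.name}: delivered")
            return True, log
        nxt = router.select_peer(dst)          # routing job
        if nxt is None:
            log.append(f"{router.name}: no peer has {dst} in AllowedIPs, dropped")
            return False, log
        nrouter, _ = nodes[nxt]
        if not nrouter.accept_inbound(cur, src):  # source-filter job
            log.append(f"{nrouter.name}: source {src} not in AllowedIPs for "
                       f"{router.name}, dropped")
            return False, log
        log.append(f"{router.name} -> {nrouter.name}: accepted")
        cur = nxt
    log.append("hop limit exceeded")
    return False, log


if __name__ == "__main__":
    for label, nodes in (("as posted", build_thread_topology()),
                         ("fixed", build_thread_topology(fixed=True))):
        for start, src, dst in ((PEER1, ADDR1, ADDR2), (PEER3, ADDR3, ADDR1),
                                (PEER3, ADDR3, ADDR2), (PEER2, ADDR2, ADDR3)):
            ok, log = deliver(nodes, start, src, dst)
            print(f"[{label}] {src} -> {dst}: {'ok' if ok else 'DROP'}; " + "; ".join(log))
```

Run as posted, the peer3 -> peer2 packet is accepted by peer 1 (source matches the /128 for peer 3), forwarded to peer 2 via the ::/0 entry, and dropped by peer 2 because its only entry for peer 1 is fd00::eea8:6bff:fef9:23bc/128. The reply direction fails independently: peer 2 has no entry covering peer 3's address, so it has no peer to send to. One change covers both directions, on peer 2: `wg set wg0 peer q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4= allowed-ips fd00::eea8:6bff:fef9:23bc/128,fd00::baae:edff:fe72:5094/128` (allowed-ips replaces the whole list, so the existing /128 is repeated). Peer 2 could instead use ::/0 as peer 3 does, but that routes all of peer 2's traffic into the tunnel; explicit /128 or a narrow fd00 prefix is the least-privilege choice. The simulation also shows longest-prefix matching on peer 1: a reply to peer 3 goes to the /128 peer, not to the ::/0 peer.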
* Re: [wireguard-dev] About configuring allowedip
From: Baptiste Jonglez
Date: 2017-02-23 21:16 UTC
To: Nicolas Prochazka; Cc: WireGuard mailing list

On Thu, Feb 23, 2017 at 02:03:37PM +0100, Nicolas Prochazka wrote:
> Hello, I'm trying to do this with WireGuard, without success:
>
> peer1 ---> peer2 : config ok, works
> peer3 ---> peer1 : config ok, works
> peer3 ---> peer1 ---> peer2 : not ok
>
> I suspect the allowed-ip configuration, but all my tests do not work.
> Perhaps I must create two WireGuard interfaces on peer 1 and do
> forwarding/routing?
> I'm using IPv6 as the internal IP.

It should work with a single interface for both peers, but you need to activate forwarding in the kernel:

    # sysctl net.ipv6.conf.default.forwarding=1

> So my questions are:
> - two interfaces?
> - a specific magic allowedip?
>   (allowed ip is confusing for me: is it used for routing and for evicting
>   packets?)
>
> Regards,
> Nicolas