* Question about origin of packet relative to peer
@ 2020-05-27 9:01 nicolas prochazka
From: nicolas prochazka @ 2020-05-27 9:01 UTC (permalink / raw)
To: WireGuard mailing list
Hello,
Using one WireGuard interface with multiple peers,
how can I know that a packet comes from peer X?
Is it possible to mark packets not at interface level (wg0) but at peer level?
I can dump packets at wg0 but I lose the peer origin.
Thanks,
Nicolas
interface: wg0
  public key: A
  private key: (hidden)
  listening port: 6081

peer: B
  preshared key: (hidden)
  endpoint: ipb
  allowed ips:
  latest handshake: 1 minute, 27 seconds ago
  transfer: 1.61 MiB received, 6.20 MiB sent
  persistent keepalive: every 25 seconds

peer: C
  preshared key: (hidden)
  endpoint: ipc
  allowed ips:
  latest handshake: 1 minute, 38 seconds ago
  transfer: 24.75 KiB received, 309.71 KiB sent
  persistent keepalive: every 25 seconds
* Re: Question about origin of packet relative to peer
@ 2020-05-27 11:46 ` Arti Zirk
From: Arti Zirk @ 2020-05-27 11:46 UTC (permalink / raw)
To: nicolas prochazka, WireGuard mailing list
On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> How can I know that a packet comes from peer X?
You can check which peer's allowed IPs list covers the received packet's
source IP.
> Is it possible to mark packets not at interface level (wg0) but at peer
> level?
It's probably possible to generate iptables rules from the peers' allowed IPs
lists that mark packets with different ids.
* Re: Question about origin of packet relative to peer
@ 2020-05-27 19:41 ` nicolas prochazka
From: nicolas prochazka @ 2020-05-27 19:41 UTC (permalink / raw)
To: Arti Zirk; +Cc: WireGuard mailing list
Yes, I can mark the WireGuard packets by allowed IPs, but I cannot attach
them to the associated peer. In my configuration, an IP from WireGuard
(allowed IP) can come from different peers (because I'm using different
masks for allowed IPs and multiple tunnels).
My issue is that a packet can be used by a peer and come back via another
one (the packet is routed by allowed-ips, not by its peer entry).
Example:
On server side S1:
Peer A (client peer)
  allowedips 192.168.1.0/24
Peer B (another "wireguard server" S2)
  allowedIps 192.168.1.100/32
On client side, allowedIp is set to s2 and if s2 is down, set to s1:
peer s1 ==> server S1
peer s2 ==> server S2 ==> server S1
Of course it does not work, packet routing does not work:
client ==> S2 ==> S1 (peer A) ==> then the response is routed to peer (B)
Regards,
Nicolas
On Wed, 27 May 2020 at 13:46, Arti Zirk <arti.zirk@gmail.com> wrote:
>
> On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > How can I know that a packet comes from peer X?
> You can check which peer's allowed IPs list covers the received packet's
> source IP.
>
> > Is it possible to mark packets not at interface level (wg0) but at peer
> > level?
> It's probably possible to generate iptables rules from the peers' allowed IPs
> lists that mark packets with different ids.
>
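Arti's suggestion, worked through as an added example that is not code from the thread or from the WireGuard project: a POSIX shell function that reads text in the format of `wg show wg0 allowed-ips` and emits iptables mark rules, most specific prefix first. The chain name WG_PEERMARK, the fwmark-equals-peer-index convention and the placeholder keys in the constructed sample are assumptions; the sample reproduces the S1 topology in Nicolas's example (peer A 192.168.1.0/24, peer B 192.168.1.100/32), and because WireGuard's cryptokey routing only accepts a decrypted packet whose source address maps by longest prefix to the peer that sent it, a packet seen on wg0 with source 192.168.1.100 can only have arrived via peer B, which the longest-prefix-first rule order preserves.

```shell
#!/bin/sh
# Added example (not from the thread or the WireGuard project): turn the
# per-peer allowed-ips table into fwmark rules so a decrypted packet on wg0
# can be attributed to the peer whose allowed-ips cover its source address.
# Input format is that of `wg show <iface> allowed-ips`, one line per peer:
#   <peer public key><TAB><cidr> <cidr> ...   (or "(none)")
# awk's default field splitting accepts the real tab as well as spaces.

# Constructed sample modelled on the thread's S1 topology: peer A owns
# 192.168.1.0/24, peer B (the second server) owns 192.168.1.100/32.
# The key fields are placeholders, not real WireGuard public keys.
SAMPLE_ALLOWED_IPS='PEER_A_KEY_PLACEHOLDER=  192.168.1.0/24
PEER_B_KEY_PLACEHOLDER=  192.168.1.100/32 10.0.0.0/24'

# mark_rules <iface> <allowed-ips text>
# Prints iptables commands for a dedicated mangle chain WG_PEERMARK.
# Peer N (1-based line order in the input) gets fwmark N. Rules are
# emitted most-specific prefix first, each MARK followed by a RETURN,
# because MARK is non-terminating and a later /24 rule would otherwise
# overwrite the mark set by a /32 rule. This mirrors the longest-prefix
# match WireGuard's cryptokey routing applies to the packet's source.
mark_rules() {
    iface=$1
    printf '%s\n' "$2" |
    awk '{ for (i = 2; i <= NF; i++) if ($i != "(none)") {
               split($i, a, "/"); print a[2], $i, NR } }' |
    sort -k1,1nr -k3,3n |
    awk -v iface="$iface" '
        BEGIN { print "iptables -t mangle -N WG_PEERMARK" }
        { printf "iptables -t mangle -A WG_PEERMARK -s %s -j MARK --set-mark %d\n", $2, $3
          printf "iptables -t mangle -A WG_PEERMARK -s %s -j RETURN\n", $2 }
        END { print "iptables -t mangle -A PREROUTING -i " iface " -j WG_PEERMARK" }'
}

mark_rules wg0 "$SAMPLE_ALLOWED_IPS"
```

On a live host the same function can be fed with `mark_rules wg0 "$(wg show wg0 allowed-ips)"`, and the resulting fwmark is what a later `ip rule` or a packet capture filter can key on to tell peers apart.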
Thread overview: 4+ messages
2020-05-27 9:01 Question about origin of packet relative to peer nicolas prochazka
2020-05-27 11:46 ` Arti Zirk
2020-05-27 19:41 ` nicolas prochazka
[not found] ` <CAJJxGdGqNc3hASvSmQ9VA_cYOS-fcH+nEooLE5eY2z4P=ubCeQ@mail.gmail.com>
[not found] ` <CAJJxGdGjKm9Qq-wqUwuVYQyHWc2qSzu=tcUY6VbFhnsvKp3AjA@mail.gmail.com>
2020-05-27 22:11 ` Fwd: " David Kerr