From: Jan De Landtsheer
Date: Thu, 10 Aug 2017 09:13:46 +0000
Subject: FR: interface ListenAddress (Aka:Multihomed server issue)
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Jason,

To elaborate on https://lists.zx2c4.com/pipermail/wireguard/2017-August/001598.html, there is something that can be clarified …

I have a multihomed server (our router for everything) attached to a core switch with vlans, and the router runs openvswitch (but that’s beside the point).

We run a bunch of wg peers, interconnected to each other (30 or so), but most connect directly to our router.

The router has an Uplink interface with a /30 and I use that interface solely to forward packets to our (bgp routed) default gw (Provider).

On the same router, I have a Public Interface, also with a public IP (/24) and have on the router itself some IP addresses used for DNAT, and here specifically one for Wireguard. (so NOT the Uplink IP address)

When wireguard clients connect, their config shows their peer to be the Uplink IP address instead of the IP on the Public interface that was specifically assigned for wireguard (wgsrv), and as such packets sent to the Uplink IP address were dropped by the firewall.

You might say: open up the port for wireguard on the Uplink and off you go. Which I did, to solve my immediate problem. (still find it ugly)

But now we’re getting a second provider in da house, that will be connected the same way as the other, with that link being Uplink2. So now I *really* need my bgp routed Public IP address to be the sole one answering wireguard IP packets, so that I can be sure that if one of my bgp peers dies, the same Public ip address is used by the clients, not the one wireguard deduces from the subnet with the default route.

Now, wireguard will use the incoming UplinkX ip as source and advertise it to the clients connected through either one that has the same metric and routing policy.

Voila… in a nutshell ;-)

Jan
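The mismatch Jan describes is modelled below with a plain UDP echo on loopback: a socket bound to all addresses answers from whatever source a route lookup toward the client picks, not from the address the client sent to, so a stateful firewall that only allows the dedicated address never sees a matching reply. This is an added example, not code from the WireGuard project or from the mail; it shows the requested fix (binding to the dedicated address, what a ListenAddress option would do) and, going one step beyond the mail, a third mode that pins the reply to the arrival address with IP_PKTINFO. The loopback addresses and the numeric IP_PKTINFO fallback are Linux-specific assumptions.

```python
import socket
import struct
import threading

# Constructed addresses: Linux puts all of 127.0.0.0/8 on lo, so 127.0.0.2 stands in
# for the router's dedicated "Public" WireGuard address and 127.0.0.1 for the "Uplink".
PUBLIC_ADDR = "127.0.0.2"
CLIENT_ADDR = "127.0.0.1"
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # 8 is the Linux value (assumption)


def _serve_one(mode: str, ready: threading.Event, port_box: list) -> None:
    """Answer one datagram; `mode` decides how the reply's source address is chosen."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if mode == "pktinfo":  # ask the kernel which local address the datagram arrived on
        srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind((PUBLIC_ADDR if mode == "bound" else "0.0.0.0", 0))
    port_box.append(srv.getsockname()[1])
    ready.set()
    if mode == "pktinfo":
        data, anc, _, peer = srv.recvmsg(64, socket.CMSG_SPACE(12))
        _, _, arrived_at = struct.unpack("i4s4s", anc[0][2])  # in_pktinfo.ipi_addr
        cmsg = struct.pack("i4s4s", 0, arrived_at, b"\0" * 4)  # ipi_spec_dst = source
        srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, cmsg)], 0, peer)
    else:
        data, peer = srv.recvfrom(64)
        srv.sendto(data, peer)  # "any": the kernel picks the source by route lookup
    srv.close()


def reply_source(mode: str) -> str:
    """Send one datagram to PUBLIC_ADDR and return the source address of the reply."""
    ready, port_box = threading.Event(), []
    t = threading.Thread(target=_serve_one, args=(mode, ready, port_box))
    t.start()
    ready.wait()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind((CLIENT_ADDR, 0))
    cli.settimeout(5)
    cli.sendto(b"handshake", (PUBLIC_ADDR, port_box[0]))
    _, (src, _) = cli.recvfrom(64)
    cli.close()
    t.join()
    return src


if __name__ == "__main__":
    for mode in ("any", "bound", "pktinfo"):
        src = reply_source(mode)
        print(f"{mode:8s} reply from {src}", "ok" if src == PUBLIC_ADDR else "MISMATCH")
```

Only the "any" mode reproduces the problem: its reply comes from 127.0.0.1 although the client sent to 127.0.0.2, which is the same effect as WireGuard answering from the Uplink address.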