Development discussion of WireGuard
* Enhance the "AllowedIPs"
@ 2021-03-15  7:57 Feng Li
  2021-03-15 13:31 ` Lonnie Abelbeck
  2021-03-16 11:33 ` Chris
  0 siblings, 2 replies; 5+ messages in thread
From: Feng Li @ 2021-03-15  7:57 UTC (permalink / raw)
  To: WireGuard mailing list

Hi,

As we know, the AllowedIPs will set the route table. However, if we
want to set a CIDR but exclude some CIDR range, it's not so easy
out of the box. For example, if I want to route all my traffic
except 192.168.0.0/16, I have to calculate the difference of the two
CIDRs:

AllowedIPs =
0.0.0.0/1 + 128.0.0.0/1 - 192.168.0.0/16
=
0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/2,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3,10.99.0.0/24

Is it possible for this to be built into WireGuard in the future? I think it's very useful.

The discussion link is here:
https://www.reddit.com/r/WireGuard/comments/m44fi5/enhance_the_allowedips/

Thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Enhance the "AllowedIPs"
  2021-03-15  7:57 Enhance the "AllowedIPs" Feng Li
@ 2021-03-15 13:31 ` Lonnie Abelbeck
  2021-03-15 14:57   ` Aaron Jones
  2021-03-16 11:33 ` Chris
  1 sibling, 1 reply; 5+ messages in thread
From: Lonnie Abelbeck @ 2021-03-15 13:31 UTC (permalink / raw)
  To: Feng Li; +Cc: WireGuard mailing list


> On Mar 15, 2021, at 2:57 AM, Feng Li <lifeng1519@gmail.com> wrote:
> 
> As we know, the AllowedIPs will set the route table. However, if we
> want to set a CIDR but exclude some CIDR range, it's not so easy
> out of the box. For example, if I want to route all my traffic
> except 192.168.0.0/16, I have to calculate the difference of the two
> CIDRs:
> 
> AllowedIPs =
> 0.0.0.0/1 + 128.0.0.0/1 - 192.168.0.0/16
> =
> 0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/2,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3,10.99.0.0/24

For giggles, I thought this might be a clever solution:
--
[Peer]
PublicKey = <remote PublicKey>
Endpoint = remote-vpn:51820
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
PublicKey = <local PublicKey>
Endpoint = 127.0.0.1:51820
AllowedIPs = 192.168.0.0/16
--

I tested, but wg silently ignores peers to itself.

Lonnie




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Enhance the "AllowedIPs"
  2021-03-15 13:31 ` Lonnie Abelbeck
@ 2021-03-15 14:57   ` Aaron Jones
  0 siblings, 0 replies; 5+ messages in thread
From: Aaron Jones @ 2021-03-15 14:57 UTC (permalink / raw)
  To: wireguard


On 15/03/2021 13:31, Lonnie Abelbeck wrote:
> For giggles, I thought this might be a clever solution:
> --
> [Peer]
> PublicKey = <remote PublicKey>
> Endpoint = remote-vpn:51820
> AllowedIPs = 0.0.0.0/0, ::/0
> 
> [Peer]
> PublicKey = <local PublicKey>
> Endpoint = 127.0.0.1:51820
> AllowedIPs = 192.168.0.0/16
> --
> 
> I tested, but wg silently ignores peers to itself.
> Lonnie

Indeed; but nothing prevents you from terminating it with a different
local WireGuard interface with a different private key.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Enhance the "AllowedIPs"
  2021-03-15  7:57 Enhance the "AllowedIPs" Feng Li
  2021-03-15 13:31 ` Lonnie Abelbeck
@ 2021-03-16 11:33 ` Chris
  2021-03-17  5:30   ` Feng Li
  1 sibling, 1 reply; 5+ messages in thread
From: Chris @ 2021-03-16 11:33 UTC (permalink / raw)
  To: wireguard

Just in case:
I guess you have already thought about using the post script to add a separate 
route to 192.160.0.0/16 using the original path with a lower metric.

On 15/03/2021 08:57, Feng Li wrote:
> Hi,
>
> As we know, the AllowedIPs will set the route table. However, if we
> want to set a CIDR but exclude some CIDR range, it's not so easy
> out of the box. For example, if I want to route all my traffic
> except 192.168.0.0/16, I have to calculate the difference of the two
> CIDRs:
>
> AllowedIPs =
> 0.0.0.0/1 + 128.0.0.0/1 - 192.168.0.0/16
> =
> 0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/2,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3,10.99.0.0/24
>
> Is it possible for this to be built into WireGuard in the future? I think it's very useful.
>
> The discussion link is here:
> https://www.reddit.com/r/WireGuard/comments/m44fi5/enhance_the_allowedips/
>
> Thanks.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Enhance the "AllowedIPs"
  2021-03-16 11:33 ` Chris
@ 2021-03-17  5:30   ` Feng Li
  0 siblings, 0 replies; 5+ messages in thread
From: Feng Li @ 2021-03-17  5:30 UTC (permalink / raw)
  To: Chris; +Cc: WireGuard mailing list

Thanks.

Adding a route is simple on Linux, but it's not simple for other
platforms, like Windows.
So changing the AllowedIPs is the best option.

On Tue, Mar 16, 2021 at 7:40 PM Chris <wireguard@spam-free.eu> wrote:
>
> Just in case:
> I guess you have already thought about using the post script to add a separate
> route to 192.160.0.0/16 using the original path with a lower metric.
>
> On 15/03/2021 08:57, Feng Li wrote:
> > Hi,
> >
> > As we know, the AllowedIPs will set the route table. However, if we
> > want to set a CIDR but exclude some CIDR range, it's not so easy
> > out of the box. For example, if I want to route all my traffic
> > except 192.168.0.0/16, I have to calculate the difference of the two
> > CIDRs:
> >
> > AllowedIPs =
> > 0.0.0.0/1 + 128.0.0.0/1 - 192.168.0.0/16
> > =
> > 0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/2,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3,10.99.0.0/24
> >
> > Is it possible for this to be built into WireGuard in the future? I think it's very useful.
> >
> > The discussion link is here:
> > https://www.reddit.com/r/WireGuard/comments/m44fi5/enhance_the_allowedips/
> >
> > Thanks.
>

^ permalink raw reply	[flat|nested] 5+ messages in thread
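
Added example, not part of any message in the thread: the CIDR subtraction asked for above, done with Python's standard ipaddress module and generalised to several included and excluded ranges, IPv4 and IPv6. The names subtract, allowed_ips_line, EXACT, POSTED and GAP are chosen here for illustration; POSTED is the list as it appears in the first message.

```python
import ipaddress

def subtract(include, exclude):
    """Return collapsed CIDR blocks covering `include` minus `exclude`."""
    remaining = [ipaddress.ip_network(str(n)) for n in include]
    for ex in (ipaddress.ip_network(str(n)) for n in exclude):
        kept = []
        for net in remaining:
            if net.version != ex.version or not net.overlaps(ex):
                kept.append(net)                      # disjoint: keep whole block
            elif net.subnet_of(ex):
                continue                              # entirely excluded: drop
            else:
                kept.extend(net.address_exclude(ex))  # ex strictly inside net: split
        remaining = kept
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed IPv4/IPv6 input
        out += ipaddress.collapse_addresses(n for n in remaining if n.version == version)
    return out

def allowed_ips_line(include, exclude):
    """Format the result as an AllowedIPs config line."""
    return "AllowedIPs = " + ", ".join(str(n) for n in subtract(include, exclude))

# The case from the thread: all traffic except 192.168.0.0/16.
EXACT = subtract(["0.0.0.0/1", "128.0.0.0/1"], ["192.168.0.0/16"])

# The list as posted in the first message, copied for comparison.
POSTED = (
    "0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/2,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3,10.99.0.0/24"
).split(",")

# Addresses the exact difference covers but the posted list does not.
GAP = subtract(EXACT, POSTED)

if __name__ == "__main__":
    print(allowed_ips_line(["0.0.0.0/1", "128.0.0.0/1"], ["192.168.0.0/16"]))
    print("not covered by posted list:", ", ".join(str(n) for n in GAP))
```

GAP comes out as 10.0.0.0/8 minus 10.99.0.0/24: the posted list leaves that range out as well, which is the kind of divergence from the stated intent that computing the list avoids.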
