From: Damian Kaczkowski
Date: Fri, 5 May 2017 20:28:33 +0200
Subject: Re: Ability to use one udp port for multiple wg interfaces
To: "Jason A. Donenfeld", WireGuard mailing list

On 2 May 2017 at 21:45, Jason A. Donenfeld wrote:
> On May 2, 2017 19:59, "Damian Kaczkowski" wrote:
>
> On 2 May 2017 at 18:32, Jason A. Donenfeld wrote:
>
>> > 3. Well if one uses firewall to control flows between zones in environment
>> > with mix protocols (eg. gre, ipsec, openvpn and so on) then using second
>> > tool just to control only wireguard ACLs is not very convenient way from
>> > administrative point of view. Also in case where peer is roaming and
>> > changing its source IP (eg. road warrior) then maintaining wireguard ACLs
>> > will be a huge PITA, if not impossible at large scale.
>>
>> No, you are wrong. Allowed-ips controls the IP addresses _within_ the
>> tunnel. Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or
>> similar to match a _precise_ peer.
>
> Ok. Thanks for a tip. However I still think wireguard loses some
> flexibility in that way eg. when peer roams from one network to another
> then its ip address may be unknown.
>
> No, wrong. Roaming regards external IP. Allowed IPs regards internal
> tunnel IPs, which are static.

True. But I still think that the ability to assign multiple interfaces to one udp port would be handy. Eg when one wants to use only specific and limited ports (like eg 53) for wireguard but still wants to have more interfaces at one's disposal. Possible use case: be able to easily assign and group various peers to different interfaces and monitor those interfaces' parameters (exposed eg by the kernel) using monitoring tools capable of collecting various information/data and/or plotting graphs like bandwidth, traffic, and so on. This info could later be used for analysing or debugging.

> Anyway, it is not only about roaming case so if it is not much of a work
> and if it is not a security problem then please consider to allow multiple
> wg interfaces to work on one port. I hope it won't hurt to allow this
> functionality and I am sure it might come handy for some admins in the
> wild. Maybe it could be implemented in pair with the idea of refactoring
> per interface vs per peer private keys? Hope you will consider it at some
> point.
>
> No, you are very mistaken. Please reread the docs on allowed ips keeping
> in mind that these concern internal tunneled ips and are static. Typing to
> you on my phone so can't write more now.

Reading through the docs.

I come to a scenario where I would like to disable the whole allowed-ips thing. A multi-homed scenario where traffic comes out via one peer/interface and comes back via the other one. Wrote about this in another email.

Greets.
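As an added example that is not part of this thread or of WireGuard's own code, a small Python model of the AllowedIPs ("cryptokey routing") check Jason refers to: the inner source IP of a decrypted packet must belong to the peer it arrived from, while the external endpoint is simply learned, which is why roaming does not affect a firewall rule such as "-i wg0 -s 10.0.0.3/32" and why the multi-homed return path via a different peer is refused. Peer names, addresses and endpoints are constructed, and the model ignores the cryptography entirely.

```python
import ipaddress
# Added example (not WireGuard's own code): a model of its "cryptokey routing".
# AllowedIPs are matched on the inner, tunneled IPs, so a rule such as
# "-i wg0 -s 10.0.0.3/32" identifies one peer whatever endpoint it roams from.
class CryptokeyRouter:
    def __init__(self):
        self.peers = {}  # name -> {"allowed": [ip_network], "endpoint": str}

    def add_peer(self, name, allowed_ips, endpoint):
        nets = [ipaddress.ip_network(n) for n in allowed_ips]
        self.peers[name] = {"allowed": nets, "endpoint": endpoint}

    def lookup(self, inner_ip):
        """Longest-prefix match of an inner IP over all peers' AllowedIPs."""
        addr = ipaddress.ip_address(inner_ip)
        best = (None, -1)
        for name, p in self.peers.items():
            for net in p["allowed"]:
                if addr in net and net.prefixlen > best[1]:
                    best = (name, net.prefixlen)
        return best[0]

    def outbound(self, dst_ip):
        """Peer and current endpoint an outgoing inner packet is encrypted to."""
        peer = self.lookup(dst_ip)
        return (peer, self.peers[peer]["endpoint"]) if peer else None

    def inbound(self, peer, inner_src, from_endpoint):
        """Accept a decrypted packet only if its inner source IP belongs to the
        peer it came from; only then is the new external endpoint learned."""
        if self.lookup(inner_src) != peer:
            return False
        self.peers[peer]["endpoint"] = from_endpoint  # roaming update
        return True

def demo():
    # Constructed sample peers (documentation-range addresses, not real hosts).
    r = CryptokeyRouter()
    r.add_peer("laptop", ["10.0.0.3/32"], "203.0.113.10:51820")
    r.add_peer("office", ["10.0.0.2/32", "192.168.50.0/24"], "198.51.100.7:53")
    out = {}
    # Laptop roams to a new external address; its inner IP is unchanged.
    out["roam_ok"] = r.inbound("laptop", "10.0.0.3", "192.0.2.44:40001")
    out["laptop_endpoint"] = r.peers["laptop"]["endpoint"]
    out["owner_10_0_0_3"] = r.lookup("10.0.0.3")  # still "laptop" after roaming
    # Multi-homed return path: 10.0.0.3 arriving via "office" is dropped.
    out["via_other_peer_dropped"] = not r.inbound("office", "10.0.0.3", "198.51.100.7:53")
    out["to_office_lan"] = r.outbound("192.168.50.9")
    return out
```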