From: Damian Kaczkowski
Date: Tue, 2 May 2017 11:56:54 +0200
Subject: Re: Ability to use one udp port for multiple wg interfaces
To: "Jason A. Donenfeld" <Jason@zx2c4.com>, wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Hello Jason.

On 2 May 2017 at 10:55, Jason A. Donenfeld wrote:
> 3. You may have multiple peers on a single wireguard interface. This
> is the configuration that you probably should be using. "It is not
> very friendly to open additional udp ports in multiple peer scenario
> where firewall ACLs are desirable" This is 100% incorrect. With
> multiple peers on an interface and a sufficiently clamped allowed-ips
> entry for each, you'll have perfect firewall ACLs.

3. Well, if one uses a firewall to control flows between zones in an environment with mixed protocols (e.g. GRE, IPsec, OpenVPN and so on), then using a second tool just to control WireGuard ACLs is not a very convenient way from an administrative point of view. Also, in the case where a peer is roaming and changing its source IP (e.g. road warrior), maintaining WireGuard ACLs will be a huge PITA, if not impossible at large scale.

4. Does WireGuard have some means so that iptables can easily differentiate tunnels (peers) and put them in the appropriate 'zone'? Like e.g.

iptables -m policy --help
iptables -m ah --help
iptables -m esp --help

Or something similar?

Regards.
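An added example, not code from WireGuard or from either poster, showing the "sufficiently clamped AllowedIPs" approach from the quoted reply turned into ordinary per-peer iptables zone rules. It relies on one property of WireGuard's cryptokey routing: a decrypted packet is only delivered if its inner source address falls inside the sending peer's AllowedIPs (longest prefix match across all peers), so a netfilter match on the inbound interface plus that prefix identifies the peer regardless of the outer endpoint it is currently roaming from. The wg0.conf text, the keys, the zone names and the key-to-zone mapping are constructed placeholders; WireGuard itself has no notion of zones.

```python
"""Per-peer firewall zoning on a single WireGuard interface.

Added example for this thread, not code from WireGuard or from either
poster. WireGuard's cryptokey routing only delivers a decrypted packet
if its inner source address falls inside the sending peer's AllowedIPs
(longest prefix match across all peers); everything else is dropped
before netfilter sees it. A match on "-i wg0 -s <AllowedIPs prefix>"
therefore identifies the peer independent of its outer endpoint. The
config, keys and zone mapping below are constructed placeholders.
"""
import ipaddress

# Constructed wg0.conf with three peers; the keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = SERVERPRIVKEY=
ListenPort = 51820
Address = 10.8.0.1/24

[Peer]
# laptop of a staff member
PublicKey = ALICEPUBKEY=
AllowedIPs = 10.8.0.2/32

[Peer]
# branch office router carrying a LAN behind it
PublicKey = BRANCHPUBKEY=
AllowedIPs = 10.8.0.3/32, 192.168.50.0/24

[Peer]
# contractor with an unclamped default-route entry
PublicKey = CONTRACTORPUBKEY=
AllowedIPs = 0.0.0.0/0
"""

# Assumed administrative mapping from peer public key to firewall zone;
# WireGuard itself has no notion of zones.
ZONES = {
    "ALICEPUBKEY=": "staff",
    "BRANCHPUBKEY=": "branch",
    "CONTRACTORPUBKEY=": "untrusted",
}


def parse_peers(conf):
    """Return [(public_key, [ip_network, ...]), ...] from wg-quick style text."""
    peers, section, current = [], None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            if section == "Peer":
                peers.append(current)
            section, current = line.strip("[]"), {}
            continue
        key, _, value = line.partition("=")      # split on the first '=' only,
        key, value = key.strip(), value.strip()  # base64 keys end in '='
        if section != "Peer":
            continue
        if key == "PublicKey":
            current["pubkey"] = value
        elif key == "AllowedIPs":
            current.setdefault("allowed", []).extend(
                ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(","))
    if section == "Peer":
        peers.append(current)
    return [(p["pubkey"], p.get("allowed", [])) for p in peers]


def broad_peers(conf, min_prefixlen):
    """Peers whose AllowedIPs are wider than min_prefixlen, i.e. not
    'sufficiently clamped' to serve as a per-peer firewall identifier."""
    return [(pubkey, net.with_prefixlen)
            for pubkey, nets in parse_peers(conf)
            for net in nets if net.prefixlen < min_prefixlen]


def zone_rules(conf, iface, zones):
    """iptables/ip6tables commands steering each peer's traffic arriving
    on `iface` into its zone chain. iptables is first-match, so rules are
    ordered most-specific prefix first; a 0.0.0.0/0 peer becomes the
    final catch-all instead of shadowing narrower peers."""
    entries = []
    for pubkey, nets in parse_peers(conf):
        if pubkey not in zones:
            raise ValueError(f"peer {pubkey} has no zone assigned")
        entries.extend((net, zones[pubkey]) for net in nets)
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)  # stable sort

    cmds = []
    for zone in sorted({z for _, z in entries}):
        cmds += [f"iptables -N ZONE_{zone}", f"ip6tables -N ZONE_{zone}"]
    for net, zone in entries:
        tool = "iptables" if net.version == 4 else "ip6tables"
        cmds.append(f"{tool} -A FORWARD -i {iface} -s {net.with_prefixlen} "
                    f"-j ZONE_{zone}")
    # Defence in depth: cryptokey routing already drops packets whose inner
    # source no peer is allowed to use, so nothing should reach these rules.
    cmds += [f"iptables -A FORWARD -i {iface} -j DROP",
             f"ip6tables -A FORWARD -i {iface} -j DROP"]
    return cmds


if __name__ == "__main__":
    for pubkey, net in broad_peers(SAMPLE_CONF, 24):
        print(f"# warning: {pubkey} AllowedIPs {net} is too broad to zone by -s")
    print("\n".join(zone_rules(SAMPLE_CONF, "wg0", ZONES)))
```

The generated rules key on the inner (tunnel) source address, which is exactly what AllowedIPs pins per peer, so a road-warrior peer changing its outer endpoint does not change its rule. The `broad_peers` check flags entries such as `0.0.0.0/0` that cannot serve as a per-peer identifier; such a peer only works as the last, catch-all rule, which the prefix-length ordering guarantees.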