Development discussion of WireGuard
* Ability to enable catch all allowed-ips on all peers
@ 2017-05-05 18:00 Damian Kaczkowski
From: Damian Kaczkowski @ 2017-05-05 18:00 UTC (permalink / raw)
  To: WireGuard mailing list, Jason A. Donenfeld


Hello Jason.

I would like to enable allowed-ips 0.0.0.0/0 on all peers, because I have a
scenario with multi-homed hosts where I would like to rely on firewall and
routes only instead of additional wireguard acls. Traffic is routed back
and forth via different interfaces, thus I have to know which interface it's
going to come back on and allow remote ips on a few/all interfaces. Currently
wireguard applies catch all 0.0.0.0/0 allowed-ips only on one peer under a wg
interface, which is a no-go in such a scenario.

This I think is also needed if one wants to build some dynamic routing on
top of wireguard connected nodes, isn't it?

Example wg output:

interface: wg2
  public key: <blank>
  private key: (hidden)
  preshared key: (hidden)
  listening port: 51821

peer: <blank>
  endpoint: <blank>
  allowed ips: (none)    <-------------------------------------------
  latest handshake: 34 seconds ago
  transfer: 1.16 KiB received, 736 B sent

peer: <blank>
  endpoint: <blank>
  allowed ips: (none)    <-------------------------------------------
  latest handshake: 34 seconds ago
  transfer: 888 B received, 552 B sent

peer: <blank>
  endpoint: <blank>
  allowed ips: (none)    <-------------------------------------------
  latest handshake: 34 seconds ago
  transfer: 1.16 KiB received, 736 B sent

peer: <blank>
  endpoint: <blank>
  allowed ips: 0.0.0.0/0    <----------------------------------------
  latest handshake: 1 day, 18 hours, 41 minutes, 34 seconds ago
  transfer: 4.30 KiB received, 3.12 KiB sent

Greets.
Damian



* Re: Ability to enable catch all allowed-ips on all peers
From: Jason A. Donenfeld @ 2017-05-11 10:40 UTC (permalink / raw)
  To: Damian Kaczkowski; +Cc: WireGuard mailing list

Hi Damian,

At the moment, you can't give multiple peers the same allowed-ips.
There has been some interesting discussion about doing this to support
broadcast messages -- zing a single message out to several peers
having the same matching allowed-ips entry -- but this is different
than the use case you speak of.

I'm not sure I totally understood what you meant in your description
of your multihomed setup. Could you describe in a bit more detail? The
guarantee of WireGuard is that it gives you a strong binding between a
particular IP address (or several IP addresses) and a particular
public key. Wikipedia has a nice diagram for this --
https://en.wikipedia.org/wiki/Surjective_function#/media/File:Surjection.svg
-- with IP addresses being the Xs on the left and public keys being
the Ys on the right. (I should probably make a similar diagram on the
documentation to describe this concept better.) If you're trying to
set up a network such that this binding is problematic, then in all
likelihood, your design has authenticity/spoofing problems. So maybe
you can describe more generally what you're going for, and then we can
try to see how WireGuard fits into this? It's always interesting to
hear about different network setups, anyhow.

Jason

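The binding Jason describes (every address maps to exactly one public key, so a prefix cannot be shared between peers) and the behaviour Damian observed (0.0.0.0/0 surviving on only the last peer it was given to) are two sides of the same rule. The following is an added toy model of that cryptokey routing table, written here to illustrate the thread; it is not WireGuard's kernel code, and the peer names (`peerA`, `peerB`, ...) and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Union

# Constructed type aliases for readability; the real table is a kernel trie.
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRoutingTable:
    """Toy model of WireGuard's allowed-ips table (added example).

    Each prefix maps to exactly one peer public key, so the mapping from
    addresses to peers is a function: the surjection in Jason's reply.
    Assigning a prefix already owned by another peer moves it, which is
    why only one peer in Damian's `wg` output keeps 0.0.0.0/0 and the
    others show "(none)".
    """

    def __init__(self) -> None:
        self._routes: Dict[Net, str] = {}

    def add_allowed_ip(self, peer_key: str, prefix: str) -> Optional[str]:
        """Attach `prefix` to `peer_key`.

        Returns the previous owner's key when the prefix was taken away
        from a different peer, otherwise None.
        """
        net = ipaddress.ip_network(prefix, strict=False)
        previous = self._routes.get(net)
        self._routes[net] = peer_key
        return previous if previous not in (None, peer_key) else None

    def allowed_ips(self, peer_key: str) -> List[str]:
        """Prefixes currently bound to this peer (empty list == "(none)")."""
        return sorted(str(n) for n, k in self._routes.items() if k == peer_key)

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match: which single peer owns this address?"""
        addr = ipaddress.ip_address(address)
        best: Optional[Net] = None
        for net in self._routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return self._routes[best] if best is not None else None

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Outbound: the destination address selects the peer to encrypt to."""
        return self.lookup(dst)

    def inbound_accepted(self, peer_key: str, src: str) -> bool:
        """Inbound: after decryption under `peer_key`'s session, the inner
        source address must route back to that same peer or the packet is
        dropped. This is the anti-spoofing guarantee Jason refers to."""
        return self.lookup(src) == peer_key


def reproduce_thread_scenario() -> Dict[str, List[str]]:
    """Give four constructed peers 0.0.0.0/0 in turn and report who keeps it."""
    table = CryptokeyRoutingTable()
    for key in ("peerA", "peerB", "peerC", "peerD"):
        table.add_allowed_ip(key, "0.0.0.0/0")
    return {key: table.allowed_ips(key) for key in ("peerA", "peerB", "peerC", "peerD")}


if __name__ == "__main__":
    for peer, prefixes in reproduce_thread_scenario().items():
        print(f"{peer}: allowed ips: {', '.join(prefixes) or '(none)'}")
```

Running the script reproduces the `wg` output from the first message: three peers report "(none)" and only the last one keeps 0.0.0.0/0. The `inbound_accepted` check shows why the rule exists: a packet decrypted under one peer's session whose inner source address belongs to another peer's prefix is discarded, which is the spoofing protection that a shared catch-all would give up.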
