On May 2, 2017 19:59, "Damian Kaczkowski" <damian.kaczkowski@gmail.com> wrote:

On 2 May 2017 at 18:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Hello Janson.

My name is Jason.

Sorry.

> 3. Well if one uses firewall to control flows between zones in environment
> with mix protocols (eg. gre, ipsec, openvpn and so on) then using second
> tool just to control only wireguard ACLs is not very convenient way from
> administrative point of view. Also in case where peer is roaming and
> changing its source IP (eg. road warrior) then maintaining wireguard ACLs
> will be a huge PITA, if not impossible at large scale.

No, you are wrong. Allowed-ips controls the IP addresses _within_ the
tunnel. Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or
similar to match a _precise_ peer.

Ok. Thanks for a tip. However I still think wireguard looses some flexibility in that way eg. when peer roams from one network to another then its ip address may be unknown.

No, wrong. Roaming regards external IP. Allowed IPs regards internal tunnel IPs, which are static.

Anyway, it is not only about roaming case so if it is not much of a work and if it is not a security problem then please consider to allow multiple wg interfaces to work on one port. I hope it won't hurt to allow this functionality and I am sure it might come handy for some admins in the wild. Maybe it could be implemented in pair with the idea of refactoring per interface vs per peer private keys? Hope you will consider it at some point.

No, you are very mistaken. Please reread the docs on allowed ips keeping in mind that these concern internal tunneled ips and are static. Typing to you on my phone so can't write more now.

Best Regards.
Damian.