From: Steve Gilberd
Date: Thu, 15 Mar 2018 18:39:59 +0000
Subject: Re: Allowed IPs Toggling
To: Samuel Holland
Cc: WireGuard mailing list

> Allowed IPs is like a routing table; you can't have two routes for the same set of IPs

If this is the case, then wireguard does not have proper routing support.

Normally, routing tables allow both multiple and overlapping routes to be present. When making routing decisions, the most-specific route is chosen (e.g. a /29 is higher priority than a /24 which overlaps with it). If there are two identical routes of the same size, then the one with the lowest routing metric is used.

I can understand not allowing identical routes of the same size, as wireguard doesn't really have a concept of metric (although it could be useful for backup links). However, it really should allow overlapping routes of different sizes. There's no ambiguity with routing decisions, and it's a standard feature that I would normally expect any IP routing stack to have.

Cheers,
Steve

On Fri, 16 Mar 2018, 04:57 Samuel Holland, wrote:
> Hello,
>
> On 03/15/18 10:31, Gianluca Gabrielli wrote:
> > I was setting two peers on the server, but every time I re-add one of these
> > two the other one is shown with (none) on "allowed ips" field. Of course that
> > blocks communications with that peer. If I try to re-add it, then the other
> > peer loses its configuration, same problem.
>
> Allowed IPs is like a routing table; you can't have two routes for the same set
> of IPs, or WireGuard doesn't know which peer to send the traffic to. You want to
> have non-overlapping Allowed IP ranges. This usually means that the range of
> Allowed IPs is smaller than the host's subnet. For example:
>
> Host A:
> IP configuration for WireGuard interface: 192.168.123.1/24
> Allowed IPs for Host B: 192.168.123.2/32
>
> Host B:
> IP configuration for WireGuard interface: 192.168.123.2/24
> Allowed IPs for Host A: 192.168.123.1/32
>
> The IP configuration tells the kernel which IP ranges are accessible via the
> WireGuard interface. The Allowed IPs tell WireGuard which _subset_ of those IPs
> is associated with each peer.
>
> > Cheers,
> > Gianluca
>
> Cheers,
> Samuel
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

-- 
Cheers,
Steve Gilberd
Erayd LTD · Consultant
Phone: +64 4 974-4229 · Mob: +64 27 565-3237
PO Box 10019 The Terrace, Wellington 6143, NZ
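As an added illustration of the routing-table analogy in Samuel's reply and the longest-prefix point in Steve's (example code written for this page, not WireGuard's implementation; the peer names and the 10.0.0.0/24 prefixes are constructed), a small model in which each prefix is owned by one peer, lookups pick the most specific prefix, and re-adding an identical prefix for a second peer moves the route away from the first:

```python
from ipaddress import ip_address, ip_network


class AllowedIPsTable:
    """Illustrative model of the per-peer AllowedIPs table discussed above.

    Every prefix is owned by exactly one peer, i.e. it is a route to that
    peer.  Lookups use longest-prefix match, so a /29 inside another peer's
    /24 wins over the /24.  This is a model written for this thread, not
    WireGuard's own implementation.
    """

    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def add(self, peer, cidr):
        """Assign cidr to peer and return the previous owner, if any.

        Re-adding an identical prefix for a second peer moves the route:
        the first peer silently loses it, which is the '(none)' symptom
        reported in the thread.
        """
        net = ip_network(cidr, strict=False)
        previous = self.routes.get(net)
        self.routes[net] = peer
        return previous

    def allowed_ips(self, peer):
        """Prefixes currently routed to peer, as strings."""
        return sorted(str(n) for n, p in self.routes.items() if p == peer)

    def lookup(self, dst):
        """Peer owning the most specific prefix covering dst, or None."""
        addr = ip_address(dst)
        best = None
        for net, peer in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None


def demo():
    """Constructed scenario: peer names and the 10.0.0.0/24 prefixes are made up."""
    t = AllowedIPsTable()
    t.add("host-b", "192.168.123.2/32")      # Samuel's example, as seen from Host A
    t.add("site-router", "10.0.0.0/24")      # overlapping routes of different sizes
    t.add("backup-host", "10.0.0.8/29")      # ... resolved by longest-prefix match
    moved_from = t.add("peer-2", "192.168.123.2/32")  # identical prefix: route moves
    return t, moved_from
```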