Development discussion of WireGuard
From: Tim Sedlmeyer <tim@sedlmeyer.org>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Multiple peers
Date: Tue, 13 Mar 2018 18:04:37 -0400
Message-ID: <CAK_h9uH4JHMz5j+cZQ4GgO=n0Jqt-R7C+EQFGR5FXciCzV0qcA@mail.gmail.com>
In-Reply-To: <2016b91a-4c7e-db4d-7e22-8a7efc9add39@mailbox.org>

Another option instead of using the iptables rule is to create a
network namespace and assign the wireguard interface to it.

ip netns add mesh
ip link add wg0 type wireguard
ip link set wg0 netns mesh
ip -n mesh addr add x.x.x.x/24 dev wg0
ip netns exec mesh wg setconf wg0 /etc/wireguard/wg0.conf
ip -n mesh link set wg0 up

I prefer this because it isolates any mesh network routing and firewall
configuration from that of the physical interfaces of the hub server.
You don't have to worry about a routing or firewall misconfiguration on
the hub leading to the traffic from the vpn network going on to the hub
server's underlying network.

Also if you want to provide a service to the VPN network from the
server you can run the process in the mesh network namespace or inside
a container with only an interface in the mesh namespace available to it.

On Tue, Mar 13, 2018 at 1:35 PM,
<condor+wireguard-mailinglist@mailbox.org> wrote:
> Hi Gianluca,
>
>> I wonder if I need to copy/paste all peers' public key on all the other
>> peers' configuration, or I can just configure each peer to connect to the
>> server and then allow peers talking with other peers passing through this
>> server?
>
> If you want each peer to have a 1:1 connection to each other peer, then –
> yes. But to maintain such a mesh will be quite a bit of work…
>
> The easier solution should be to use the server as a hub. Make sure the
> AllowedIPs on the “clients” permit the subnet IP range you will be using,
> e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer
> should reflect the single address (/32) you are setting as interface address
> on the peer's side.
>
> To glue, add an iptables rule:
> iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT
>
>
> Kind regards,
> Peter
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
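A pre-flight check for the hub-in-a-namespace setup above, added here as an
editor's example and not part of either message. Two things in the thread
are easy to get wrong: `wg setconf` (unlike wg-quick) rejects keys such as
Address, DNS or PostUp, so the file handed to it must contain only wg(8)
keys; and on the hub, each peer's AllowedIPs should be a single /32 inside
the mesh subnet, with no two peers claiming the same address. The script
parses a hub-side conf, reports both classes of problem, and prints the
parameterised `ip netns` sequence from the message. The namespace name,
address, config path and the key strings in the sample configs are
constructed placeholders.

```python
"""Validate a hub-side wg0.conf before `ip netns exec mesh wg setconf`."""
import ipaddress

# Keys understood by wg(8) setconf. Anything else (Address, DNS, MTU,
# PostUp, ...) is a wg-quick extension and makes `wg setconf` fail.
WG_INTERFACE_KEYS = {"PrivateKey", "ListenPort", "FwMark"}
WG_PEER_KEYS = {"PublicKey", "PresharedKey", "AllowedIPs", "Endpoint",
                "PersistentKeepalive"}


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) from an INI-style wg conf."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        else:
            if current is None or "=" not in line:
                raise ValueError(f"unexpected line: {raw!r}")
            key, _, value = line.partition("=")   # base64 '=' padding stays in value
            current[key.strip()] = value.strip()
    return interface, peers


def check_hub_conf(text, mesh_subnet):
    """Return a list of problems; an empty list means the conf is setconf-ready."""
    subnet = ipaddress.ip_network(mesh_subnet)
    interface, peers = parse_wg_conf(text)
    problems = []
    for key in interface:
        if key not in WG_INTERFACE_KEYS:
            problems.append(f"[Interface] key {key} is wg-quick only; wg setconf rejects it")
    seen = {}   # address -> peer index, to catch duplicates
    for idx, peer in enumerate(peers, 1):
        for key in peer:
            if key not in WG_PEER_KEYS:
                problems.append(f"peer {idx}: key {key} not accepted by wg setconf")
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if len(allowed) != 1:
            problems.append(f"peer {idx}: hub should list exactly one AllowedIPs entry, got {allowed}")
            continue
        net = ipaddress.ip_network(allowed[0], strict=False)
        if net.prefixlen != net.max_prefixlen:
            problems.append(f"peer {idx}: AllowedIPs {allowed[0]} is not a single host address")
        if not net.subnet_of(subnet):
            problems.append(f"peer {idx}: {allowed[0]} is outside the mesh subnet {subnet}")
        if allowed[0] in seen:
            problems.append(f"peer {idx}: {allowed[0]} is already assigned to peer {seen[allowed[0]]}")
        seen.setdefault(allowed[0], idx)
    return problems


def netns_setup_commands(ns, ifname, hub_addr, conf_path):
    """The command sequence from the message, parameterised (returned, not run)."""
    return [
        f"ip netns add {ns}",
        f"ip link add {ifname} type wireguard",
        f"ip link set {ifname} netns {ns}",
        f"ip -n {ns} addr add {hub_addr} dev {ifname}",
        f"ip netns exec {ns} wg setconf {ifname} {conf_path}",
        f"ip -n {ns} link set {ifname} up",
    ]


# Constructed sample hub config; key values are placeholders, not real keys.
SAMPLE_GOOD = """
[Interface]
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51820

[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.10.2/32

[Peer]
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.10.3/32
"""

# Constructed wg-quick style file: Address key, a /24 on one peer, duplicate /32.
SAMPLE_BAD = """
[Interface]
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER=
Address = 192.168.10.1/24
ListenPort = 51820

[Peer]
PublicKey = PEER1_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.10.0/24

[Peer]
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.10.3/32

[Peer]
PublicKey = PEER3_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.10.3/32
"""

if __name__ == "__main__":
    for name, conf in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        issues = check_hub_conf(conf, "192.168.10.0/24")
        print(f"{name}: {'ready for wg setconf' if not issues else 'problems found'}")
        for p in issues:
            print("  -", p)
    print("\n".join(netns_setup_commands("mesh", "wg0", "192.168.10.1/24",
                                         "/etc/wireguard/wg0.conf")))
```

The /32-per-peer check matters for the hub-and-spoke design in Peter's reply: if the hub lists a /24 for one peer, WireGuard's cryptokey routing sends every mesh address to that peer, and the other spokes become unreachable through the hub.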

Thread overview: 5+ messages
2018-03-13 17:07 Gianluca Gabrielli
2018-03-13 17:35 ` condor+wireguard-mailinglist
2018-03-13 22:04   ` Tim Sedlmeyer [this message]
2018-03-15 15:05     ` Gianluca Gabrielli
2018-03-15 17:55       ` Germano Massullo