From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: rcwhelan@gmail.com
Received: from krantz.zx2c4.com (localhost [127.0.0.1]) by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 6336a9a1; Sat, 18 Nov 2017 23:39:37 +0000 (UTC)
Received: from mail-qt0-f170.google.com (mail-qt0-f170.google.com [209.85.216.170]) by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 8d8bd2e9; Sat, 18 Nov 2017 23:39:37 +0000 (UTC)
Received: by mail-qt0-f170.google.com with SMTP id a19so11020405qtb.3; Sat, 18 Nov 2017 15:44:17 -0800 (PST)
MIME-Version: 1.0
From: Ryan Whelan
Date: Sat, 18 Nov 2017 18:44:15 -0500
Subject: Another allowed-ips question
To: WireGuard mailing list
List-Id: Development discussion of WireGuard
Content-Type: text/plain; charset="UTF-8"

I'm working on a system where WireGuard machines can connect directly to one another as well as communicate with one another via an intermediary router (or 'server').

When 2 machines directly connect to one another, the allowed-ips setting is obviously a non-issue; what I'm struggling with is if they are unable to communicate directly and build routes to one another via an intermediary router (which is also connected to each 'client' via WireGuard). Unless the 'server' NATs the traffic, the allowed-ips setting will prevent the 'clients' from communicating. Am I missing something?

I'm trying to avoid building a wg interface for each peer connection if possible, but I'm failing to see any other way around it. Either NAT at the intermediary router or create an interface per-peer.

Are there other options?
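Added example (written for this archive page, not code from the message's author or from the WireGuard project): a small Python model of WireGuard's cryptokey routing, the rule behind the allowed-ips behaviour the message describes. Outbound, a packet is handed to the peer whose AllowedIPs contains the destination (longest prefix wins); inbound, a decrypted packet is accepted only if its source address lies inside the sending peer's AllowedIPs. The model traces one packet from client A through the router to client B under three constructed configurations: the router peer listed on the clients as a single /32, the router doing source NAT, and, going one step beyond the message, the clients' AllowedIPs for the router peer covering the whole VPN subnet, which lets the router forward without NAT. All addresses (10.0.0.0/24, router 10.0.0.1, clients 10.0.0.2 and 10.0.0.3) and the NAT flag are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed layout (assumption, not from the message):
#   router 10.0.0.1, client A 10.0.0.2, client B 10.0.0.3, VPN subnet 10.0.0.0/24
ROUTER, CLIENT_A, CLIENT_B = "10.0.0.1", "10.0.0.2", "10.0.0.3"


class Interface:
    """Cryptokey routing table of one WireGuard interface: peer name -> AllowedIPs."""

    def __init__(self):
        self.peers = {}

    def add_peer(self, name, allowed_ips):
        self.peers[name] = [ipaddress.ip_network(a) for a in allowed_ips]

    def outbound_peer(self, dst):
        """Peer that receives a packet for dst: longest matching AllowedIPs prefix, else None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def accept_inbound(self, peer, src):
        """A decrypted packet from peer is kept only if src is inside that peer's AllowedIPs."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers.get(peer, []))


def trace_a_to_b(allowed_on_a, allowed_on_b, nat_at_router=False):
    """Trace one packet A -> router -> B and report where cryptokey routing stops it.

    allowed_on_a / allowed_on_b: AllowedIPs each client configures for its router peer.
    The router lists each client's own /32 and forwards between them (ip_forward assumed on).
    nat_at_router: if True the router rewrites the source to its own address (source NAT).
    """
    a, b, r = Interface(), Interface(), Interface()
    a.add_peer("router", allowed_on_a)
    b.add_peer("router", allowed_on_b)
    r.add_peer("client_a", [CLIENT_A + "/32"])
    r.add_peer("client_b", [CLIENT_B + "/32"])

    src, dst = CLIENT_A, CLIENT_B
    if a.outbound_peer(dst) != "router":
        return "dropped on A: no peer's AllowedIPs covers the destination"
    if not r.accept_inbound("client_a", src):
        return "dropped on router: source not in client_a's AllowedIPs"
    if r.outbound_peer(dst) != "client_b":
        return "dropped on router: no peer's AllowedIPs covers the destination"
    if nat_at_router:
        src = ROUTER  # the router now appears as the sender
    if not b.accept_inbound("router", src):
        return "dropped on B: source not in router peer's AllowedIPs"
    return "delivered"


if __name__ == "__main__":
    only_router = [ROUTER + "/32"]
    whole_subnet = ["10.0.0.0/24"]
    print("router /32 on both clients:      ", trace_a_to_b(only_router, only_router))
    print("A covers subnet, B only /32:     ", trace_a_to_b(whole_subnet, only_router))
    print("same, with NAT at the router:    ", trace_a_to_b(whole_subnet, only_router, nat_at_router=True))
    print("subnet on both clients, no NAT:  ", trace_a_to_b(whole_subnet, whole_subnet))
```

The trace makes the two checks visible separately: the destination must be covered on the sending side, and the source must be covered on the receiving side. Source NAT at the router satisfies only the second check, which is why the message's NAT option works; listing the subnet (or the other client's /32) in each client's router-peer AllowedIPs satisfies both without NAT and without an interface per peer.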