From: Ryan Whelan <rcwhelan@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Another allowed-ips question
Date: Tue, 5 Dec 2017 09:05:14 -0500
Message-ID: <CAM3m09TR-ySFu=E=D3gEQJjeqw3awW5pP2mu+-OKN7jKOfbCDQ@mail.gmail.com>
In-Reply-To: <CAHmME9qBc1Wm1=QgAY6gSR65bsfNppsRjeZFwJfF1nBAr1WF9A@mail.gmail.com>
On Wed, Nov 22, 2017 at 6:51 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Hi Ryan,
>
> Sorry for the delayed response. The high volume and churn of
> development recently has gotten me a bit behind on the mail queue and
> rather confused.
>
> You wrote:
> > what I'm struggling with is if they are unable to communicate directly
> > and build routes to one another via an intermediary router (which is also
> > connected to each 'client' via wireguard).
>
> If I understood you correctly, you're looking at this situation: Peer
> A connects to Peer S. Peer B connects to Peer S. A wants to talk to B,
> through S. In this case, the allowed-ips of S on A lists B's internal
> IP, and the allowed-ips of S on B lists A's internal IP address. In
> other words, you have A/B state that "I trust S to send me the traffic
> of B/A."
>
> Does this answer your question?
>
> Regards,
> Jason
>
Sorry for my latent reply- I was traveling all last week and have been
doing a bad job keeping up on my email.

I think you understand the setup, mostly. The missing piece is that A and
B need to connect directly to one another as well. (It's kind of like a
triangle). The idea is that the link between A and B is 'primary' but if
they are unable to communicate with one another directly, they will 'fall
back' to using the 'Server' (S). A and B will both likely be behind NATs,
so it is likely that at some point they will both be behind symmetric NATs and
be unable to communicate directly, needing the fallback route provided by
the server.

That said, I think I have a working setup. There are 2 interfaces
created, one called 'server0' and one called 'direct0'. On the server
interface there is a single peer with an allowed-ips of fc00::/7 and on the
direct interface, there is a peer for each of the other devices we want to
connect to directly. Each peer on the direct interface has an allowed-ips
that matches the addr of the corresponding peer. (/128).

That provides 2 routes between peers- route selection is just a matter of
picking an interface. Hopefully something that will be done via a routing
daemon.

Hopefully the above makes sense. I think I have a screenshot that will
paint a clearer picture if needed. (Not sure if I can paste pictures into
the mailing list.)

ryan
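
The two-interface layout from the message above, modelled as an added example (not code from the thread or from WireGuard). It goes one step beyond the message by comparing against a single merged interface, where the per-interface longest-prefix lookup on allowed-ips leaves no fallback path; the addresses, the `wg0` interface and all function names are assumptions made for illustration.

```python
import ipaddress

def select_peer(peers, addr):
    """Return the peer whose allowed-ips holds the most specific prefix
    covering addr, or None. WireGuard does this lookup per interface."""
    addr = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, name)
            for name, prefixes in peers.items()
            for net in map(ipaddress.ip_network, prefixes)
            if addr in net]
    return max(hits)[1] if hits else None

def accepts(peers, from_peer, inner_src):
    """Inbound filter: a decrypted packet is kept only when its inner source
    address looks up to the same peer that sent it."""
    return select_peer(peers, inner_src) == from_peer

def paths_to(interfaces, dst):
    """List the (interface, peer) pairs able to carry traffic to dst."""
    found = []
    for ifname, peers in interfaces.items():
        peer = select_peer(peers, dst)
        if peer is not None:
            found.append((ifname, peer))
    return found

# Node A's view. Addresses are constructed; prefixes follow the message.
B_ADDR = "fd00::b"
SPLIT = {
    "server0": {"S": ["fc00::/7"]},
    "direct0": {"B": ["fd00::b/128"]},
}
# Hypothetical alternative: both peers on a single interface.
MERGED = {"wg0": {"S": ["fc00::/7"], "B": ["fd00::b/128"]}}

if __name__ == "__main__":
    print("split :", paths_to(SPLIT, B_ADDR))
    print("merged:", paths_to(MERGED, B_ADDR))
    # With one interface, B's traffic relayed by S is dropped on receipt.
    print("merged accepts B via S:", accepts(MERGED["wg0"], "S", B_ADDR))
    print("split accepts B via S :", accepts(SPLIT["server0"], "S", B_ADDR))
```

With the split layout both paths exist and the kernel route (or a routing daemon) decides which interface a packet leaves through; with the merged layout the /128 always wins and relayed traffic from S fails the source check.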