On Wed, Nov 22, 2017 at 6:51 PM, Jason A. Donenfeld wrote:

> Hi Ryan,
>
> Sorry for the delayed response. The high volume and churn of
> development recently has gotten me a bit behind on the mail queue and
> rather confused.
>
> You wrote:
>
> > what i'm struggling with is if they are unable to communicate directly
> > and build routes to one another via an intermediary router (which is also
> > connected to each 'client' via wireguard).
>
> If I understood you correctly, you're looking at this situation: Peer
> A connects to Peer S. Peer B connects to Peer S. A wants to talk to B,
> through S. In this case, the allowed-ips of S on A lists B's internal
> IP, and the allowed-ips of S on B lists A's internal IP address. In
> other words, you have A/B state that "I trust S to send me the traffic
> of B/A."
>
> Does this answer your question?
>
> Regards,
> Jason

Sorry for my late reply. I was traveling all last week and have been doing a bad job keeping up on my email.

I think you understand the setup, mostly. The missing piece is that A and B need to connect directly to one another as well. (It's kind of like a triangle.) The idea is that the link between A and B is 'primary', but if they are unable to communicate with one another directly, they will 'fall back' to using the 'Server' (S). A and B will both likely be behind NATs, so it is likely that at some point they will both be behind symmetric NATs and be unable to communicate directly, needing the fallback route provided by the server.

That said, I think I have a working setup. There are 2 interfaces created: one called 'server0' and one called 'direct0'. On the server interface there is a single peer with an allowed-ips of fc00::/7, and on the direct interface there is a peer for each of the other devices we want to connect to directly. Each peer on the direct interface has an allowed-ips that matches the addr of the corresponding peer (/128).

That provides 2 routes between peers; route selection is just a matter of picking an interface. Hopefully something that will be done via a routing daemon.

Hopefully the above makes sense. I think I have a screenshot that will paint a clearer picture if needed. (Not sure if I can paste pictures into the mailing list.)

ryan
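The two-interface layout described in the thread, written out as wg-quick configuration for peer A. This is an added example, not a config from the thread; the key names, ULA addresses, ports and endpoint hostnames are placeholders.

```ini
# --- server0.conf on peer A: the fallback path through S ---
[Interface]
PrivateKey = <A_SERVER0_PRIVATE_KEY>     # key pair used only on this interface
Address = fd00:1234::a/64                # A's ULA address (placeholder prefix)
ListenPort = 51820

[Peer]
# S. The wide allowed-ips accepts traffic for any ULA peer relayed by S,
# and wg-quick installs fc00::/7 -> server0 as the catch-all route.
PublicKey = <S_PUBLIC_KEY>
Endpoint = server.example.net:51820
AllowedIPs = fc00::/7
PersistentKeepalive = 25                 # keep A's NAT mapping toward S open

# --- direct0.conf on peer A: the primary path, one peer per device ---
[Interface]
PrivateKey = <A_DIRECT0_PRIVATE_KEY>     # separate key pair from server0
ListenPort = 51821

[Peer]
# B. Only B's own /128 is allowed here, so a packet arriving from B with
# any other inner source address is dropped by cryptokey routing.
PublicKey = <B_DIRECT0_PUBLIC_KEY>
Endpoint = b.example.net:51821           # or whatever address NAT traversal yields
AllowedIPs = fd00:1234::b/128
PersistentKeepalive = 25

# Route selection: wg-quick installs fd00:1234::b/128 -> direct0 and
# fc00::/7 -> server0, so longest-prefix match always prefers direct0 for
# B. A WireGuard interface has no link state, so that /128 stays preferred
# even when B is unreachable; falling back to S needs the routing daemon
# mentioned in the thread to withdraw the /128 when the direct tunnel stops
# handshaking (e.g. by watching `wg show direct0 latest-handshakes`).
```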