Development discussion of WireGuard
From: dllud <dllud@riseup.net>
To: wireguard@lists.zx2c4.com
Subject: Support ip6tables-like network masks for allowed-ips besides CIDR
Date: Mon, 14 Jan 2019 05:51:20 +0000
Message-ID: <ce1ca341-e913-ed02-5909-1699d0efdc30@riseup.net>

Hi everyone,

Would it be possible for wireguard to support ip6tables-like network
masks [1] for the allowed-ips besides CIDR masks?
With CIDR we are limited to variable suffixes. While with network masks
we could have variable prefixes, suffixes or any combination.

[1] https://linux.die.net/man/8/ip6tables

-------------------------------

Use case (why does it matter to me): I have a client-server setup where
I would like to allow the client peers to choose any IPv6 they wish as
long as they honor a given suffix. Collisions are avoided by having a
unique suffix for each client. With CIDR I can only make clients honor a
prefix.

The long story
On my home network I reserved two IPv6 subnets for Wireguard clients:
- a private one, e.g. fdaa:aaaa:aaaa:aabb::/64 (never changes);
- a public one, e.g. 2001:aaaa:aaaa:aabb::/64 which is a subnet of the
subnet attributed by my ISP (the positions marked with aa's change
regularly according to the dynamic assigning done by my ISP).

Attributing public IPv6 addresses to the wireguard clients allows them
to reach the Internet through the tunnel with no need for NAT.

Currently, there seems to be no way of dynamically attributing IPs to
clients. (Or is there some kind of DHCPv6 over Wireguard?) Thus, to keep
my Cryptokey Routing Table working properly I have to update it on both
server and clients whenever my ISP attributes me a different subnet
(power outages, router restarts, etc.).
This is easy on the clients, which connect and disconnect regularly. I
just need a small script to connect to the wireguard server, which gets
the current public subnet (from Dynamic DNS) before setting the public
IPv6 for the tunnel interface.
Things are nastier on the server side though, which is an OpenWrt
router. I would need a cron/procd job hammering OpenWrt config files
whenever a change is detected.
Network masks would be a much cleaner solution on this setup and
probably many others.

Note: I trust all my client peers (which are just me, on other computers
outside my home network).

-------------------------------

Thanks for building wireguard and especially for publishing it as
open-source. You have a great piece of software here. Much appreciated.

Regards!

--
dllud
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
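The difference the post is asking about, as an added example that is not part of the original message nor WireGuard's own code: an ip6tables-style address/mask pair can have any bit pattern in the mask, so it can pin the low 64 bits (the client's suffix) while leaving the ISP-assigned prefix free, whereas a CIDR `/N` is a contiguous run of ones and can only pin a prefix. WireGuard's cryptokey routing table does longest-prefix matching, so it only accepts the CIDR form. The second half of the block shows the CIDR-only workaround the post describes: recombine each client's fixed suffix with whatever /64 prefixes are current and push the resulting /128 entries with `wg set`. The two prefixes are taken from the post; the client suffix, peer key placeholder and interface name are constructed for the example.

```python
"""IPv6 allowed-ips: arbitrary netmask matching vs CIDR prefix matching.

Added example (not from the mailing-list post or the WireGuard project).
"""
import ipaddress

ALL_ONES_128 = (1 << 128) - 1


def _v6(s):
    """Parse an IPv6 literal into its 128-bit integer value."""
    return int(ipaddress.IPv6Address(s))


def netmask_match(addr, pattern, mask):
    """ip6tables-style check: compare only the bits set in mask.

    mask may be any bit pattern, e.g. ::ffff:ffff:ffff:ffff to match
    the interface identifier (low 64 bits) regardless of the prefix.
    """
    m = _v6(mask)
    return (_v6(addr) & m) == (_v6(pattern) & m)


def cidr_match(addr, network):
    """CIDR check as WireGuard's cryptokey routing does it: prefix only."""
    net = ipaddress.IPv6Network(network, strict=False)
    return ipaddress.IPv6Address(addr) in net


def mask_is_cidr(mask):
    """True if mask is a contiguous run of ones followed by zeros,
    i.e. expressible as a /N prefix length and therefore usable as an
    allowed-ips entry."""
    inv = (~_v6(mask)) & ALL_ONES_128  # the trailing zero-run becomes ones
    return (inv & (inv + 1)) == 0  # ones-run is contiguous from bit 0


def cidr_prefix_len(mask):
    """Prefix length of a contiguous mask (caller checks mask_is_cidr)."""
    inv = (~_v6(mask)) & ALL_ONES_128
    return 128 - inv.bit_length()


def build_allowed_ips(prefixes, suffix):
    """CIDR-only workaround: combine each current /64 prefix with the
    client's fixed 64-bit suffix into one /128 allowed-ips entry."""
    entries = []
    for p in prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        assert net.prefixlen == 64, "example assumes /64 delegations"
        entries.append(f"{ipaddress.IPv6Address(int(net.network_address) | suffix)}/128")
    return entries


def wg_set_argv(iface, peer_pubkey, allowed):
    """argv for `wg set <iface> peer <key> allowed-ips a/128,b/128`."""
    return ["wg", "set", iface, "peer", peer_pubkey, "allowed-ips", ",".join(allowed)]


# Constructed example values (not from the post).
CLIENT_SUFFIX = 0x1234_5678_9ABC_DEF0          # low 64 bits owned by one client
SUFFIX_MASK = "::ffff:ffff:ffff:ffff"          # pins the suffix, frees the prefix
SUFFIX_PATTERN = "::1234:5678:9abc:def0"
PREFIXES = ["fdaa:aaaa:aaaa:aabb::/64", "2001:aaaa:aaaa:aabb::/64"]  # from the post

if __name__ == "__main__":
    for a in ("2001:aaaa:aaaa:aabb:1234:5678:9abc:def0",
              "fdaa:aaaa:aaaa:aabb:1234:5678:9abc:def0",
              "2001:aaaa:aaaa:aabb::dead:beef"):
        print(a, "netmask:", netmask_match(a, SUFFIX_PATTERN, SUFFIX_MASK),
              "cidr /64:", cidr_match(a, SUFFIX_PATTERN + "/64"))
    print(SUFFIX_MASK, "usable as CIDR?", mask_is_cidr(SUFFIX_MASK))
    print("ffff:ffff:ffff:ffff::", "usable as CIDR?",
          mask_is_cidr("ffff:ffff:ffff:ffff::"), "/", cidr_prefix_len("ffff:ffff:ffff:ffff::"))
    print(" ".join(wg_set_argv("wg0", "PEER_PUBKEY_PLACEHOLDER",
                               build_allowed_ips(PREFIXES, CLIENT_SUFFIX))))
```

Running the script shows that the suffix mask accepts both the private and the public address that end in the client's suffix and rejects a different suffix under the same prefix, while the CIDR form `::1234:5678:9abc:def0/64` collapses to `::/64` and matches neither of them. On the server, a job that re-runs `build_allowed_ips` with the current delegated prefix and applies the resulting argv is the equivalent of what the post's client-side script does, and because each entry is a /128 the cryptokey routing table keeps rejecting traffic from a peer that does not honor its suffix.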
