Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Matt Dunwoodie
On Sun, 21 Jun 2020 15:54:00 +0200
Matthieu Herrb wrote:
> Hi,
> 
> I was wondering if there is a way to specify a routing domain/table
> for wgendpoint in ifconfig(8).
> 
> In a VPN client setup (roadwarrior style) I'd like to keep wg0 in
> rdomain 0 and put the actual physical interface in rdomain 1. So that
> all daemons (smtpd, unwind, ...) use the VPN by default and only the
> strict minimum to set up the VPN runs in rdomain 1.
> 
> Everything works if I set wg0 in rdomain 1 and keep my re0 interface in
> rdomain 0, but as soon as I set rdomain 1 for re0 and rdomain 0 for
> wg0, the VPN cannot come up (and I see the UDP packets to port 51820
> trying to go out through wg0).

Yes, this is most certainly possible (I have this configuration in a
couple of places). If you haven't found it yet, the "wgrtable" option
(see ifconfig(8)) will allow you to achieve this.
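As an added illustration (not part of the thread), the split-rdomain layout described above written as hostname.if(5) files: re0 lives in rdomain 1 and carries only the encapsulated UDP, wg0 stays in rdomain 0 so every daemon uses the VPN by default, and wgrtable 1 is what keeps the outer packets from being routed back into wg0. Keys and addresses are placeholders; the peer port 51820 matches the question.

```conf
# /etc/hostname.re0 -- physical uplink, moved into rdomain 1.
# Only this interface (and the dhclient netstart runs for it) lives here.
rdomain 1
dhcp

# /etc/hostname.wg0 -- tunnel interface, left in rdomain 0.
# Daemons that do not ask for a specific rtable therefore use the VPN.
# wgrtable 1 sends the encapsulated UDP packets through rdomain 1, i.e. out
# of re0, instead of looking them up in rdomain 0 where the default route
# points back into wg0 (the loop seen in the question).
# <local-private-key-base64> and <server-public-key-base64> are placeholders;
# 203.0.113.10 and 10.8.0.0/24 are constructed sample addresses.
wgkey <local-private-key-base64>
wgrtable 1
wgpeer <server-public-key-base64> wgendpoint 203.0.113.10 51820 wgaip 0.0.0.0/0 wgpka 25
inet 10.8.0.2 255.255.255.0
!route -T0 add -inet default 10.8.0.1
```

hostname.wg0 holds the private key, so it must stay readable by root only. After `sh /etc/netstart re0 wg0`, `route -T1 -n show` should list the default route learned on re0 and `route -n show` the default through wg0.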



Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Patrick Wildt
On Sun, Jun 21, 2020 at 10:06:52AM -0400, Sonic wrote:
> Along that line, does wireguard have any problems using alias
> addresses? It's not a problem with IKEv1 but it is with IKEv2.
> 
> Thanks!
> 
> Chris

I still don't see how this is a problem with IKEv2, so don't spread any
rumours and instead have a look at my response to your mail on misc@.

Patrick



Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Sonic
Along that line, does wireguard have any problems using alias
addresses? It's not a problem with IKEv1 but it is with IKEv2.

Thanks!

Chris



Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Matthieu Herrb
On Fri, Jun 19, 2020 at 06:46:00PM +1000, Matt Dunwoodie wrote:
> Hi all,
> 
> After the previous submission of WireGuard, we've again been through a
> number of improvements. Thank you everyone for your feedback.

Hi,

I was wondering if there is a way to specify a routing domain/table
for wgendpoint in ifconfig(8).

In a VPN client setup (roadwarrior style) I'd like to keep wg0 in
rdomain 0 and put the actual physical interface in rdomain 1. So that
all daemons (smtpd, unwind, ...) use the VPN by default and only the
strict minimum to set up the VPN runs in rdomain 1.

Everything works if I set wg0 in rdomain 1 and keep my re0 interface in
rdomain 0, but as soon as I set rdomain 1 for re0 and rdomain 0 for
wg0, the VPN cannot come up (and I see the UDP packets to port 51820
trying to go out through wg0).

Thanks for your work on wireguard!

-- 
Matthieu Herrb



Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread David Gwynne
On Sun, Jun 21, 2020 at 12:52:53PM +0200, Matthieu Herrb wrote:
> On Fri, Jun 19, 2020 at 06:46:00PM +1000, Matt Dunwoodie wrote:
> > Hi all,
> > 
> > After the previous submission of WireGuard, we've again been through a
> > number of improvements. Thank you everyone for your feedback.
> 
> Hi,
> 
> While giving wireguard a try, I found that this patch is needed to fix
> the ifconfig(8) documentation:

Oh yeah, I hit that too.

OK by me.

> 
> diff --git sbin/ifconfig/ifconfig.8 sbin/ifconfig/ifconfig.8
> index 29edeb60793..93429b4c103 100644
> --- sbin/ifconfig/ifconfig.8
> +++ sbin/ifconfig/ifconfig.8
> @@ -2056,7 +2056,7 @@ Packets on a VLAN interface without a tag set will use 
> a value of
>  .Op Cm wgpsk Ar presharedkey
>  .Op Fl wgpsk
>  .Op Cm wgpka Ar persistent-keepalive
> -.Op Cm wgpip Ar ip port
> +.Op Cm wgendpoint Ar ip port
>  .Op Cm wgaip Ar allowed-ip/prefix
>  .Oc
>  .Op Fl wgpeerall
> @@ -2137,7 +2137,7 @@ By default this functionality is disabled, equivalent 
> to a value of 0.
>  This is often used to ensure a peer will be accessible when protected by
>  a firewall, as is when behind a NAT address.
>  A value of 25 is commonly used.
> -.It Cm wgpip Ar ip port
> +.It Cm wgendpoint Ar ip port
>  Set the IP address and port to send the encapsulated packets to.
>  If the peer changes address, the local interface will update the address
>  after receiving a correctly authenticated packet.
> 
> -- 
> Matthieu Herrb
> 



Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Matthieu Herrb
On Fri, Jun 19, 2020 at 06:46:00PM +1000, Matt Dunwoodie wrote:
> Hi all,
> 
> After the previous submission of WireGuard, we've again been through a
> number of improvements. Thank you everyone for your feedback.

Hi,

While giving wireguard a try, I found that this patch is needed to fix
the ifconfig(8) documentation:

diff --git sbin/ifconfig/ifconfig.8 sbin/ifconfig/ifconfig.8
index 29edeb60793..93429b4c103 100644
--- sbin/ifconfig/ifconfig.8
+++ sbin/ifconfig/ifconfig.8
@@ -2056,7 +2056,7 @@ Packets on a VLAN interface without a tag set will use a 
value of
 .Op Cm wgpsk Ar presharedkey
 .Op Fl wgpsk
 .Op Cm wgpka Ar persistent-keepalive
-.Op Cm wgpip Ar ip port
+.Op Cm wgendpoint Ar ip port
 .Op Cm wgaip Ar allowed-ip/prefix
 .Oc
 .Op Fl wgpeerall
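Review bot: the synopsis entry now matches the wgendpoint keyword the driver accepts, but this hunk and the next only touch the two occurrences shown; before committing, grep the rest of ifconfig.8 for any remaining "wgpip" (cross references, examples) so the manual page does not end up advertising both names.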
@@ -2137,7 +2137,7 @@ By default this functionality is disabled, equivalent to 
a value of 0.
 This is often used to ensure a peer will be accessible when protected by
 a firewall, as is when behind a NAT address.
 A value of 25 is commonly used.
-.It Cm wgpip Ar ip port
+.It Cm wgendpoint Ar ip port
 Set the IP address and port to send the encapsulated packets to.
 If the peer changes address, the local interface will update the address
 after receiving a correctly authenticated packet.
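Review bot: the rename here is consistent with the synopsis change in the first hunk, but the description "Set the IP address and port to send the encapsulated packets to" would benefit from a pointer to wgrtable, since that option, not the interface's own rdomain, decides which routing table those encapsulated packets leave through; the question raised earlier in this thread shows readers reaching for wgendpoint when they actually need wgrtable.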

-- 
Matthieu Herrb