Re: Multiple peers

2018-03-13 Thread Tim Sedlmeyer
Another option instead of using the iptables rule is to create a network namespace and assign the wireguard interface to it.

ip netns add mesh
ip link add wg0 type wireguard
ip link set wg0 netns mesh
ip -n mesh addr add x.x.x.x/24 dev wg0
ip netns exec mesh wg setconf wg0 /etc/wireguard/wg0.conf
ip -n mesh link set wg0 up

I prefer this because it isolates any mesh network routing and firewall configuration from that of the physical interfaces of the hub server. You don't have to worry about a routing or firewall misconfiguration on the hub leading to the traffic from the vpn network going on to the hub server's underlying network.

Also if you want to provide a service to the VPN network from the server you can run the process in the mesh network namespace or inside a container with only an interface in the mesh namespace available to it.

On Tue, Mar 13, 2018 at 1:35 PM, wrote:
> Hi Gianluca,
>
>> I wonder if I need to copy/paste all peers' public key on all the other
>> peers' configuration, or I can just configure each peer to connect to the
>> server and then allow peers talking with other peers passing through this
>> server?
>
> If you want each peer to have a 1:1 connection to each other peer, then –
> yes. But to maintain such a mesh will be quite a bit of work…
>
> The easier solution should be to use the server as a hub. Make sure the
> AllowedIPs on the “clients” permit the subnet IP range you will be using,
> e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer
> should reflect the single address (/32) you are setting as interface address
> on the peer's side.
>
> To glue, add an iptables rule:
> iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT
>
>
> Kind regards,
> Peter
>
> ___
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: Multiple peers

2018-03-13 Thread condor+wireguard-mailinglist

Hi Gianluca,

> I wonder if I need to copy/paste all peers' public key on all the
> other peers' configuration, or I can just configure each peer to connect
> to the server and then allow peers talking with other peers passing
> through this server?

If you want each peer to have a 1:1 connection to each other peer, then – yes. But to maintain such a mesh will be quite a bit of work…

The easier solution should be to use the server as a hub. Make sure the AllowedIPs on the “clients” permit the subnet IP range you will be using, e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer should reflect the single address (/32) you are setting as interface address on the peer's side.

To glue, add an iptables rule:
iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT

Kind regards,
Peter
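The hub-and-spoke layout Peter describes (hub lists each client with a /32, clients list only the hub with the whole subnet, FORWARD rule on the hub) as a small config generator. This is an added example, not code from Peter, Tim or the WireGuard project; the key strings and the hub endpoint are placeholders, and `wg_quick=False` emits plain `wg setconf` syntax of the kind Tim loads inside his network namespace (Address/PostUp/PostDown are wg-quick keys and are left out there).

```python
"""Hub-and-spoke WireGuard config generator for the layout Peter describes:
the hub lists every client with a /32 AllowedIPs entry, each client lists
only the hub with the whole subnet as AllowedIPs, and the hub forwards
between clients. Added example, not code from either poster. Key strings
and the hub endpoint are placeholders: substitute `wg genkey` / `wg pubkey`
output and the hub's real address."""
import ipaddress
from dataclasses import dataclass

SUBNET = ipaddress.ip_network("192.168.10.0/24")  # subnet used in the thread
WG_IFACE = "wg9"                                  # interface name from the thread
HUB_ENDPOINT = "hub.example.invalid:51820"        # assumed public endpoint (placeholder)


@dataclass(frozen=True)
class Node:
    name: str
    address: ipaddress.IPv4Address  # this node's tunnel address
    private_key: str                # placeholder for `wg genkey` output
    public_key: str                 # placeholder for `wg pubkey` output


def sample_node(name, host_index):
    """Constructed sample node; the keys are obvious placeholders."""
    return Node(name, SUBNET[host_index],
                f"<{name}-private-key>", f"<{name}-public-key>")


HUB = sample_node("hub", 1)                                        # 192.168.10.1
CLIENTS = [sample_node(f"client{i}", i + 1) for i in range(1, 5)]  # .2 to .5


def check_addresses(hub, clients):
    """Reject duplicate or out-of-subnet tunnel addresses before any config
    is written; returns the number of nodes checked."""
    addrs = [n.address for n in (hub, *clients)]
    if len(set(addrs)) != len(addrs):
        raise ValueError("duplicate tunnel address")
    for a in addrs:
        if a not in SUBNET:
            raise ValueError(f"{a} is outside {SUBNET}")
    return len(addrs)


def hub_config(hub, clients, wg_quick=True):
    """Hub side. One [Peer] per client with AllowedIPs = <client>/32, so the
    hub routes exactly that address to that peer and accepts only that
    source address from it. With wg_quick=True the file also carries the
    wg-quick-only keys Address/PostUp/PostDown (PostUp adds Peter's FORWARD
    rule); with False it is plain `wg setconf` syntax, usable inside the
    network namespace from Tim's reply."""
    lines = ["[Interface]", f"PrivateKey = {hub.private_key}", "ListenPort = 51820"]
    if wg_quick:
        lines.insert(1, f"Address = {hub.address}/{SUBNET.prefixlen}")
        rule = f"iptables {{}} FORWARD -i {WG_IFACE} -o {WG_IFACE} -j ACCEPT"
        lines.append("PostUp = " + rule.format("-A"))
        lines.append("PostDown = " + rule.format("-D"))
    for c in clients:
        lines += ["", f"# {c.name}", "[Peer]",
                  f"PublicKey = {c.public_key}", f"AllowedIPs = {c.address}/32"]
    return "\n".join(lines) + "\n"


def client_config(client, hub, wg_quick=True):
    """Client side. The hub is the only peer and its AllowedIPs is the whole
    subnet, so packets for any other client are sent through the hub.
    PersistentKeepalive keeps NAT mappings open for clients behind NAT
    (an addition not discussed in the thread)."""
    lines = ["[Interface]", f"PrivateKey = {client.private_key}"]
    if wg_quick:
        lines.insert(1, f"Address = {client.address}/32")
    lines += ["", "[Peer]", f"PublicKey = {hub.public_key}",
              f"AllowedIPs = {SUBNET}", f"Endpoint = {HUB_ENDPOINT}",
              "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


def allowed_ips(config_text):
    """Return the AllowedIPs values of a config as strings, in order; used to
    check that the generated files follow the hub-and-spoke rule."""
    out = []
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            out.append(str(ipaddress.ip_network(value.strip())))
    return out


if __name__ == "__main__":
    check_addresses(HUB, CLIENTS)
    print(hub_config(HUB, CLIENTS))
    for c in CLIENTS:
        print(client_config(c, HUB))
```

The /32 entries on the hub matter for more than routing: AllowedIPs is also the source-address filter for decrypted packets, so a client cannot inject traffic claiming another client's tunnel address. Run the script, replace the placeholder keys and endpoint, and load the hub file with `wg-quick up` (or the `wg_quick=False` variant with `wg setconf` inside a namespace).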


Multiple peers

2018-03-13 Thread Gianluca Gabrielli
Hi everybody,

I have five peers, and I want each peer to be able to talk with all the other peers.
Moreover, let's say that one of these peers will act as a server and as a
gateway, while the other four will be only clients.
I wonder if I need to copy/paste all peers' public keys into all the other peers'
configurations, or I can just configure each peer to connect to the server and
then allow peers to talk with other peers passing through this server?
(Something similar to the client-to-client option in OpenVPN)

I don't care about the firewall rules to configure the server to NAT clients'
connections; my question is just about the wireguard configuration.

Cheers,
Gianluca




Re: Lineage OS (Android) Support

2018-03-13 Thread Paul


On Sun, Mar 11, 2018 at 7:42 PM, Paul wrote:

> Hi all,
>
> I'm new to the list and hope this wasn't discussed at length here
> before. If so, please give me a direction; I couldn't find anything
> related.
>
> For the last few days I tried to find a Lineage OS [1] compatible kernel
> with wireguard included; sadly there is none. Instead of installing a
> custom kernel, could Lineage include the < 4000 lines of code in
> their build root? Have there been any efforts on this?
>
> Thank you very much for all further information.
>
> Best regards,
> Paul Spooren
>
> [1] http://lineageos.org/


I asked the Lineage OS maintainer of my current phone and he responded to use the native VPN interface of Android. Are there any plans for that?

https://developer.android.com/reference/android/net/VpnService.html

That has many pros:
1. runs on any Android 4.0+ device (NO root required)
2. all VPN code (except the network interface of course) runs in userspace (in case of exploitation only the VPN app is compromised)
3. decoupled from the OS and easy to upgrade


Thanks for all further information!

Best,
Paul



Re: TCP Wireguard with socat

2018-03-13 Thread Gianluca Gabrielli
Thanks Matthias, now I see your point.

I'm wondering why we should prepend a length to each datagram. The datagram's header already contains the payload length; shouldn't that be enough to reconstruct the original datagram after the stream has been unwrapped?

Cheers,
Gianluca


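The length-prefix framing Gianluca is asking about, as an added example that is not code from the thread or from socat: when UDP payloads are relayed inside a TCP stream, the UDP header (and its length field) is not carried along, and TCP hands the receiver bytes in whatever chunk sizes it likes, so each datagram needs its own length prefix for the receiver to find its boundaries again. `Deframer` reassembles datagrams from any chunking; `relay_unframed` shows what a receiver sees without the prefix. All names and the sample datagrams are my own.

```python
"""Length-prefixed framing for relaying datagrams over a TCP stream.
Added example, not code from the thread or from socat. Datagram contents
are constructed sample bytes, not real WireGuard packets."""
import struct

HEADER = struct.Struct("!H")   # 2-byte big-endian length prefix
MAX_DATAGRAM = 65535           # largest length a 16-bit prefix can express


def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length so the receiver can find its end."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return HEADER.pack(len(datagram)) + datagram


class Deframer:
    """Reassembles datagrams from a stream delivered in arbitrary chunks."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Append a stream chunk and return every datagram now complete.
        A partial header or partial body simply waits for the next chunk."""
        self._buf += chunk
        out = []
        while len(self._buf) >= HEADER.size:
            (length,) = HEADER.unpack_from(self._buf)
            if len(self._buf) < HEADER.size + length:
                break                      # body has not fully arrived yet
            start = HEADER.size
            out.append(bytes(self._buf[start:start + length]))
            del self._buf[:start + length]
        return out

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete datagram."""
        return len(self._buf)


def chunks(data: bytes, size: int) -> list:
    """Simulate TCP delivering the stream in pieces of an arbitrary size."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def relay(datagrams, chunk_size):
    """Frame, concatenate, split as a stream would, and reassemble.
    Returns (recovered datagrams, bytes still buffered)."""
    stream = b"".join(frame(d) for d in datagrams)
    rx = Deframer()
    recovered = []
    for piece in chunks(stream, chunk_size):
        recovered.extend(rx.feed(piece))
    return recovered, rx.pending()


def relay_unframed(datagrams, chunk_size):
    """Same stream without prefixes: the reader only sees the chunk
    boundaries TCP happens to deliver, not the original datagrams."""
    return chunks(b"".join(datagrams), chunk_size)


# Constructed sample datagrams, including an empty one and a binary body.
SAMPLE = [b"handshake-initiation", b"", b"transport-data-" + bytes(range(40)), b"x"]

if __name__ == "__main__":
    for size in (1, 7, 4096):
        got, left = relay(SAMPLE, size)
        print(f"chunk size {size}: intact={got == SAMPLE}, buffered={left}")
    print(relay_unframed(SAMPLE, 7)[:3])
```

A 16-bit prefix is enough because a UDP payload can never exceed 65535 bytes; the receiver should still treat the declared length as untrusted input and cap how much it is willing to buffer before a frame completes.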