Re: Multiple peers
Another option instead of using the iptables rule is to create a network namespace and assign the wireguard interface to it.

ip netns add mesh
ip link add wg0 type wireguard
ip link set wg0 netns mesh
ip -n mesh addr add x.x.x.x/24 dev wg0
ip netns exec mesh wg setconf wg0 /etc/wireguard/wg0.conf
ip -n mesh link set wg0 up

I prefer this because it isolates any mesh network routing and firewall configuration from that of the physical interfaces of the hub server. You don't have to worry about a routing or firewall misconfiguration on the hub leading to the traffic from the VPN network going on to the hub server's underlying network. Also, if you want to provide a service to the VPN network from the server, you can run the process in the mesh network namespace or inside a container with only an interface in the mesh namespace available to it.

On Tue, Mar 13, 2018 at 1:35 PM, wrote:
> Hi Gianluca,
>
>> I wonder if I need to copy/paste all peers' public key on all the other
>> peers' configuration, or I can just configure each peer to connect to the
>> server and then allow peers talking with other peers passing through this
>> server?
>
> If you want each peer to have a 1:1 connection to each other peer, then –
> yes. But to maintain such a mesh will be quite a bit of work…
>
> The easier solution should be to use the server as a hub. Make sure the
> AllowedIPs on the “clients” permit the subnet IP range you will be using,
> e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer
> should reflect the single address (/32) you are setting as interface address
> on the peer's side.
>
> To glue, add an iptables rule:
> iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT
>
> Kind regards,
> Peter

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
Re: Multiple peers
Hi Gianluca,

> I wonder if I need to copy/paste all peers' public key on all the other peers' configuration, or I can just configure each peer to connect to the server and then allow peers talking with other peers passing through this server?

If you want each peer to have a 1:1 connection to each other peer, then – yes. But to maintain such a mesh will be quite a bit of work…

The easier solution should be to use the server as a hub. Make sure the AllowedIPs on the “clients” permit the subnet IP range you will be using, e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer should reflect the single address (/32) you are setting as interface address on the peer's side.

To glue, add an iptables rule:
iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT

Kind regards,
Peter
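Peter's AllowedIPs rule as an added worked example (not code from the thread or from the WireGuard project): a small Python generator that emits the hub and client configs and a check that enforces the rule. The keys, the hub hostname and the addresses are constructed placeholders.

```python
# Added example, not code from the thread: build hub-and-spoke WireGuard configs that
# follow Peter's AllowedIPs rule and check them. Keys, names and addresses are constructed.
import ipaddress

MESH = ipaddress.ip_network("192.168.10.0/24")  # subnet used in the thread
# Constructed placeholders; a real deployment uses `wg genkey` / `wg pubkey` output.
HUB = {"pubkey": "HUB_PUBKEY_PLACEHOLDER=", "endpoint": "hub.example.invalid:51820",
       "address": ipaddress.ip_address("192.168.10.1")}
CLIENTS = [
    {"pubkey": "C1_PUBKEY_PLACEHOLDER=", "address": ipaddress.ip_address("192.168.10.2")},
    {"pubkey": "C2_PUBKEY_PLACEHOLDER=", "address": ipaddress.ip_address("192.168.10.3")},
]

def hub_peers(clients):
    """Hub side: one [Peer] per client, AllowedIPs pinned to that client's single /32,
    so the hub only accepts (and routes back) that one source address per key."""
    return [{"PublicKey": c["pubkey"], "AllowedIPs": f"{c['address']}/32"} for c in clients]

def client_peer(hub, mesh):
    """Client side: the hub is the only peer and AllowedIPs is the whole mesh subnet,
    so packets for every other client are sent to the hub, which forwards them."""
    return {"PublicKey": hub["pubkey"], "Endpoint": hub["endpoint"],
            "AllowedIPs": str(mesh), "PersistentKeepalive": "25"}

def render(interface, peers):
    """Serialise to the INI-style format that wg-quick and wg setconf read."""
    lines = ["[Interface]"] + [f"{k} = {v}" for k, v in interface.items()]
    for p in peers:
        lines += ["", "[Peer]"] + [f"{k} = {v}" for k, v in p.items()]
    return "\n".join(lines) + "\n"

def hub_config(hub, clients, mesh, private_key="HUB_PRIVKEY_PLACEHOLDER="):
    iface = {"PrivateKey": private_key, "Address": f"{hub['address']}/{mesh.prefixlen}",
             "ListenPort": "51820"}
    return render(iface, hub_peers(clients))

def client_config(client, hub, mesh, private_key="CLIENT_PRIVKEY_PLACEHOLDER="):
    iface = {"PrivateKey": private_key, "Address": f"{client['address']}/32"}
    return render(iface, [client_peer(hub, mesh)])

def check_hub_and_spoke(hub_peer_list, client_peer_cfg, mesh):
    """Peter's rule as a check: every hub entry is exactly one /32 inside the mesh,
    no two clients share an address, and the client's AllowedIPs covers the mesh."""
    seen = set()
    for p in hub_peer_list:
        net = ipaddress.ip_network(p["AllowedIPs"])
        if net.prefixlen != 32 or not net.subnet_of(mesh) or net in seen:
            return False
        seen.add(net)
    return ipaddress.ip_network(client_peer_cfg["AllowedIPs"]).supernet_of(mesh)
```

The FORWARD rule (or the namespace variant from the other reply) is still needed on the hub; this only covers the WireGuard side of the configuration.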
Multiple peers
Hi everybody,

I have five peers, and I want each peer to be able to talk with all the other peers. Moreover, let's say that one of these peers will act as a server and as a gateway, while the other four will be only clients.

I wonder if I need to copy/paste all peers' public key on all the other peers' configuration, or I can just configure each peer to connect to the server and then allow peers talking with other peers passing through this server? (Something similar to the client-to-client option on OpenVPN)

I don't care about firewall rules to configure the server to NAT clients' connections; my question is just about wireguard configuration.

Cheers,
Gianluca
Re: Lineage OS (Android) Support
On Sun, Mar 11, 2018 at 7:42 PM, Paul wrote:
> Hi all,
>
> I'm new to the list and hope this wasn't discussed at length here before. If so, please give me a direction, I couldn't find anything related.
>
> For the last few days I tried to find a Lineage OS [1] compatible kernel with wireguard included, sadly there is none. Instead of installing a custom kernel, could Lineage include the < 4000 lines of code in their build root? Have there been any efforts on this?
>
> Thank you very much for all further information.
>
> Best regards,
> Paul Spooren
>
> [1] http://lineageos.org/

I asked the Lineage OS maintainer of my current phone and he responded to use the native VPN interface of Android. Are there any plans on that?
https://developer.android.com/reference/android/net/VpnService.html

That has many pros:
1. runs on any Android 4.0+ device (NO root required)
2. all VPN code (except network interface of course) is running in userspace (in case of exploitation only the VPN app is compromised)
3. decoupled from OS and easy to upgrade

Thanks for all further information!

Best,
Paul
Re: TCP Wireguard with socat
Thanks Matthias, now I see your point.

I'm wondering why we should prepend a length to each datagram. The payload length is already present in the datagram's header; shouldn't that be enough to reconstruct the original datagram after the stream has been unwrapped?

Cheers,
Gianluca
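An added example (not from the thread, and not socat's code) of the length-prefix framing under discussion: TCP hands the receiver a byte stream with no datagram boundaries, and WireGuard's transport data message carries no length field of its own, so the wrapper prefixes every datagram with its length and the unwrapper reassembles across whatever chunk boundaries the stream produces. The sample datagrams are constructed.

```python
# Added example, not from the thread: length-prefix framing for carrying UDP datagrams
# over a TCP byte stream, plus a reassembler that tolerates arbitrary chunk boundaries.
import struct

MAX_DATAGRAM = 65535  # a UDP payload never exceeds this, so a 2-byte length suffices

def frame(datagram: bytes) -> bytes:
    """Sender side of the wrapper: prepend a 2-byte big-endian length."""
    if not 0 < len(datagram) <= MAX_DATAGRAM:
        raise ValueError("datagram length out of range")
    return struct.pack("!H", len(datagram)) + datagram

class Unframer:
    """Receiver side: feed() takes whatever the stream hands over (half a datagram,
    three at once, ...) and returns the complete datagrams recovered so far."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes):
        self.buf += chunk
        out = []
        while len(self.buf) >= 2:
            n = struct.unpack("!H", self.buf[:2])[0]
            if n == 0:
                raise ValueError("zero-length frame: stream corrupt or desynchronised")
            if len(self.buf) < 2 + n:
                break  # wait for the rest of this datagram
            out.append(bytes(self.buf[2:2 + n]))
            del self.buf[:2 + n]
        return out

def relay(datagrams, chunk_size):
    """Simulate the path: frame each datagram, concatenate into one stream, deliver it
    in fixed-size chunks (which split and merge frames), reassemble on the far side.
    Returns (datagrams recovered, bytes still waiting in the receive buffer)."""
    stream = b"".join(frame(d) for d in datagrams)
    rx = Unframer()
    received = []
    for i in range(0, len(stream), chunk_size):
        received += rx.feed(stream[i:i + chunk_size])
    return received, bytes(rx.buf)

# Constructed sample datagrams of different sizes. The leading 0x04 mimics the
# WireGuard transport-data message type; the rest is filler, not real ciphertext.
SAMPLE = [b"\x04" + b"A" * 60, b"\x04" + b"B" * 1200, b"\x04" + b"C" * 7]

if __name__ == "__main__":
    got, leftover = relay(SAMPLE, 100)
    print(len(got), "datagrams recovered,", len(leftover), "bytes pending")
```

Without the prefix, a receiver that gets 100-byte chunks from the stream has no way to tell where the 61-byte datagram ends and the 1201-byte one begins.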