Re: Cannot ping peer 1 from peer 2

2018-03-15 Thread Vikas
Thank you.

On peer 2 making Address = 10.100.1.2/24 allows peer2 to ping peer1.

But peer2 is not able to use peer1 as a router.

From peer 2 when I do a traceroute the packets are not being forwarded by
peer1:

root@ubuntu:/gt/runenv/config/wireguard/client# traceroute 4.4.4.4
traceroute to 4.4.4.4 (4.4.4.4), 30 hops max, 60 byte packets
 1  10.100.1.1 (10.100.1.1)  4.206 ms  4.197 ms  4.189 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *

To make sure there is no confusion.

Here are the current settings I am using: https://thepasteb.in/p/y8hzcR2w7xDM0S2

What am I doing wrong?



--
VK


On Thu, Mar 15, 2018 at 7:07 PM, Vikas  wrote:
> Here is the config on peer 1 (Vmware VM running ubuntu 16.04):
> =
>
> vk@ubuntu /g/r/c/w/server> ifconfig ens33
> ens33 Link encap:Ethernet  HWaddr 00:0c:29:c8:6c:d5
>   inet addr:10.0.1.77  Bcast:10.0.1.255  Mask:255.255.255.0
>   inet6 addr: fe80::5b06:24b6:c9e4:954e/64 Scope:Link
>   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>   RX packets:327949 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:87146 errors:0 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:1000
>   RX bytes:351155285 (351.1 MB)  TX bytes:12179516 (12.1 MB)
>
>
> vk@ubuntu /g/r/c/w/server> more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.1/24
> ListenPort = 51820
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE
> PrivateKey = CPQLRq40QGY3+8yn2LlYb1x3zU/3/Ki+A4QjVYgbakY=
> SaveConfig = true
>
> [Peer]
> PublicKey = uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
> AllowedIPs = 10.100.1.2/32
>
>
> vk@ubuntu /g/r/c/w/server> ifconfig wg0
> wg0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>   inet addr:10.100.1.1  P-t-P:10.100.1.1  Mask:255.255.255.0
>   UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:0 errors:459 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:1000
>   RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>
>
> Here is the config on peer 2  (Vmware VM running ubuntu 18.04):
> ==
>
> root@ubuntu /g/r/c/w/client# ifconfig ens33
> ens33: flags=4163  mtu 1500
> inet 10.0.1.71  netmask 255.255.255.0  broadcast 10.0.1.255
> inet6 fe80::c4d7:35d6:306b:fc91  prefixlen 64  scopeid 0x20
> ether 00:0c:29:b6:bb:18  txqueuelen 1000  (Ethernet)
> RX packets 532611  bytes 765847699 (765.8 MB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 71767  bytes 5458394 (5.4 MB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>
> root@ubuntu /g/r/c/w/client# more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.2
> PrivateKey = AMZXJ1vBx6OOnZlbnYHuShTBAPuOzwCgweG73BS/4WY=
>
> [Peer]
> PublicKey = KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
> AllowedIPs = 0.0.0.0/0
> Endpoint = 10.0.1.77:51280
>
>
> root@ubuntu /g/r/c/w/client# ifconfig wg0
> wg0: flags=209  mtu 1420
> inet 10.100.1.2  netmask 255.255.255.255  destination 10.100.1.2
> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> txqueuelen 1000  (UNSPEC)
> RX packets 0  bytes 0 (0.0 B)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 10  bytes 1480 (1.4 KB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>
> root@ubuntu /g/r/c/w/client# ping 10.0.1.77
> PING 10.0.1.77 (10.0.1.77) 56(84) bytes of data.
> 64 bytes from 10.0.1.77: icmp_seq=1 ttl=64 time=0.464 ms
> 64 bytes from 10.0.1.77: icmp_seq=2 ttl=64 time=0.715 ms
>
>
> root@ubuntu /g/r/c/w/client# ping 10.100.1.1
> PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
> ^C
> --- 10.100.1.1 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2033ms
>
>
> What am I doing wrong?
>
> --
> VK
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: Android app and command line

2018-03-15 Thread Samuel Holland
Hello,

On 03/12/18 20:51, Jacob Schooley wrote:
> There is an option in the Android app to enable wg and wg-quick, which will be
> extremely useful to me as most of my VPN stuff is taken care of with Tasker.
> There are two major bugs with this however.

Thanks for the report!

> One is that the app doesn't automatically update the status of wireguard, so the
> switch inside the app won't flip if I use wg-quick up or down until I swipe off
> and reopen the app, and the quick settings toggle won't change.

I've looked into this, and it is unfortunately quite difficult to do. The app
can register to receive notification about network changes, but unfortunately
there's no* way for the app to tell the Android connectivity service that the
WireGuard tunnel exists, so Android can track its state. Even then, wg-quick on
the command line wouldn't easily be able to tell the app about _new_ tunnels.

*without using reflection to access internal framework classes.

> The other is that if I run wg-quick up, then try to bring it down through the
> app or the quick settings toggle, it says "Error bringing down tunnel: Unable to
> configure tunnel (wg-quick returned 2)." So as of now it really doesn't work
> well with tasker because I can't bring it down manually if I need to.

Hmm, that might actually be a bug. I'll look into that.

In the meantime, have you considered using Tasker to kill the app every time you
use wg-quick? Android will restart it and the quick tile will update, plus it
will refresh the state of all known tunnels within the app.

Regards,
Samuel


Re: Cannot ping peer 1 from peer 2

2018-03-15 Thread Tim Sedlmeyer
The ip address for the wg0 interface on peer 2 is set to 10.100.1.2/32
so peer2 has no route to reach 10.100.1.1. You either need to set a
route to 10.100.1.1 on peer 2 or change the address on peer 2 so the
subnet it is in includes 10.100.1.1. For example 10.100.1.2/24.

On Thu, Mar 15, 2018 at 10:07 PM, Vikas  wrote:
> Here is the config on peer 1 (Vmware VM running ubuntu 16.04):
> =
>
> vk@ubuntu /g/r/c/w/server> ifconfig ens33
> ens33 Link encap:Ethernet  HWaddr 00:0c:29:c8:6c:d5
>   inet addr:10.0.1.77  Bcast:10.0.1.255  Mask:255.255.255.0
>   inet6 addr: fe80::5b06:24b6:c9e4:954e/64 Scope:Link
>   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>   RX packets:327949 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:87146 errors:0 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:1000
>   RX bytes:351155285 (351.1 MB)  TX bytes:12179516 (12.1 MB)
>
>
> vk@ubuntu /g/r/c/w/server> more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.1/24
> ListenPort = 51820
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE
> PrivateKey = CPQLRq40QGY3+8yn2LlYb1x3zU/3/Ki+A4QjVYgbakY=
> SaveConfig = true
>
> [Peer]
> PublicKey = uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
> AllowedIPs = 10.100.1.2/32
>
>
> vk@ubuntu /g/r/c/w/server> ifconfig wg0
> wg0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>   inet addr:10.100.1.1  P-t-P:10.100.1.1  Mask:255.255.255.0
>   UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:0 errors:459 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:1000
>   RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>
>
> Here is the config on peer 2  (Vmware VM running ubuntu 18.04):
> ==
>
> root@ubuntu /g/r/c/w/client# ifconfig ens33
> ens33: flags=4163  mtu 1500
> inet 10.0.1.71  netmask 255.255.255.0  broadcast 10.0.1.255
> inet6 fe80::c4d7:35d6:306b:fc91  prefixlen 64  scopeid 0x20
> ether 00:0c:29:b6:bb:18  txqueuelen 1000  (Ethernet)
> RX packets 532611  bytes 765847699 (765.8 MB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 71767  bytes 5458394 (5.4 MB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>
> root@ubuntu /g/r/c/w/client# more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.2
> PrivateKey = AMZXJ1vBx6OOnZlbnYHuShTBAPuOzwCgweG73BS/4WY=
>
> [Peer]
> PublicKey = KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
> AllowedIPs = 0.0.0.0/0
> Endpoint = 10.0.1.77:51280
>
>
> root@ubuntu /g/r/c/w/client# ifconfig wg0
> wg0: flags=209  mtu 1420
> inet 10.100.1.2  netmask 255.255.255.255  destination 10.100.1.2
> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> txqueuelen 1000  (UNSPEC)
> RX packets 0  bytes 0 (0.0 B)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 10  bytes 1480 (1.4 KB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>
> root@ubuntu /g/r/c/w/client# ping 10.0.1.77
> PING 10.0.1.77 (10.0.1.77) 56(84) bytes of data.
> 64 bytes from 10.0.1.77: icmp_seq=1 ttl=64 time=0.464 ms
> 64 bytes from 10.0.1.77: icmp_seq=2 ttl=64 time=0.715 ms
>
>
> root@ubuntu /g/r/c/w/client# ping 10.100.1.1
> PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
> ^C
> --- 10.100.1.1 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2033ms
>
>
> What am I doing wrong?
>
> --
> VK


Cannot ping peer 1 from peer 2

2018-03-15 Thread Vikas
Here is the config on peer 1 (Vmware VM running ubuntu 16.04):
=

vk@ubuntu /g/r/c/w/server> ifconfig ens33
ens33 Link encap:Ethernet  HWaddr 00:0c:29:c8:6c:d5
  inet addr:10.0.1.77  Bcast:10.0.1.255  Mask:255.255.255.0
  inet6 addr: fe80::5b06:24b6:c9e4:954e/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:327949 errors:0 dropped:0 overruns:0 frame:0
  TX packets:87146 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:351155285 (351.1 MB)  TX bytes:12179516 (12.1 MB)


vk@ubuntu /g/r/c/w/server> more etc-wireguard-wg0.conf
[Interface]
Address = 10.100.1.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE
PrivateKey = CPQLRq40QGY3+8yn2LlYb1x3zU/3/Ki+A4QjVYgbakY=
SaveConfig = true

[Peer]
PublicKey = uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
AllowedIPs = 10.100.1.2/32


vk@ubuntu /g/r/c/w/server> ifconfig wg0
wg0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
  inet addr:10.100.1.1  P-t-P:10.100.1.1  Mask:255.255.255.0
  UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:459 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)



Here is the config on peer 2  (Vmware VM running ubuntu 18.04):
==

root@ubuntu /g/r/c/w/client# ifconfig ens33
ens33: flags=4163  mtu 1500
inet 10.0.1.71  netmask 255.255.255.0  broadcast 10.0.1.255
inet6 fe80::c4d7:35d6:306b:fc91  prefixlen 64  scopeid 0x20
ether 00:0c:29:b6:bb:18  txqueuelen 1000  (Ethernet)
RX packets 532611  bytes 765847699 (765.8 MB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 71767  bytes 5458394 (5.4 MB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


root@ubuntu /g/r/c/w/client# more etc-wireguard-wg0.conf
[Interface]
Address = 10.100.1.2
PrivateKey = AMZXJ1vBx6OOnZlbnYHuShTBAPuOzwCgweG73BS/4WY=

[Peer]
PublicKey = KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.1.77:51280


root@ubuntu /g/r/c/w/client# ifconfig wg0
wg0: flags=209  mtu 1420
inet 10.100.1.2  netmask 255.255.255.255  destination 10.100.1.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
txqueuelen 1000  (UNSPEC)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 10  bytes 1480 (1.4 KB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


root@ubuntu /g/r/c/w/client# ping 10.0.1.77
PING 10.0.1.77 (10.0.1.77) 56(84) bytes of data.
64 bytes from 10.0.1.77: icmp_seq=1 ttl=64 time=0.464 ms
64 bytes from 10.0.1.77: icmp_seq=2 ttl=64 time=0.715 ms


root@ubuntu /g/r/c/w/client# ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
^C
--- 10.100.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2033ms


What am I doing wrong?

--
VK


Re: Allowed IPs Toggling

2018-03-15 Thread Steve Gilberd
> WireGuard *does* support overlapping ranges of AllowedIPs on different peers. It
> doesn't support having *identical* ranges of AllowedIPs on different peers,
> which was the situation here. (You're correct, there's no concept of a metric.)

Oh good - looks like I just misunderstood your original email then; I
thought you were saying that any situation with multiple routes to a single
IP was unsupported. Thanks for clarifying :-).

Cheers,
Steve

On Fri, 16 Mar 2018, 07:51 Samuel Holland,  wrote:

> Hello,
>
> On 03/15/18 13:39, Steve Gilberd wrote:
> >> Allowed IPs is like a routing table; you can't have two routes for the same
> >> set of IPs
> >
> > If this is the case, then wireguard does not have proper routing support.
> >
> > Normally, routing tables allow both multiple and overlapping routes present.
> > When making routing decisions, the most-specific route is chosen (e.g. a /29 is
> > higher priority than a /24 which overlaps with it). If there are two identical
> > routes of the same size, then the one with the lowest routing metric is used.
> >
> > I can understand not allowing identical routes of the same size, as wireguard
> > doesn't really have a concept of metric (although it could be useful for backup
> > links). However, it really should allow overlapping routes of different sizes.
> > There's no ambiguity with routing decisions, and it's a standard feature that I
> > would normally expect any IP routing stack to have.
>
> WireGuard *does* support overlapping ranges of AllowedIPs on different peers. It
> doesn't support having *identical* ranges of AllowedIPs on different peers,
> which was the situation here. (You're correct, there's no concept of a metric.)
>
> > Cheers,
> > Steve
>
> Cheers,
> Samuel
>
-- 

Cheers,

*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019 The Terrace, Wellington 6143, NZ*


Re: Allowed IPs Toggling

2018-03-15 Thread Samuel Holland
Hello,

On 03/15/18 13:39, Steve Gilberd wrote:
>> Allowed IPs is like a routing table; you can't have two routes for the same
>> set of IPs
>
> If this is the case, then wireguard does not have proper routing support.
>
> Normally, routing tables allow both multiple and overlapping routes present.
> When making routing decisions, the most-specific route is chosen (e.g. a /29 is
> higher priority than a /24 which overlaps with it). If there are two identical
> routes of the same size, then the one with the lowest routing metric is used.
>
> I can understand not allowing identical routes of the same size, as wireguard
> doesn't really have a concept of metric (although it could be useful for backup
> links). However, it really should allow overlapping routes of different sizes.
> There's no ambiguity with routing decisions, and it's a standard feature that I
> would normally expect any IP routing stack to have.

WireGuard *does* support overlapping ranges of AllowedIPs on different peers. It
doesn't support having *identical* ranges of AllowedIPs on different peers,
which was the situation here. (You're correct, there's no concept of a metric.)

> Cheers,
> Steve

Cheers,
Samuel


Re: Allowed IPs Toggling

2018-03-15 Thread Steve Gilberd
> Allowed IPs is like a routing table; you can't have two routes for the same
> set of IPs

If this is the case, then wireguard does not have proper routing support.

Normally, routing tables allow both multiple and overlapping routes
present. When making routing decisions, the most-specific route is chosen
(e.g. a /29 is higher priority than a /24 which overlaps with it). If there
are two identical routes of the same size, then the one with the lowest
routing metric is used.

I can understand not allowing identical routes of the same size, as
wireguard doesn't really have a concept of metric (although it could be
useful for backup links). However, it really should allow overlapping
routes of different sizes. There's no ambiguity with routing decisions, and
it's a standard feature that I would normally expect any IP routing stack
to have.

Cheers,
Steve

On Fri, 16 Mar 2018, 04:57 Samuel Holland,  wrote:

> Hello,
>
> On 03/15/18 10:31, Gianluca Gabrielli wrote:
> > I was setting two peers on the server, but every time I re-add one of these
> > two the other one is shown with (none) on "allowed ips" field. Of course that
> > blocks communications with that peer. If I try to re-add it, then the other
> > peer loses its configuration, same problem.
>
> Allowed IPs is like a routing table; you can't have two routes for the same set
> of IPs, or WireGuard doesn't know which peer to send the traffic to. You want to
> have non-overlapping Allowed IP ranges. This usually means that the range of
> Allowed IPs is smaller than the host's subnet. For example:
>
> Host A:
> IP configuration for WireGuard interface: 192.168.123.1/24
> Allowed IPs for Host B: 192.168.123.2/32
>
> Host B:
> IP configuration for WireGuard interface: 192.168.123.2/24
> Allowed IPs for Host A: 192.168.123.1/32
>
> The IP configuration tells the kernel which IP ranges are accessible via the
> WireGuard interface. The Allowed IPs tell WireGuard, which _subset_ of those IPs
> is associated with each peer.
>
> > Cheers,
> > Gianluca
>
> Cheers,
> Samuel
>
-- 

Cheers,

*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019 The Terrace, Wellington 6143, NZ*


Re: Multiple peers

2018-03-15 Thread Germano Massullo
Hi Gianluca, you may want to read also this example I explained in Ninux
mailing list
https://www.mail-archive.com/wireless@ml.ninux.org/msg20983.html

Best regards


Re: Lineage OS (Android) Support

2018-03-15 Thread Samuel Holland
Hello,

On 03/13/18 06:15, Paul wrote:
> On Sun, Mar 11, 2018 at 7:42 PM, Paul wrote:
>> Hi all,
>>
>> I'm new to the list and hope this wasn't discussed in length here before. If
>> so, please give me a direction, I couldn't find anything related.
>>
>> For the last days I tried to find a Lineage OS [1] compatible kernel with
>> wireguard included, sadly there is none. Instead of installing a custom
>> kernel, could Lineage include the < 4000 lines of code in their build root?
>> Have there been any efforts on this?
>>
>> Thank you very much for all further information.
>>
>> Best regards,
>> Paul Spooren
>>
>> [1] http://lineageos.org/
> 
> I asked the Lineage OS maintainer of my current phone and he responded to use
> the native VPN interface of Android. Are there any plans on that?

Yes, support for using the Go implementation[1] with VpnService is in the works.
The same app will support both the native and userspace implementations. It will
prefer the native implementation if root access and the kernel module are
available, and fall back to using VpnService otherwise.

>> https://developer.android.com/reference/android/net/VpnService.html
>>
>> That has many pros:
>> 1. runs on any Android 4.0+ device (NO root required)
>> 2. all VPN code (except network interface of course) is running in userspace
>> (in case of exploitation only VPN app is compromised)
>> 3. decoupled from OS and easy to upgrade

Using the native implementation has its own benefits. It will generally be
faster and more battery-efficient, and it supports having multiple tunnels up
simultaneously. VpnService only allows one VPN to be active at a time.

> Thanks for all further information!
> 
> Best,
> Paul

Regards,
Samuel

[1]: https://git.zx2c4.com/wireguard-go/


Re: Allowed IPs Toggling

2018-03-15 Thread Samuel Holland
Hello,

On 03/15/18 10:31, Gianluca Gabrielli wrote:
> I was setting two peers on the server, but every time I re-add one of these 
> two the other one is shown with (none) on "allowed ips" field. Of course that
> blocks communications with that peer. If I try to re-add it, then the other
> peer loses its configuration, same problem.

Allowed IPs is like a routing table; you can't have two routes for the same set
of IPs, or WireGuard doesn't know which peer to send the traffic to. You want to
have non-overlapping Allowed IP ranges. This usually means that the range of
Allowed IPs is smaller than the host's subnet. For example:

Host A:
IP configuration for WireGuard interface: 192.168.123.1/24
Allowed IPs for Host B: 192.168.123.2/32

Host B:
IP configuration for WireGuard interface: 192.168.123.2/24
Allowed IPs for Host A: 192.168.123.1/32

The IP configuration tells the kernel which IP ranges are accessible via the
WireGuard interface. The Allowed IPs tell WireGuard, which _subset_ of those IPs
is associated with each peer.

> Cheers,
> Gianluca

Cheers,
Samuel
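
The two lookups described in this thread (the kernel route implied by the interface address, then the AllowedIPs table that picks a peer), modelled as an added example that is not part of any poster's message and is not WireGuard's own code. Peer names and the sample prefixes are constructed; the receive-side check reflects WireGuard's use of the same table to filter source addresses.

```python
"""Toy model of interface-address routing and AllowedIPs peer selection."""
import ipaddress


def connected_route_covers(address, dst):
    """Kernel side: does the connected route implied by the interface
    address cover dst? An address written without a prefix length is a /32.
    Assumption: no other route points at the interface."""
    net = ipaddress.ip_interface(address).network
    return ipaddress.ip_address(dst) in net


class AllowedIPsTable:
    """WireGuard side: each exact prefix has exactly one owning peer."""

    def __init__(self):
        self._owner = {}  # ip_network -> peer name

    def add(self, peer, prefix):
        """Assign prefix to peer; return the peer that lost it, if any."""
        net = ipaddress.ip_network(prefix)
        previous = self._owner.get(net)
        self._owner[net] = peer  # an identical prefix moves, it is not shared
        return previous if previous != peer else None

    def prefixes(self, peer):
        """The peer's allowed ips, or "(none)" once every prefix has moved."""
        nets = sorted((n for n, p in self._owner.items() if p == peer), key=str)
        return [str(n) for n in nets] or ["(none)"]

    def route(self, dst):
        """Outbound: the most specific prefix containing dst picks the peer."""
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self._owner if ip in n]
        if not matches:
            return None  # no peer owns this destination; packet is dropped
        return self._owner[max(matches, key=lambda n: n.prefixlen)]

    def accepts(self, peer, src):
        """Inbound: a decrypted packet is kept only if its source address
        maps back to the peer that sent it."""
        return self.route(src) == peer


if __name__ == "__main__":
    # Address with and without a prefix length, as in the ping thread.
    for addr in ("10.100.1.2", "10.100.1.2/24"):
        print(addr, "reaches 10.100.1.1:",
              connected_route_covers(addr, "10.100.1.1"))

    table = AllowedIPsTable()
    table.add("B", "192.168.123.0/24")
    # Identical range on a second peer: B loses it and shows "(none)".
    print("took prefix from:", table.add("C", "192.168.123.0/24"))
    print("B:", table.prefixes("B"), "C:", table.prefixes("C"))
    # Overlapping range of a different size: both stay, longest match wins.
    table.add("B", "192.168.123.8/29")
    print("192.168.123.9 ->", table.route("192.168.123.9"))
    print("192.168.123.200 ->", table.route("192.168.123.200"))
    print("C may send from 192.168.123.9:", table.accepts("C", "192.168.123.9"))
```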


Re: Multiple peers

2018-03-15 Thread Gianluca Gabrielli
Thanks to both of you guys, really helpful! Especially **Network Namespace** is 
a great feature that I didn't know before.

Cheers,
Gianluca

