Re: Cannot ping peer 1 from peer 2
Thank you. On peer 2 making Address = 10.100.1.2/24 allows peer2 to ping peer1. But peer2 is not able to use peer1 as a router. From peer 2 when I do a traceroute the packets are not being forwarded by peer1:

root@ubuntu:/gt/runenv/config/wireguard/client# traceroute 4.4.4.4
traceroute to 4.4.4.4 (4.4.4.4), 30 hops max, 60 byte packets
1 10.100.1.1 (10.100.1.1) 4.206 ms 4.197 ms 4.189 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *

To make sure there is no confusion. Here are the current settings I am using:
https://thepasteb.in/p/y8hzcR2w7xDM0S2

What am I doing wrong?

--
VK

On Thu, Mar 15, 2018 at 7:07 PM, Vikas wrote:
> Here is the config on peer 1 (Vmware VM running ubuntu 16.04):
> =
>
> vk@ubuntu /g/r/c/w/server> ifconfig ens33
> ens33 Link encap:Ethernet HWaddr 00:0c:29:c8:6c:d5
> inet addr:10.0.1.77 Bcast:10.0.1.255 Mask:255.255.255.0
> inet6 addr: fe80::5b06:24b6:c9e4:954e/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:327949 errors:0 dropped:0 overruns:0 frame:0
> TX packets:87146 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:351155285 (351.1 MB) TX bytes:12179516 (12.1 MB)
>
> vk@ubuntu /g/r/c/w/server> more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.1/24
> ListenPort = 51820
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE
> PrivateKey = CPQLRq40QGY3+8yn2LlYb1x3zU/3/Ki+A4QjVYgbakY=
> SaveConfig = true
>
> [Peer]
> PublicKey = uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
> AllowedIPs = 10.100.1.2/32
>
> vk@ubuntu /g/r/c/w/server> ifconfig wg0
> wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:10.100.1.1 P-t-P:10.100.1.1 Mask:255.255.255.0
> UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:459 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> Here is the config on peer 2 (Vmware VM running ubuntu 18.04):
> ==
>
> root@ubuntu /g/r/c/w/client# ifconfig ens33
> ens33: flags=4163 mtu 1500
> inet 10.0.1.71 netmask 255.255.255.0 broadcast 10.0.1.255
> inet6 fe80::c4d7:35d6:306b:fc91 prefixlen 64 scopeid 0x20
> ether 00:0c:29:b6:bb:18 txqueuelen 1000 (Ethernet)
> RX packets 532611 bytes 765847699 (765.8 MB)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 71767 bytes 5458394 (5.4 MB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> root@ubuntu /g/r/c/w/client# more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.2
> PrivateKey = AMZXJ1vBx6OOnZlbnYHuShTBAPuOzwCgweG73BS/4WY=
>
> [Peer]
> PublicKey = KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
> AllowedIPs = 0.0.0.0/0
> Endpoint = 10.0.1.77:51280
>
> root@ubuntu /g/r/c/w/client# ifconfig wg0
> wg0: flags=209 mtu 1420
> inet 10.100.1.2 netmask 255.255.255.255 destination 10.100.1.2
> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 10 bytes 1480 (1.4 KB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> root@ubuntu /g/r/c/w/client# ping 10.0.1.77
> PING 10.0.1.77 (10.0.1.77) 56(84) bytes of data.
> 64 bytes from 10.0.1.77: icmp_seq=1 ttl=64 time=0.464 ms
> 64 bytes from 10.0.1.77: icmp_seq=2 ttl=64 time=0.715 ms
>
> root@ubuntu /g/r/c/w/client# ping 10.100.1.1
> PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
> ^C
> --- 10.100.1.1 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2033ms
>
> What am I doing wrong?
>
> --
> VK

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Android app and command line
Hello,

On 03/12/18 20:51, Jacob Schooley wrote:
> There is an option in the Android app to enable wg and wg-quick, which will be
> extremely useful to me as most of my VPN stuff is taken care of with Tasker.
> There are two major bugs with this however.

Thanks for the report!

> One is that the app doesn't automatically update the status of wireguard, so the
> switch inside the app won't flip if I use wg-quick up or down until I swipe off
> and reopen the app, and the quick settings toggle won't change.

I've looked into this, and it is unfortunately quite difficult to do. The app can register to receive notification about network changes, but unfortunately there's no* way for the app to tell the Android connectivity service that the WireGuard tunnel exists, so Android can track its state. Even then, wg-quick on the command line wouldn't easily be able to tell the app about _new_ tunnels.

*without using reflection to access internal framework classes.

> The other is that if I run wg-quick up, then try to bring it down through the
> app or the quick settings toggle, it says "Error bringing down tunnel: Unable to
> configure tunnel (wg-quick returned 2)." So as of now it really doesn't work
> well with tasker because I can't bring it down manually if I need to.

Hmm, that might actually be a bug. I'll look into that.

In the meantime, have you considered using Tasker to kill the app every time you use wg-quick? Android will restart it and the quick tile will update, plus it will refresh the state of all known tunnels within the app.

Regards,
Samuel

Re: Cannot ping peer 1 from peer 2
The ip address for the wg0 interface on peer 2 is set to 10.100.1.2/32 so peer2 has no route to reach 10.100.1.1. You either need to set a route to 10.100.1.1 on peer 2 or change the address on peer 2 so the subnet it is in includes 10.100.1.1. For example 10.100.1.2/24.

On Thu, Mar 15, 2018 at 10:07 PM, Vikas wrote:
> Here is the config on peer 1 (Vmware VM running ubuntu 16.04):
> =
>
> vk@ubuntu /g/r/c/w/server> ifconfig ens33
> ens33 Link encap:Ethernet HWaddr 00:0c:29:c8:6c:d5
> inet addr:10.0.1.77 Bcast:10.0.1.255 Mask:255.255.255.0
> inet6 addr: fe80::5b06:24b6:c9e4:954e/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:327949 errors:0 dropped:0 overruns:0 frame:0
> TX packets:87146 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:351155285 (351.1 MB) TX bytes:12179516 (12.1 MB)
>
> vk@ubuntu /g/r/c/w/server> more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.1/24
> ListenPort = 51820
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE
> PrivateKey = CPQLRq40QGY3+8yn2LlYb1x3zU/3/Ki+A4QjVYgbakY=
> SaveConfig = true
>
> [Peer]
> PublicKey = uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
> AllowedIPs = 10.100.1.2/32
>
> vk@ubuntu /g/r/c/w/server> ifconfig wg0
> wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:10.100.1.1 P-t-P:10.100.1.1 Mask:255.255.255.0
> UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:459 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> Here is the config on peer 2 (Vmware VM running ubuntu 18.04):
> ==
>
> root@ubuntu /g/r/c/w/client# ifconfig ens33
> ens33: flags=4163 mtu 1500
> inet 10.0.1.71 netmask 255.255.255.0 broadcast 10.0.1.255
> inet6 fe80::c4d7:35d6:306b:fc91 prefixlen 64 scopeid 0x20
> ether 00:0c:29:b6:bb:18 txqueuelen 1000 (Ethernet)
> RX packets 532611 bytes 765847699 (765.8 MB)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 71767 bytes 5458394 (5.4 MB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> root@ubuntu /g/r/c/w/client# more etc-wireguard-wg0.conf
> [Interface]
> Address = 10.100.1.2
> PrivateKey = AMZXJ1vBx6OOnZlbnYHuShTBAPuOzwCgweG73BS/4WY=
>
> [Peer]
> PublicKey = KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
> AllowedIPs = 0.0.0.0/0
> Endpoint = 10.0.1.77:51280
>
> root@ubuntu /g/r/c/w/client# ifconfig wg0
> wg0: flags=209 mtu 1420
> inet 10.100.1.2 netmask 255.255.255.255 destination 10.100.1.2
> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 10 bytes 1480 (1.4 KB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> root@ubuntu /g/r/c/w/client# ping 10.0.1.77
> PING 10.0.1.77 (10.0.1.77) 56(84) bytes of data.
> 64 bytes from 10.0.1.77: icmp_seq=1 ttl=64 time=0.464 ms
> 64 bytes from 10.0.1.77: icmp_seq=2 ttl=64 time=0.715 ms
>
> root@ubuntu /g/r/c/w/client# ping 10.100.1.1
> PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
> ^C
> --- 10.100.1.1 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2033ms
>
> What am I doing wrong?
>
> --
> VK

Cannot ping peer 1 from peer 2
Here is the config on peer 1 (Vmware VM running ubuntu 16.04):
=

vk@ubuntu /g/r/c/w/server> ifconfig ens33
ens33 Link encap:Ethernet HWaddr 00:0c:29:c8:6c:d5
inet addr:10.0.1.77 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::5b06:24b6:c9e4:954e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:327949 errors:0 dropped:0 overruns:0 frame:0
TX packets:87146 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:351155285 (351.1 MB) TX bytes:12179516 (12.1 MB)

vk@ubuntu /g/r/c/w/server> more etc-wireguard-wg0.conf
[Interface]
Address = 10.100.1.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE
PrivateKey = CPQLRq40QGY3+8yn2LlYb1x3zU/3/Ki+A4QjVYgbakY=
SaveConfig = true

[Peer]
PublicKey = uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
AllowedIPs = 10.100.1.2/32

vk@ubuntu /g/r/c/w/server> ifconfig wg0
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.100.1.1 P-t-P:10.100.1.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:459 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Here is the config on peer 2 (Vmware VM running ubuntu 18.04):
==

root@ubuntu /g/r/c/w/client# ifconfig ens33
ens33: flags=4163 mtu 1500
inet 10.0.1.71 netmask 255.255.255.0 broadcast 10.0.1.255
inet6 fe80::c4d7:35d6:306b:fc91 prefixlen 64 scopeid 0x20
ether 00:0c:29:b6:bb:18 txqueuelen 1000 (Ethernet)
RX packets 532611 bytes 765847699 (765.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 71767 bytes 5458394 (5.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@ubuntu /g/r/c/w/client# more etc-wireguard-wg0.conf
[Interface]
Address = 10.100.1.2
PrivateKey = AMZXJ1vBx6OOnZlbnYHuShTBAPuOzwCgweG73BS/4WY=

[Peer]
PublicKey = KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.1.77:51280

root@ubuntu /g/r/c/w/client# ifconfig wg0
wg0: flags=209 mtu 1420
inet 10.100.1.2 netmask 255.255.255.255 destination 10.100.1.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 1480 (1.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@ubuntu /g/r/c/w/client# ping 10.0.1.77
PING 10.0.1.77 (10.0.1.77) 56(84) bytes of data.
64 bytes from 10.0.1.77: icmp_seq=1 ttl=64 time=0.464 ms
64 bytes from 10.0.1.77: icmp_seq=2 ttl=64 time=0.715 ms

root@ubuntu /g/r/c/w/client# ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
^C
--- 10.100.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2033ms

What am I doing wrong?

--
VK

Re: Allowed IPs Toggling
> WireGuard *does* support overlapping ranges of AllowedIPs on different peers. It
> doesn't support having *identical* ranges of AllowedIPs on different peers,
> which was the situation here. (You're correct, there's no concept of a metric.)

Oh good - looks like I just misunderstood your original email then; I thought you were saying that any situation with multiple routes to a single IP was unsupported. Thanks for clarifying :-).

Cheers,
Steve

On Fri, 16 Mar 2018, 07:51 Samuel Holland wrote:
> Hello,
>
> On 03/15/18 13:39, Steve Gilberd wrote:
> >> Allowed IPs is like a routing table; you can't have two routes for the same
> >> set of IPs
> >
> > If this is the case, then wireguard does not have proper routing support.
> >
> > Normally, routing tables allow both multiple and overlapping routes present.
> > When making routing decisions, the most-specific route is chosen (e.g. a /29 is
> > higher priority than a /24 which overlaps with it). If there are two identical
> > routes of the same size, then the one with the lowest routing metric is used.
> >
> > I can understand not allowing identical routes of the same size, as wireguard
> > doesn't really have a concept of metric (although it could be useful for backup
> > links). However, it really should allow overlapping routes of different sizes.
> > There's no ambiguity with routing decisions, and it's a standard feature that I
> > would normally expect any IP routing stack to have.
>
> WireGuard *does* support overlapping ranges of AllowedIPs on different peers. It
> doesn't support having *identical* ranges of AllowedIPs on different peers,
> which was the situation here. (You're correct, there's no concept of a metric.)
>
> > Cheers,
> > Steve
>
> Cheers,
> Samuel

--
Cheers,
*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019 The Terrace, Wellington 6143, NZ*

Re: Allowed IPs Toggling
Hello,

On 03/15/18 13:39, Steve Gilberd wrote:
>> Allowed IPs is like a routing table; you can't have two routes for the same
>> set of IPs
>
> If this is the case, then wireguard does not have proper routing support.
>
> Normally, routing tables allow both multiple and overlapping routes present.
> When making routing decisions, the most-specific route is chosen (e.g. a /29 is
> higher priority than a /24 which overlaps with it). If there are two identical
> routes of the same size, then the one with the lowest routing metric is used.
>
> I can understand not allowing identical routes of the same size, as wireguard
> doesn't really have a concept of metric (although it could be useful for backup
> links). However, it really should allow overlapping routes of different sizes.
> There's no ambiguity with routing decisions, and it's a standard feature that I
> would normally expect any IP routing stack to have.

WireGuard *does* support overlapping ranges of AllowedIPs on different peers. It doesn't support having *identical* ranges of AllowedIPs on different peers, which was the situation here. (You're correct, there's no concept of a metric.)

> Cheers,
> Steve

Cheers,
Samuel

Re: Allowed IPs Toggling
> Allowed IPs is like a routing table; you can't have two routes for the same set of IPs

If this is the case, then wireguard does not have proper routing support.

Normally, routing tables allow both multiple and overlapping routes present. When making routing decisions, the most-specific route is chosen (e.g. a /29 is higher priority than a /24 which overlaps with it). If there are two identical routes of the same size, then the one with the lowest routing metric is used.

I can understand not allowing identical routes of the same size, as wireguard doesn't really have a concept of metric (although it could be useful for backup links). However, it really should allow overlapping routes of different sizes. There's no ambiguity with routing decisions, and it's a standard feature that I would normally expect any IP routing stack to have.

Cheers,
Steve

On Fri, 16 Mar 2018, 04:57 Samuel Holland wrote:
> Hello,
>
> On 03/15/18 10:31, Gianluca Gabrielli wrote:
> > I was setting two peers on the server, but every time I re-add one of these
> > two the other one is shown with (none) on "allowed ips" field. Of course that
> > blocks communications with that peer. If I try to re-add it, then the other
> > peer loses its configuration, same problem.
>
> Allowed IPs is like a routing table; you can't have two routes for the same set
> of IPs, or WireGuard doesn't know which peer to send the traffic to. You want to
> have non-overlapping Allowed IP ranges. This usually means that the range of
> Allowed IPs is smaller than the host's subnet. For example:
>
> Host A:
> IP configuration for WireGuard interface: 192.168.123.1/24
> Allowed IPs for Host B: 192.168.123.2/32
>
> Host B:
> IP configuration for WireGuard interface: 192.168.123.2/24
> Allowed IPs for Host A: 192.168.123.1/32
>
> The IP configuration tells the kernel which IP ranges are accessible via the
> WireGuard interface. The Allowed IPs tell WireGuard, which _subset_ of those IPs
> is associated with each peer.
>
> > Cheers,
> > Gianluca
>
> Cheers,
> Samuel

--
Cheers,
*Steve Gilberd*
Erayd LTD *·* Consultant
*Phone: +64 4 974-4229 **·** Mob: +64 27 565-3237*
*PO Box 10019 The Terrace, Wellington 6143, NZ*

Re: Multiple peers
Hi Gianluca,

you may want to read also this example I explained in Ninux mailing list
https://www.mail-archive.com/wireless@ml.ninux.org/msg20983.html

Best regards

Re: Lineage OS (Android) Support
Hello,

On 03/13/18 06:15, Paul wrote:
> On Sun, Mar 11, 2018 at 7:42 PM, Paul wrote:
>> Hi all,
>>
>> I'm new to the list and hope this wasn't discussed in length here before. If
>> so, please give me a direction, I couldn't find anything related.
>>
>> For the last days I tried to find a Lineage OS [1] compatible kernel with
>> wireguard included, sadly there is none. Instead of installing a custom
>> kernel, could Lineage include the < 4000 lines of code in their build root?
>> Have there been any efforts on this?
>>
>> Thank you very much for all further information.
>>
>> Best regards,
>> Paul Spooren
>>
>> [1] http://lineageos.org/
>
> I asked the Lineage OS maintainer of my current phone and he responded to use
> the native VPN interface of Android. Are there any plans on that?

Yes, support for using the Go implementation[1] with VpnService is in the works. The same app will support both the native and userspace implementations. It will prefer the native implementation if root access and the kernel module are available, and fall back to using VpnService otherwise.

>> https://developer.android.com/reference/android/net/VpnService.html
>>
>> That has many pros:
>> 1. runs on any Android 4.0+ device (NO root required)
>> 2. all VPN code (except network interface of course) is running in userspace
>> (in case of exploitation only VPN app is compromised)
>> 3. decoupled from OS and easy to upgrade

Using the native implementation has its own benefits. It will generally be faster and more battery-efficient, and it supports having multiple tunnels up simultaneously. VpnService only allows one VPN to be active at a time.

> Thanks for all further information!
>
> Best,
> Paul

Regards,
Samuel

[1]: https://git.zx2c4.com/wireguard-go/

Re: Allowed IPs Toggling
Hello,

On 03/15/18 10:31, Gianluca Gabrielli wrote:
> I was setting two peers on the server, but every time I re-add one of these
> two the other one is shown with (none) on "allowed ips" field. Of course that
> blocks communications with that peer. If I try to re-add it, then the other
> peer loses its configuration, same problem.

Allowed IPs is like a routing table; you can't have two routes for the same set of IPs, or WireGuard doesn't know which peer to send the traffic to. You want to have non-overlapping Allowed IP ranges. This usually means that the range of Allowed IPs is smaller than the host's subnet. For example:

Host A:
IP configuration for WireGuard interface: 192.168.123.1/24
Allowed IPs for Host B: 192.168.123.2/32

Host B:
IP configuration for WireGuard interface: 192.168.123.2/24
Allowed IPs for Host A: 192.168.123.1/32

The IP configuration tells the kernel which IP ranges are accessible via the WireGuard interface. The Allowed IPs tell WireGuard, which _subset_ of those IPs is associated with each peer.

> Cheers,
> Gianluca

Cheers,
Samuel

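
[Added example, not part of the original message or of WireGuard's code.] A small Python model of the two layers discussed in this thread and in the "Cannot ping peer 1 from peer 2" thread: the interface address decides what the kernel treats as reachable over wg0, and AllowedIPs decides which peer owns a destination. The class, the peer names and the ranges in the first two cases are constructed for illustration; the model assumes only the connected route derived from the interface address, and that an identical prefix moves to the peer that was configured last.

```python
import ipaddress


class CryptokeyTable:
    """Toy model of one WireGuard interface (illustrative, not WireGuard's code)."""

    def __init__(self, interface_address):
        # Address = ... on the interface; a bare address means /32.
        self.interface = ipaddress.ip_interface(interface_address)
        self.owner = {}  # exact prefix -> peer name; a prefix has one owner

    def set_allowed_ips(self, peer, prefixes):
        """Replace a peer's AllowedIPs list, as re-adding the peer does."""
        for net in [n for n, p in self.owner.items() if p == peer]:
            del self.owner[net]
        for prefix in prefixes:
            # An identical prefix held by another peer moves to this peer.
            self.owner[ipaddress.ip_network(prefix)] = peer

    def allowed_ips(self, peer):
        nets = sorted(str(n) for n, p in self.owner.items() if p == peer)
        return nets or ["(none)"]

    def on_link(self, dst):
        """Kernel layer: is dst inside the subnet set on the interface?"""
        return ipaddress.ip_address(dst) in self.interface.network

    def peer_for(self, dst):
        """WireGuard layer: most specific AllowedIPs prefix containing dst."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.owner if addr in n]
        if not matches:
            return None
        return self.owner[max(matches, key=lambda n: n.prefixlen)]


def identical_ranges():
    """Constructed case: two peers configured with the same range."""
    table = CryptokeyTable("192.168.123.1/24")
    table.set_allowed_ips("peer-b", ["192.168.123.0/24"])
    table.set_allowed_ips("peer-c", ["192.168.123.0/24"])
    return table.allowed_ips("peer-b"), table.allowed_ips("peer-c")


def overlapping_ranges():
    """Constructed case: a /29 inside another peer's /24."""
    table = CryptokeyTable("192.168.123.1/24")
    table.set_allowed_ips("peer-b", ["192.168.123.0/24"])
    table.set_allowed_ips("peer-c", ["192.168.123.8/29"])
    return table.peer_for("192.168.123.9"), table.peer_for("192.168.123.200")


def peer2_reaches_peer1(address):
    """Peer 2 from the ping thread: 0.0.0.0/0 is allowed for peer 1 either way."""
    table = CryptokeyTable(address)
    table.set_allowed_ips("peer1", ["0.0.0.0/0"])
    return table.on_link("10.100.1.1") and table.peer_for("10.100.1.1") == "peer1"


if __name__ == "__main__":
    print(identical_ranges())
    print(overlapping_ranges())
    print(peer2_reaches_peer1("10.100.1.2"), peer2_reaches_peer1("10.100.1.2/24"))
```
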
Re: Multiple peers
Thanks to both of you guys, really helpful!

Especially **Network Namespace** is a great feature that I didn't know before.

Cheers,
Gianluca