Re: WireGuard connecting hosts WAN->LAN
Il 14/03/20 19:16, Luis Ressel ha scritto: > On Sat, Mar 14, 2020 at 04:33:44PM +0100, Germano Massullo wrote: >> I want to: >> 1) connect A to C passing through B. I don't want to expose C to >> internet at all, (so no things like port forwarding) >> 2) A must have C public key (and viceversa), so in case of B being >> compromised, the A<->C VPN will not be compromised. > The answer you quoted is correct. If you don't wish to set up port > forwarding, and C is thus not accessible from the internet at all, A > can't establish a tunnel with it. > > You may want to consider setting up two tunnels on A: > * wg0 with B as the peer > * wg1 with C as the peer > and then route the encrypted packets of wg1 through wg0. The > disadvantage of this is that you're encrypting every packet twice, which > hurts performance and lowers the tunnel MTU. > > Cheers, > Luis Hi Luis, thank you for the explanation Have a nice day
Re: WireGuard connecting hosts WAN->LAN
On Sat, Mar 14, 2020 at 04:33:44PM +0100, Germano Massullo wrote: > I want to: > 1) connect A to C passing through B. I don't want to expose C to > internet at all, (so no things like port forwarding) > 2) A must have C public key (and viceversa), so in case of B being > compromised, the A<->C VPN will not be compromised. The answer you quoted is correct. If you don't wish to set up port forwarding, and C is thus not accessible from the internet at all, A can't establish a tunnel with it. You may want to consider setting up two tunnels on A: * wg0 with B as the peer * wg1 with C as the peer and then route the encrypted packets of wg1 through wg0. The disadvantage of this is that you're encrypting every packet twice, which hurts performance and lowers the tunnel MTU. Cheers, Luis
Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
On Sat, Mar 14, 2020 at 06:08:35PM +0100, Matthias Urlichs wrote: > Ideally some background process forked by `wg` or `wg-quick` should set > the first address, monitor the peer, and use the next one if it hasn't > been established after some configurable number of seconds (or when the > keepalive fails). Bonus points for re-resolving the address when it expires. Yes, trying the ips in order until a tunnel can be established is certainly a good idea, and in fact what the relevant standards recommend, but so far noone has bothered to implement it. Running a daemon that periodically re-resolves the host and sets the endpoint to its current ip, on the other hand, would interfere with wireguard's transparent roaming support, so wg(8) isn't ever going to do that. Of course, you can easily do this yourself if it makes sense for your setup. Cheers, Luis
Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
On 14.03.20 17:52, Luis Ressel wrote: > A standards-compliant implementation should return an ipv6 address in > the first position if one is available and the host has a working > connection to the v6 internet. Unfortunately that is necessary but not sufficient for the link to actually succeed. Also a host might have two IPv4 (or IPv6) addresses, only one of which works, so this problem is not v6-vs.-v4 specific. Ideally some background process forked by `wg` or `wg-quick` should set the first address, monitor the peer, and use the next one if it hasn't been established after some configurable number of seconds (or when the keepalive fails). Bonus points for re-resolving the address when it expires. -- -- Matthias Urlichs
Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4
On Fri, Mar 13, 2020 at 03:52:19PM +0100, Torsten Krah wrote: > I've got an endpoint with a DNS name which has both, an A and > record. > I would like to configure the client, so that I can tell him, to either > prefer IPv6 or IPv4 for the vpn connection. The relevant source code can be found here: https://git.zx2c4.com/wireguard-tools/tree/src/config.c#n242 As you can see, wg resolves host names through the libc's getaddrinfo() function, and simply uses the first ip address returned by that function. A standards-compliant implementation should return an ipv6 address in the first position if one is available and the host has a working connection to the v6 internet. As far as I know, both glibc and musl do this (though the behaviour of glibc can be modified by editing /etc/gai.conf); I'm not sure what other libcs do. It would of course be possible to make this behaviour configurable for wg; we just need to figure out if that's an useful feature, and what the exact semantics should be. Cheers, Luis
WireGuard connecting hosts WAN->LAN
A simple question to Wireguard developers, since while asking for help in OpenWRT forum[1] I have been told that I am asking a thing that Wireguard cannot do, so I want to ask upstream if it is possible or not Scenario: A = internet (WAN) host (WireGuard IP 10.1.1.3) B = OpenWRT router (WireGuard IP 10.1.1.1) C = LAN host (WireGuard IP 10.1.1.2) I want to: 1) connect A to C passing through B. I don't want to expose C to internet at all, (so no things like port forwarding) 2) A must have C public key (and viceversa), so in case of B being compromised, the A<->C VPN will not be compromised. In a few words, I want B to just route forwards packages from A to C. I have been told: = In your scenario A is not connected to C. Having peer entries for A and C at each end are completely pointless because they're not doing anything. The keys you have in those entries will only ever be used if A and C are connected directly. As long as you have B in the middle then packets will be sent from A (or C) to B which will decrypt then with the appropriate public key. B will then re-encrypt them with it's own private key before sending them on to C (or A). If you don't want that to happen then you'll need to connect A and C directly. = What do you think about? For information completeness, below I attach the configuration of the three hosts In past I had a similar configuration with 3 Fedora/CentOS machines, where A had just the B public key and I could connect to C because in A configuration, the allowed IPs of B had a /24 mask. Now I would like to setup a more strict configuration Thank you for your time [1]: https://forum.openwrt.org/t/wireguard-connecting-hosts-wan-lan/ **Host A - WireGuard configuration file (Fedora)** ``` [Interface] Address = 10.1.1.3/24 PrivateKey = censored ListenPort = 51820 # Host B [Peer] PublicKey = censored Endpoint = tom.foo.bar:51820 AllowedIPs = 10.1.1.1/32 # Host C [Peer] PublicKey = censored AllowedIPs = 10.1.1.2/32 ``` **Host B - OpenWRT /etc/config/network configuration file** ``` root@OpenWrt:/etc# cat config/network config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config globals 'globals' option ula_prefix 'censored::/48' config interface 'lan' option type 'bridge' option ifname 'eth0.1' option proto 'static' option ipaddr '192.168.1.1' option netmask '255.255.255.0' option ip6assign '60' config interface 'wan' option ifname 'eth0.2' option proto 'pppoe' option username 'censored' option password 'censored' option ipv6 'auto' config device 'wan_dev' option name 'eth0.2' option macaddr 'censored' config interface 'wan6' option ifname 'eth0.2' option proto 'dhcpv6' config switch option name 'switch0' option reset '1' option enable_vlan '1' config switch_vlan option device 'switch0' option vlan '1' option ports '2 3 4 5 0t' config switch_vlan option device 'switch0' option vlan '2' option ports '1 0t' config interface 'wg0' option proto 'wireguard' option private_key 'censored' option listen_port '51820' option route_allowed_ips '1' list addresses '10.1.1.1/24' # Host A config wireguard_wg0 'wg_client_host_A' option public_key 'censored' list allowed_ips '10.1.1.3/32' # Host C config wireguard_wg0 'wg_client_host_C' option public_key 'censored' list allowed_ips '10.1.1.2/32' ``` **Host C - WireGuard configuration file (CentOS)** ``` [Interface] Address = 10.1.1.2/24 ListenPort = 51820 PrivateKey = censored # Host B [Peer] PublicKey = censored Endpoint = 192.168.1.1:51820 AllowedIPs = 10.1.1.1/32 # Host A [Peer] PublicKey = censored AllowedIPs = 10.1.1.3/32 ```