Re: AMD RDRAND
On 12/01/21 00:20, Jason A. Donenfeld wrote:
> Hi Germano,
>
> I fixed this already, by removing the use of RDRAND from
> get_random_{u32,u64,int,long} entirely:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=69efea712f5b0489e67d07565aad5c94e09a3e52
>
> This happened almost a year ago back in February, and was backported
> to the stable kernels too, which means you should have no issues
> finding a working kernel for your brand new Ryzen.
>
> Is this actually a problem you're experiencing or is your report
> mostly just speculation based on that systemd issue you linked to?
>
> Jason

Hi Jason,
I did not know you had already addressed the problem in the Linux kernel. I just made a quick search of the WireGuard mailing list, but I did not find any discussion related to RDRAND.
I did not experience the problem (I haven't run proper tests yet), and I haven't yet studied in detail all the new replies in the thread. I just wanted to let the WireGuard developers know about this problem because I thought it might affect WireGuard.
AMD RDRAND
I would like to inform the WireGuard developers about the following.
It seems that this [1] old AMD RDRAND problem is still present:

RDRAND on AMD Ryzen 9 5900X is flakey - https://github.com/systemd/systemd/issues/18184

I own 2x Ryzen 3600; feel free to write to me in case you would like to run some tests.

[1]: https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
Re: WireGuard connecting hosts WAN->LAN
On 14/03/20 19:16, Luis Ressel wrote:
> On Sat, Mar 14, 2020 at 04:33:44PM +0100, Germano Massullo wrote:
>> I want to:
>> 1) connect A to C passing through B. I don't want to expose C to
>> internet at all, (so no things like port forwarding)
>> 2) A must have C public key (and vice versa), so in case of B being
>> compromised, the A<->C VPN will not be compromised.
> The answer you quoted is correct. If you don't wish to set up port
> forwarding, and C is thus not accessible from the internet at all, A
> can't establish a tunnel with it.
>
> You may want to consider setting up two tunnels on A:
> * wg0 with B as the peer
> * wg1 with C as the peer
> and then route the encrypted packets of wg1 through wg0. The
> disadvantage of this is that you're encrypting every packet twice, which
> hurts performance and lowers the tunnel MTU.
>
> Cheers,
> Luis

Hi Luis, thank you for the explanation.
Have a nice day
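Luis's two-tunnel suggestion above, written out as an added example (not part of the thread and not WireGuard project code): a script that writes the wg-quick files for A and C and derives the lowered inner MTU he mentions. The inner subnet 10.2.2.0/24, port 51821, the output file names and the `<...>` key placeholders are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread: nested tunnels between A (WAN) and C (LAN) via B.
# Assumptions: inner subnet 10.2.2.0/24, inner port 51821, <...> key placeholders.

# WireGuard adds an IP header, 8 bytes of UDP and 32 bytes of its own
# (16-byte data header + 16-byte authentication tag) to every packet.
wg_overhead() {   # $1 = IP version that carries the tunnel (4 or 6)
  case "$1" in
    4) echo 60 ;;
    6) echo 80 ;;
    *) echo "wg_overhead: IP version must be 4 or 6" >&2; return 1 ;;
  esac
}

tunnel_mtu() {    # $1 = MTU of the carrying link, $2 = IP version of the carrier
  _oh=$(wg_overhead "$2") || return 1
  echo $(( $1 - _oh ))
}

write_nested_configs() (   # $1 = output directory; subshell keeps umask and variables local
  dir=$1
  outer=$(tunnel_mtu 1500 6) || exit 1       # 1420, wg-quick's usual value on a 1500-byte link
  inner=$(tunnel_mtu "$outer" 4) || exit 1   # wg1 is carried over IPv4 (10.1.1.x) inside wg0
  umask 077                                  # the real files hold private keys
  mkdir -p "$dir"

  cat > "$dir/A-wg0.conf" <<EOF
[Interface]
Address = 10.1.1.3/24
PrivateKey = <A-wg0-private-key>
MTU = $outer

# Host B. 10.1.1.2/32 moves here from the original endpoint-less "Host C" peer,
# so that wg1's UDP packets addressed to C are encrypted to B and forwarded by it.
[Peer]
PublicKey = <B-wg0-public-key>
Endpoint = tom.foo.bar:51820
AllowedIPs = 10.1.1.1/32, 10.1.1.2/32
EOF

  cat > "$dir/A-wg1.conf" <<EOF
[Interface]
Address = 10.2.2.3/24
PrivateKey = <A-wg1-private-key>
MTU = $inner

# Host C, reached at its wg0 address. B forwards these packets but holds no wg1 key.
[Peer]
PublicKey = <C-wg1-public-key>
Endpoint = 10.1.1.2:51821
AllowedIPs = 10.2.2.2/32
EOF

  cat > "$dir/C-wg1.conf" <<EOF
[Interface]
Address = 10.2.2.2/24
ListenPort = 51821
PrivateKey = <C-wg1-private-key>
MTU = $inner

# Host A. No Endpoint: C learns it from A's first authenticated packet.
[Peer]
PublicKey = <A-wg1-public-key>
AllowedIPs = 10.2.2.3/32
EOF
)
```

Each file goes to `/etc/wireguard/` on the host named in its prefix, as `wg0.conf` or `wg1.conf`, with wg0 brought up first. On C's existing wg0, 10.1.1.3/32 likewise moves into B's AllowedIPs, and B must forward IP packets between its wg0 peers.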
WireGuard connecting hosts WAN->LAN
A simple question to the WireGuard developers: while asking for help in the OpenWRT forum [1] I have been told that I am asking for a thing that WireGuard cannot do, so I want to ask upstream whether it is possible or not.

Scenario:
A = internet (WAN) host (WireGuard IP 10.1.1.3)
B = OpenWRT router (WireGuard IP 10.1.1.1)
C = LAN host (WireGuard IP 10.1.1.2)

I want to:
1) connect A to C passing through B. I don't want to expose C to the internet at all (so no things like port forwarding)
2) A must have C's public key (and vice versa), so in case of B being compromised, the A<->C VPN will not be compromised.
In a few words, I want B to just route (forward) packets from A to C.

I have been told:
=
In your scenario A is not connected to C. Having peer entries for A and C at each end are completely pointless because they're not doing anything. The keys you have in those entries will only ever be used if A and C are connected directly. As long as you have B in the middle then packets will be sent from A (or C) to B which will decrypt them with the appropriate public key. B will then re-encrypt them with its own private key before sending them on to C (or A). If you don't want that to happen then you'll need to connect A and C directly.
=

What do you think?

For completeness, I attach the configuration of the three hosts below.
In the past I had a similar configuration with 3 Fedora/CentOS machines, where A had just B's public key and I could connect to C because in A's configuration, the allowed IPs of B had a /24 mask.
Now I would like to set up a stricter configuration.

Thank you for your time

[1]: https://forum.openwrt.org/t/wireguard-connecting-hosts-wan-lan/

**Host A - WireGuard configuration file (Fedora)**
```
[Interface]
Address = 10.1.1.3/24
PrivateKey = censored
ListenPort = 51820

# Host B
[Peer]
PublicKey = censored
Endpoint = tom.foo.bar:51820
AllowedIPs = 10.1.1.1/32

# Host C
[Peer]
PublicKey = censored
AllowedIPs = 10.1.1.2/32
```

**Host B - OpenWRT /etc/config/network configuration file**
```
root@OpenWrt:/etc# cat config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'censored::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username 'censored'
	option password 'censored'
	option ipv6 'auto'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'censored'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'censored'
	option listen_port '51820'
	option route_allowed_ips '1'
	list addresses '10.1.1.1/24'

# Host A
config wireguard_wg0 'wg_client_host_A'
	option public_key 'censored'
	list allowed_ips '10.1.1.3/32'

# Host C
config wireguard_wg0 'wg_client_host_C'
	option public_key 'censored'
	list allowed_ips '10.1.1.2/32'
```

**Host C - WireGuard configuration file (CentOS)**
```
[Interface]
Address = 10.1.1.2/24
ListenPort = 51820
PrivateKey = censored

# Host B
[Peer]
PublicKey = censored
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.1.1/32

# Host A
[Peer]
PublicKey = censored
AllowedIPs = 10.1.1.3/32
```
Re: Wireguard is now in Linus' tree
Thank you guys for your work, this is amazing news!
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
Re: WireGuard @ FOSDEM -- Meetup
See you at FOSDEM!
Re: Fedora/CentOS error: wireguard-dkms-1:0.0.20180420-1.fc28.noarch: erase failed
On 5/15/18 4:49 PM, Joe Doss wrote:
> On 05/15/2018 08:21 AM, Germano Massullo wrote:
>> I had the same problem, and I followed your guide till
>>
>>> # rpm -e wireguard-dkms-0.0.20180420-1.fc28.noarch
>>
>> Then I wanted to use 0.0.20180513-1.fc28 snapshot, so I ran
>>
>> # dkms autoinstall
>>
>> but I got errors
>>
>> Error! Could not locate dkms.conf file.
>> File: /var/lib/dkms/wireguard/0.0.20180218/source/dkms.conf does not
>> exist.
>
> I never use dkms autoinstall but I just used it and I cannot reproduce
> the problem. It looks based on /var/lib/dkms/wireguard/0.0.20180218/
> it is looking for a snapshot from Feb. It could be that you are having
> different problems here. Maybe your system had issues back in Feb
> where it thought it removed the RPM but didn't?
>
> Since I don't see the 0.0.20180218 RPM installed you most likely can
> manually remove /var/lib/dkms/wireguard/0.0.20180218/ and this error
> should go away.

It worked, thank you!
Re: Fedora/CentOS error: wireguard-dkms-1:0.0.20180420-1.fc28.noarch: erase failed
I had the same problem, and I followed your guide till

> # rpm -e wireguard-dkms-0.0.20180420-1.fc28.noarch

Then I wanted to use the 0.0.20180513-1.fc28 snapshot, so I ran

```
# dkms autoinstall
```

but I got errors

```
Error! Could not locate dkms.conf file.
File: /var/lib/dkms/wireguard/0.0.20180218/source/dkms.conf does not exist.
```

Concerning installed files:

```
# dnf list installed | grep wireguard
wireguard-dkms.noarch 1:0.0.20180513-1.fc28 @jdoss-wireguard
wireguard-tools.x86_64 1:0.0.20180513-1.fc28 @jdoss-wireguard
# updatedb
# locate wireguard
```
Re: wireguard-dkms and CentOS 7.5
A yum message while upgrading CentOS from 7.4 to 7.5:

===
Update : 1:wireguard-dkms-0.0.20180420-1.el7.centos.noarch 44/376
warning: %post(wireguard-dkms-1:0.0.20180420-1.el7.centos.noarch) scriptlet failed, signal 9
Non-fatal POSTIN scriptlet failure in rpm package 1:wireguard-dkms-0.0.20180420-1.el7.centos.noarch
Killed
===
Re: wg0 packets not being routed?
I haven't understood your configuration well, but I suggest you have a look at mine, in which a "gateway" is implemented. Look in particular at Example 2 (Esempio 2). For the few Italian words you could just use an online translator, but they are not very important.
https://groups.google.com/forum/#!topic/ninux-ml/yHXe-dVss2M
Re: On redhat 7.4 wireguard not working
I have been using WireGuard on CentOS 7.4 for many months

```
iproute-3.10.0-87.el7.x86_64
wireguard-dkms-0.0.20180413-1.el7.centos.noarch
wireguard-tools-0.0.20180413-1.el7.centos.x86_64

$ dkms status
wireguard, 0.0.20180413, 3.10.0-693.21.1.el7.x86_64, x86_64: installed
```

In my system, the WireGuard network interface is handled as a systemd service

```
# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: active (exited) since gio 2018-04-19 18:07:01 CEST; 1h 1min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/WireGuard/about/src/tools/wg-quick.8
           https://git.zx2c4.com/WireGuard/about/src/tools/wg.8
  Process: 1059 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=0/SUCCESS)
 Main PID: 1059 (code=exited, status=0/SUCCESS)

apr 19 18:07:00 vpn systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
apr 19 18:07:00 vpn wg-quick[1059]: [#] ip link add wg0 type wireguard
apr 19 18:07:01 vpn wg-quick[1059]: [#] wg setconf wg0 /dev/fd/63
apr 19 18:07:01 vpn wg-quick[1059]: [#] ip address add **removed by me** dev wg0
apr 19 18:07:01 vpn wg-quick[1059]: [#] ip link set mtu 1420 dev wg0
apr 19 18:07:01 vpn wg-quick[1059]: [#] ip link set wg0 up
apr 19 18:07:01 vpn systemd[1]: Started WireGuard via wg-quick(8) for wg0.
```
Re: Multiple peers
Hi Gianluca,
you may also want to read this example I explained on the Ninux mailing list
https://www.mail-archive.com/wireless@ml.ninux.org/msg20983.html

Best regards
Re: WireGuard in systemd-networkd
As a systemd-networkd user I am very happy about that!
Jason, it has been a pleasure to meet you at 34C3 :-)
Re: 34C3 - WireGuard Workshop?
I am interested and I would participate in a WireGuard workshop
Re: Wireguard ceased to work after Fedora 26->27 upgrade
jdoss helped me in the #wireguard IRC channel. I post the resolution; it could be useful for other Fedora users.

```
[18:28] sudo dnf remove wireguard-dkms wireguard-tools; sudo dnf install wireguard-dkms wireguard-tools
[18:31] jdoss: dnf cannot remove wireguard-dkms, output below
=
Transazione in corso
  Preparazione in corso : 1/1
  Esecuzione scriptlet in corso : wireguard-dkms-1:0.0.20171127-1.fc27.noarch 1/1
errore: scriptlet %preun(wireguard-dkms-1:0.0.20171127-1.fc27.noarch) fallita, uscita con stato 3
Error in PREUN scriptlet in rpm package wireguard-dkms
Error in PREUN scriptlet in rpm package wireguard-dkms
wireguard-dkms-1:0.0.20171127-1.fc27.noarch doveva essere eliminato, ma non lo è stato!
  Verifica in corso : wireguard-dkms-1:0.0.20171127-1.fc27.noarch 1/1

Non riuscito:
  wireguard-dkms.noarch 1:0.0.20171127-1.fc27

Errore: Transazione non riuscita
=
[18:32] rpm -qa |grep wireguard
[18:33] jdoss: wireguard-dkms-0.0.20171127-1.fc27.noarch
[18:35] dkms remove -m wireguard -v 0.0.20171127 --all
[18:36] jdoss: Error! There are no instances of module: wireguard 0.0.20171127 located in the DKMS tree.
[18:37] That's a doozy
[18:37] uh
[18:37] sounds like your dkms went rogue or you removed wireguard outside of the RPM doing its job
[18:37] jdoss: no, I have never messed up with that stuff
[18:38] I always used dnf and the copr repo
[18:38] sudo dkms add -m wireguard -v 0.0.20171127
[18:38] jdoss: Creating symlink /var/lib/dkms/wireguard/0.0.20171127/source -> /usr/src/wireguard-0.0.20171127 DKMS: add completed.
[18:39] sudo dkms build -m wireguard -v 0.0.20171127; sudo dkms install -m wireguard -v 0.0.20171127
[18:40] the upgrade to 27 prob didn't care over well with dkms.
[18:41] jdoss: output below
=
# dkms build -m wireguard -v 0.0.20171127; dkms install -m wireguard -v 0.0.20171127

Kernel preparation unnecessary for this kernel. Skipping...

Building module:
cleaning build area...
make -j4 KERNELRELEASE=4.13.16-300.fc27.x86_64 -C /lib/modules/4.13.16-300.fc27.x86_64/build M=/var/lib/dkms/wireguard/0.0.20171127/build...
cleaning build area...

DKMS: build completed.

wireguard:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.13.16-300.fc27.x86_64/extra/
Adding any weak-modules

depmod..

DKMS: install completed.
=
[18:41] dkms status
[18:41] jdoss: wireguard, 0.0.20171127, 4.13.16-300.fc27.x86_64, x86_64: installed
[18:42] should be good now
[18:42] I suppose that now I have to reinstall the other wireguard packages
[18:42] yea reinstall wireguard-tools
[18:43] jdoss: yeah, now everything works fine, thank you very much
[18:43] no problem
[18:44] jdoss: I am going to post the resolution to the mailing list, in case anyone else is affected by the same problem
```
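The two DKMS failures in these threads (a tree entry whose `source/dkms.conf` is gone, and an installed source that the DKMS tree does not list) can be checked for before running dnf or `dkms autoinstall`. The script below is an added example, not from the thread and not part of DKMS; it assumes the `/var/lib/dkms/<module>/<version>` and `/usr/src/<module>-<version>` layout visible in the messages above, only reports, and its demo tree is constructed.

```bash
#!/bin/sh
# Added example (not from the thread): report mismatches between the DKMS tree
# and the module sources. It only prints findings; it never deletes anything.

dkms_audit() {   # $1 = DKMS tree (default /var/lib/dkms), $2 = source root (default /usr/src)
  tree=${1:-/var/lib/dkms}
  src=${2:-/usr/src}

  # 1) Registered versions whose source/dkms.conf is missing. "dkms autoinstall"
  #    stops on these with "Could not locate dkms.conf file".
  for ver_dir in "$tree"/*/*/; do
    ver_dir=${ver_dir%/}
    [ -d "$ver_dir" ] || continue     # glob matched nothing
    [ -L "$ver_dir" ] && continue     # kernel-<ver>-<arch> symlinks are not versions
    version=${ver_dir##*/}
    mod_dir=${ver_dir%/*}
    module=${mod_dir##*/}
    if [ ! -f "$ver_dir/source/dkms.conf" ]; then
      echo "stale $module/$version: $ver_dir/source/dkms.conf missing"
    fi
  done

  # 2) Sources carrying a dkms.conf that the tree does not list, the state in which
  #    "dkms remove" reported "no instances of module" until "dkms add" was run.
  #    Assumption: directories are named <module>-<version>, version without "-".
  for conf in "$src"/*/dkms.conf; do
    [ -f "$conf" ] || continue
    dir=${conf%/dkms.conf}
    base=${dir##*/}
    case $base in *-*) ;; *) continue ;; esac
    module=${base%-*}
    version=${base##*-}
    if [ ! -d "$tree/$module/$version" ]; then
      echo "unregistered $module/$version: run dkms add -m $module -v $version"
    fi
  done
}

# Constructed sample tree that mirrors the two situations from the threads.
dkms_audit_demo() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/tree/wireguard/0.0.20180218" "$d/tree/wireguard/0.0.20180513" \
           "$d/src/wireguard-0.0.20180513" "$d/src/wireguard-0.0.20171127"
  touch "$d/src/wireguard-0.0.20180513/dkms.conf" "$d/src/wireguard-0.0.20171127/dkms.conf"
  ln -s "$d/src/wireguard-0.0.20180218" "$d/tree/wireguard/0.0.20180218/source"  # dangling
  ln -s "$d/src/wireguard-0.0.20180513" "$d/tree/wireguard/0.0.20180513/source"
  dkms_audit "$d/tree" "$d/src"
  rm -rf "$d"
}

# Run with --demo to audit the constructed tree; without arguments nothing is executed.
if [ "${1:-}" = "--demo" ]; then dkms_audit_demo; fi
```

On a real system, `dkms_audit` with no arguments inspects `/var/lib/dkms` and `/usr/src`.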
Wireguard ceased to work after Fedora 26->27 upgrade
Hi there,
some days ago I upgraded my system from Fedora 26 to 27, and WireGuard ceased to work.

```
# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2017-12-01 17:55:43 CET; 2min 18s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/WireGuard/about/src/tools/wg-quick.8
           https://git.zx2c4.com/WireGuard/about/src/tools/wg.8
  Process: 907 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
 Main PID: 907 (code=exited, status=1/FAILURE)

dic 01 17:55:43 machine systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
dic 01 17:55:43 machine wg-quick[907]: [#] ip link add wg0 type wireguard
dic 01 17:55:43 machine wg-quick[907]: RTNETLINK answers: Operation not supported
dic 01 17:55:43 machine wg-quick[907]: Unable to get device: Protocol not supported
dic 01 17:55:43 machine systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
dic 01 17:55:43 machine systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
dic 01 17:55:43 machine systemd[1]: wg-quick@wg0.service: Unit entered failed state.
dic 01 17:55:43 machine systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.

# dnf list installed | grep wireguard
wireguard-dkms.noarch 1:0.0.20171127-1.fc27 @jdoss-wireguard
wireguard-tools.x86_64 1:0.0.20171127-1.fc27 @jdoss-wireguard
```

```
# dkms status
```
returns nothing

kernel packages:
```
kernel-4.13.16-300.fc27.x86_64
kernel-core-4.13.16-300.fc27.x86_64
kernel-devel-4.13.16-300.fc27.x86_64
kernel-headers-4.13.16-300.fc27.x86_64
```

Do you have any idea?
Thank you!
Re: Gateway for Wireguard VPN
For those who have a firewalld-based Linux distribution like Fedora/RHEL/CentOS:

=== Host B (VPN gateway) ===
When the system creates interface wg0, it is not attached to any firewall zone, so it falls into the default zone, which blocks everything except ICMP packets. Therefore if you simply run ping among hosts (for example from A to C) everything works, but as soon as you try to use a service, it will not work. You can solve this with

```
# firewall-cmd --zone=trusted --add-interface=wg0 --permanent
# firewall-cmd --reload
```

Now from host A you can correctly run

```
$ ssh user@10.1.0.22
```

that is the server running on host C
Re: Gateway for Wireguard VPN
Thank you very much Jason, your help has been precious!!
Suggestions for creating a VPN network
Hi there,
I am going to start using WireGuard, so I read the whitepaper and the online documentation on the website. I am writing to ask you for some suggestions about a kind of network I would like to set up, since there could be various different ways to implement what I have in mind.

Here is my use case: a server has an eth1 network interface that is the slave interface of bridge br0. Many Linux virtual machines (qemu/libvirt) are connected to br0, and they have public IPs. Now let's name one of them 'vm3'.
I would like to create a certain number of virtual machines that:
- do not have public IPs;
- are in a WireGuard VPN (let's call it 'wireguard_vpn');
- use vm3 as gateway to the internet.
Moreover, hosts from the internet must be able to connect to wireguard_vpn, possibly through vm3.

It looks like the example "The New Namespace Solution" at https://www.wireguard.com/netns/ is a good way to start configuring vm3.
What do you think?

Thank you for your time