Re: Mixed MTU hosts on a network

2018-04-13 Thread Jason A. Donenfeld
On Sat, Apr 14, 2018 at 03:38:46AM +0200, Jason A. Donenfeld wrote: > 2) When we pad the packet payload. In this case, we pad it to the > nearest multiple of 16, but we don't let it exceed the device MTU. > This is skb_padding in send.c. This behavior seems like the bug in > your particular case,

Re: Policy-based routing

2018-04-13 Thread Jason A. Donenfeld
Hi Bruno, You can't set multiple peers to use 0.0.0.0/0 at the same time on the same interface. How would it be able to choose which peer to send traffic to then? Instead, if you want some kind of redundancy or bonding, you can try using multiple interfaces, and then use whatever traditional

Re: Wireguard behind NAT

2018-04-13 Thread Jason A. Donenfeld
If you can have SIDE_A connect to SIDE_B and enable persistent-keepalive, that should take care of things mostly. If you can't do that for whatever reason, there are hole punching tricks like [1] and [2]. [1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching [2]

Re: Android app and command line

2018-04-13 Thread Jason A. Donenfeld
On Fri, Mar 16, 2018 at 3:38 AM, Samuel Holland wrote: > I've looked into this, and it is unfortunately quite difficult to do. The app > can register to receive notification about network changes, but unfortunately > there's no* way for the app to tell the Android

Re: Cannot ping peer 1 from peer 2

2018-04-13 Thread Jason A. Donenfeld
You may need to run as root: sysctl net.ipv4.ip_forward=1 You also may want a -o wg0 rule on the FORWARD table, if you don't also have an established/related rule there. ___ WireGuard mailing list WireGuard@lists.zx2c4.com

Re: Include directive to support "conf.d/*" and the like

2018-04-13 Thread Jason A. Donenfeld
Hi Roman, This also came up in another thread I was replying to earlier tonight. While one way indeed is to have an 'include' directive, it seems simple enough to just do something like: $ wg setconf wg0 <(cat /etc/wireguard/mysite.conf.d/*.conf) And then you can have various fragments in there

Re: Mixed MTU hosts on a network

2018-04-13 Thread Jason A. Donenfeld
Hi Roman, I think that your idea of setting a route-based MTU _should_ work, and it seems like a bug if it isn't working. There are two places in WireGuard which directly touch the MTU: 1) When we split GSO superpackets up into normal sized packets. This code is supposed to be aware of the

Re: Troubleshooting WireGuard connections

2018-04-13 Thread Jason A. Donenfeld
Hi Riccardo, Based on those tcpdump timestamps, it looks like the handshake response happens nearly immediately after the handshake initiation. Yet from your description, it appears only after many moments. In my experience, tcpdump blocks like this when it has to do too many DNS resolutions and

Re: Some potential bug in wg-quick re. fwmark and default route

2018-04-13 Thread Jason A. Donenfeld
Hi Saeid, Your email got sent to my spam folder. Sorry about that. Thanks for following up on this, Luis. Based on Luis' analysis and first patch, I've written a fix here: https://git.zx2c4.com/WireGuard/commit/?id=406709a6cfee08139daf6f6a58088c45e125e291 Let me know if this works as you

Re: Troubleshooting WireGuard connections

2018-04-13 Thread Riccardo Berto
I didn't think about using tcpdump by checking the default interface, thanks for the suggestion! I updated to the April 2018 snapshot on every peer. I removed the server endpoints and since I was there, switched the server port to 51820, the protocol "default" one. It still works for the

Re: wg-quick (script snippets) for OpenWRT/LEDE

2018-04-13 Thread Jason A. Donenfeld
Hello vtol, OpenWRT has its own robust configuration system, which can do nice things like avoid circular routing. For that reason, the set of tricks that wg-quick uses are best avoided on those types of fully-managed systems. That's why it's not included in the package. Perhaps it should be,

Re: ideas/features

2018-04-13 Thread Jason A. Donenfeld
Hi ST, On Mon, Mar 26, 2018 at 7:17 PM, ST wrote: > 1. Labels. > > Is it possible to add an optional label to a peer to make it a bit more > usable for humans (who tend not to remember IPs or keys). A label > associated with a peer is just a string (could be a first/last name,

Re: wg-ip, a tool to assign automatic ip addresses to wireguard interfaces

2018-04-13 Thread Jason A. Donenfeld
Hi Christophe, Thanks for writing this. Very cool work. As part of GSoC this summer, Martin (CC'd) is going to be working on a dynamic provisioning protocol over IPv6. One of the things we'll be investigating is whether it's best to derive a v6 address from a public key or whether it's best to

Re: few wg peers over the same port in the main office? Cryptokey routing

2018-04-13 Thread Jason A. Donenfeld
For your use case, I'd suggest you use multiple peers on a single interface with a single listen port.

Re: Conflict with broadcom component.

2018-04-13 Thread Jason A. Donenfeld
Hi Jun, Fascinating. I really don't know and I'll need to spend some time looking into what on earth Broadcom has done with this kernel. There appears to be some kind of data structure added to the skb that isn't an skb anymore, under CONFIG_BCM_KF_NBUFF. "KuffinBuff"? I imagine the correct

Re: Re: Troubleshooting WireGuard connections

2018-04-13 Thread Jason A. Donenfeld
When you type "wg", does it show you a "latest handshake"? If not, perhaps they're not even communicating at all. For this, you could look for udp packets on port 21 and see what's up. Also, you might simplify things a bit by: - Removing all mentions of Endpoint on the server, since the server

WireGuard integration with a DHCP server/client or other automatic provisioning

2018-04-13 Thread ST
Hello, as mentioned earlier I'm looking for ways to automate IP assignment and, more generally, the addition of new peers into a VPN through a central WG server. It was suggested to use DHCP server/client. Are there tutorials somewhere on how to do that? Maybe you are aware of other

Re: Re: Troubleshooting WireGuard connections

2018-04-13 Thread Riccardo Berto
I wasn't clear in the previous email, I'm only seeing ICMP requests and not answers so no traffic through the tunnel. Also, I have not set up forwarding to another interface, maybe that's the next step for a road-warrior OpenVPN-like setup, but at the moment I'm keeping things simple and I'm