Re: Need for HW-clock independent timestamps

2018-05-16 Thread Roman Mamedov
On Thu, 17 May 2018 12:40:55 +0900 Paul wrote: > For me it looks like a problem solvable in software (as done for the > BMX routing protocol). Why even bother to get hardware involved? Personally I am puzzled this is even an issue in WG. Not a single other VPN protocol

Re: [Uber low priority] Linux 4.17.0 on aarch64

2018-06-07 Thread Roman Mamedov
On Thu, 07 Jun 2018 09:40:08 +0200 Riccardo Berto wrote: > Just want to report that I can't add a wg interface of type wireguard > with linux 4.17.0 on aarch64 (Raspberry Pi 3). > > Error message: `RTNETLINK answers: Operation not supported`. > > I'm using ArchLinuxARM. Downgrading to 4.16.x

Re: Upstream Submission v1

2018-08-02 Thread Roman Mamedov
On Tue, 31 Jul 2018 21:26:53 +0200 "Jason A. Donenfeld" wrote: > Hey list, > > I submitted patchset v1 of WireGuard to LKML a few minutes ago: > > [0/3] https://marc.info/?l=linux-netdev=153306429108040=2 > [1/3] https://marc.info/?l=linux-netdev=153306429908043=2 > [2/3]

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Roman Mamedov
On Fri, 10 Aug 2018 14:35:14 +0100 Brian Candler wrote: > From my point of view, the only thing which makes me uncomfortable > about wireguard is the lack of any second authentication factor. Your > private key is embedded in a plaintext file in your device (e.g. > laptop), not even

Re: Fragmentation on UDP layer possible?

2018-08-12 Thread Roman Mamedov
On Mon, 13 Aug 2018 02:53:44 +1000 StarBrilliant wrote: > I know Wireguard can already do IP layer fragmentation. (Just set > tunnel MTU >= 1441 then fragmentation will be turned on) Is that really expected to work? I tried setting MTU 9000 on both ends of a WG tunnel, but large packets still

Getting IPv6 route advertisements to work over WG

2018-08-27 Thread Roman Mamedov
Hello, I am trying to get IPv6 link-local IPs and route advertisements to work over WG. The reason is not for the usual case of address autoconfiguration, but to use RA as a dynamic routing protocol of sorts, as it can distribute routes -- or in case of WG (where routes need to be static in

Re: Getting IPv6 route advertisements to work over WG

2018-08-27 Thread Roman Mamedov
On Mon, 27 Aug 2018 15:32:49 +0200 netrav...@gmail.com wrote: > When using multicast over WireGuard, would it not be more viable to use > an extra encapsulation layer to run multicast inside of? > > I am specifically thinking of running either GRE or L2TPv3 over wgX. I know people run VXLAN or

Error building for ARM

2018-09-06 Thread Roman Mamedov
Hello, AS [M] net/wireguard/crypto/zinc/curve25519/curve25519-arm.o net/wireguard/crypto/zinc/curve25519/curve25519-arm.S: Assembler messages: net/wireguard/crypto/zinc/curve25519/curve25519-arm.S:21: Error: r13 not allowed here -- `and sp,sp,#0xfff0' scripts/Makefile.build:429: recipe

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20180708` Available

2018-07-10 Thread Roman Mamedov
On Sun, 08 Jul 2018 18:52:32 +0200 "Jason A. Donenfeld" wrote: > * receive: use NAPI on the receive path > > This is a big change that should both improve preemption latency (by not > disabling it unconditionally) and vastly improve rx performance on most > systems by using NAPI. The

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20180708` Available

2018-07-10 Thread Roman Mamedov
On Tue, 10 Jul 2018 16:57:14 +0200 "Jason A. Donenfeld" wrote: > The latest snapshot will still have the same preemption relaxation > with simd_relax(), but gets performance gains by moving to napi, so > it's still faster overall. If you want the simd_relax() to not take a > hit and get maximum

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20180708` Available

2018-07-10 Thread Roman Mamedov
On Tue, 10 Jul 2018 20:57:29 +0500 Roman Mamedov wrote: > I'll probably test again without simd_relax Somehow it's now noticeably worse without those. Even got some dips below 1 Gbit/s which I have never seen before, and the overall speed is lower. -- With respect, Ro

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20180708` Available

2018-07-10 Thread Roman Mamedov
On Tue, 10 Jul 2018 20:38:24 +0200 "Jason A. Donenfeld" wrote: > I might not be understanding you correctly. Do you mean to suggest > that removing simd_relax() actually harms performance now? That having > it in there helps performance? Actually no, after your message I swapped kernels again

Re: receive: use gro call instead of plain call

2018-07-13 Thread Roman Mamedov
On Fri, 13 Jul 2018 08:49:45 -0500 Lonnie Abelbeck wrote: > For certain lower-end x86 boxes I test, I noticed WG 0.0.20180708 w/NAPI > actually slowed down receive performance. > > Jason recently added "receive: use gro call instead of plain call" [1] > commit, which made a big performance

Include directive to support "conf.d/*" and the like

2018-03-16 Thread Roman Mamedov
Hello, I would like to be able to split the [Interface] and [Peer] parts of the config file into separate files. The reason is that currently I manage configurations of my various hosts at a central location, then push out common configs to all hosts. This becomes problematic with current

Re: Mixed MTU hosts on a network

2018-03-16 Thread Roman Mamedov
On Fri, 16 Mar 2018 10:35:18 +0100 Matthias Ordner wrote: > If you only care about TCP connections you could set a different TCP-MSS > with an iptables rule. On Fri, 16 Mar 2018 11:01:51 +0100 Kalin KOZHUHAROV wrote: > You may need to pre-shape

Mixed MTU hosts on a network

2018-03-16 Thread Roman Mamedov
Hello, I have a host which is on PPPoE and has 1492 as underlying MTU. When WireGuard starts by default, it sets MTU of its interface to 1420. All TCP connections trying to send a stream of data over the WG interface to that host, hang up (I test with iperf3). My first idea was to override the

Re: Include directive to support "conf.d/*" and the like

2018-04-14 Thread Roman Mamedov
On Sat, 14 Apr 2018 03:47:57 +0200 "Jason A. Donenfeld" wrote: > Hi Roman, > > This also came up in another thread I was replying to earlier tonight. > While one way indeed is to have an 'include' directive, it seems > simple enough to just do something like: > > $ wg setconf

Re: Mixed MTU hosts on a network

2018-04-14 Thread Roman Mamedov
On Sat, 14 Apr 2018 15:16:56 +0200 "Jason A. Donenfeld" wrote: > Hi Roman, > > This commit should fix it. It now has a unit test too so that we don't > hit this issue again. Thanks for reporting it in such detail. > >

Re: Mixed MTU hosts on a network

2018-04-14 Thread Roman Mamedov
On Sat, 14 Apr 2018 16:15:07 +0200 "Jason A. Donenfeld" wrote: > Hi Roman, > > I answered this in my first email to you, which perhaps got lost in > the mix of emails, so I'll quote the relevant part: > > > 2) When we pad the packet payload. In this case, we pad it to the > >

Re: Mixed MTU hosts on a network

2018-04-14 Thread Roman Mamedov
On Sat, 14 Apr 2018 16:45:32 +0200 "Jason A. Donenfeld" wrote: > In this case, WireGuard seems to be doing the right thing. Think you > could come up with some minimal test that exhibits the behavior you're > seeing? I now remember in more detail what was the problem. It was

Re: Why does 'allowed-ips' affect route selection behavior?

2018-04-15 Thread Roman Mamedov
On Sun, 15 Apr 2018 14:49:23 -0400 "Patrick O'Sullivan" wrote: > $ sudo ip route get 4.2.2.1 > 4.2.2.1 dev wg0 table 51820 src 10.111.111.100 ^^^ > cache > Can someone please explain this behavior? Probably will be easier to do if you show

Re: add/remove a peer

2018-03-25 Thread Roman Mamedov
On Sun, 25 Mar 2018 21:17:35 +0200 Kalin KOZHUHAROV wrote: > There is a reason, at least one, good one - it is called simplicity. > It is also hard to work when you are running out of disk space or > memory; do you expect WG to solve that for you? > Simply put, IP addressing

Reconciling "cryptokey-based" and regular routing

2018-03-16 Thread Roman Mamedov
Hello, I need to have multiple gateways on my WG network that can provide access to the entire IPv4 (or IPv6) Internet, for redundancy and load-balancing purposes. In WG terms this means I need to set AllowedIPs to 0.0.0.0/0 on more than one peer. Then I would add routes into the regular routing

Re: Mixed MTU hosts on a network

2018-03-16 Thread Roman Mamedov
On Fri, 16 Mar 2018 15:53:43 +0500 Roman Mamedov <r...@romanrm.net> wrote: > But guess what, turns out that didn't work either. Tried both OUTPUT and > POSTROUTING chains on the "mangle" table, and set-mss all the way down to > 1220, no matter what, the iperf3 output

Re: Sending just ssh traffic via wg

2018-10-06 Thread Roman Mamedov
On Sat, 6 Oct 2018 11:21:01 +0100 Brian Candler wrote: > (Aside: I wish ssh had a feature like SNI, so that you could build an > ssh proxy that forwards incoming connections to the right host.  I have > done this before using an inbound SOCKS proxy, but it's messy to use) What insane things

Re: IPv6 Not Getting Past Server

2018-09-24 Thread Roman Mamedov
On Sat, 22 Sep 2018 15:55:22 -0400 "Aaron W. Swenson" wrote: > I’m going to use the official documentation IP addresses. I am using real IPv6 > addresses and not using NAT66. Naturally, NAT is being used for IPv4. Here are > the definitions I’m using: > > Server Public IPv6:

Re: mesh VPN with wireguard?

2019-04-06 Thread Roman Mamedov
On Thu, 28 Mar 2019 23:22:45 +0900 Tomasz Chmielewski wrote: > Does Wireguard allow to set up mesh VPN with "relative ease"? > > Say, we have 10 servers with public IPs, we want them all to create a > VPN network with private subnet 10.11.12.0/24, and have all 10 servers > communicate

Re: Help calculate MTU, ISP's 1448

2019-02-28 Thread Roman Mamedov
On Tue, 26 Feb 2019 12:39:50 + "STR ." wrote: > I have Fiber to our apartment complex basement, from there Cat6 runs to > each apartment. The ISP/apartment service provider suggests an MTU of > 1448, which I set for the PPPoE interface on my OpenWRT router. It could be that your ISP meant

ifconfig lists IPv6 twice for one WG interface

2019-03-05 Thread Roman Mamedov
Hello, I'm facing a strange issue where "ifconfig" shows the IPv6 twice for one particular WG interface. Other similar interfaces on the same machine aren't affected. Can't pinpoint what's special about this one yet. The IP is not added twice during interface setup. Adding it once more, as

Re: Wireguard fails to start when adding IPv6 to AllowedIP

2019-03-20 Thread Roman Mamedov
On Sun, 03 Mar 2019 08:56:12 +0100 XRP wrote: > [#] ip link set mtu 1200 up dev wg1 > [#] ip route add fdb8:a70c:b109:9935::/64 dev wg1 > RTNETLINK answers: No such device IPv6 cannot work with MTU less than 1280 on the device. -- With respect, Roman

Re: Logical cores / SMT with WireGuard

2019-02-17 Thread Roman Mamedov
On Thu, 14 Feb 2019 18:02:26 + Lee Yates wrote: Sorry, hit "send" before reading the rest of your message. > the router runs headless and is awkward to get a monitor to so I can access > the BIOS. You can toggle it without needing the BIOS. It is possible to disable SMT from grub, with

Re: Logical cores / SMT with WireGuard

2019-02-17 Thread Roman Mamedov
On Thu, 14 Feb 2019 18:02:26 + Lee Yates wrote: > recommendations to disable HT, I got to wondering how much - if at all - > disabling HT would impact on WireGuard's real world performance. I mean, > it obviously can utilise logical cores/threads, but is there a real > world throughput

WG can now be fragmented -- great!

2019-05-24 Thread Roman Mamedov
Hello, Just wanted to share my excitement about https://git.zx2c4.com/WireGuard/diff/?id=57a8ca7f49b5e70aae18b8b5a70cde8f9e4a9346=7cf2dae97635c8c20a8943522bab2b56c6885c8d This means WG packets can now be fragmented, and as such we can use arbitrary large MTU inside WG. This in turn means we can

Kernel thread naming

2019-06-26 Thread Roman Mamedov
Hello, Today I noticed there are kernel threads named "wg-crypt-wgX" (the latter part being name of the interface). However when there is actual load on WG, these don't seem to be active, and in "top" we still see a bunch of "kworker/0:X" using the CPU. Would it be possible to give those

Revisiting the weird MTU issue

2019-04-10 Thread Roman Mamedov
Hello, I use WireGuard over IPv6 on a PPPoE connection. The Internet interface MTU is 1492. By my calculations MTU 1412 on the WG interface should fit. However, the following occurs on various MTU combinations between the Remote (a server in a DC with full 1500 wire MTU) and Local WG interface

Re: Speed on Raspberry Pi 4

2019-07-17 Thread Roman Mamedov
On Sat, 29 Jun 2019 12:38:01 +0200 Christopher Bachner wrote: > In htop I can see that one of the 4 cores is running at 99%. So I assume > that is the bottleneck. > > Is there a way to improve this? I assume it does not matter which side is > the server and which is the client? You can see

Re: Improve "[WireGuard] Header / MTU sizes for Wireguard"

2019-07-17 Thread Roman Mamedov
On Wed, 17 Jul 2019 17:45:18 +0800 Yousong Zhou wrote: > For WireGuard overhead breakdown [1], maybe it's worth also mentioning > that N the length of encrypted data will be padded to be multiples of > 16. > > I am only aware of this when fragmentation was spotted. With 1500 as > MTU for

Re: [PATCH] wg-quick: linux: add support for nft and prefer it

2019-12-10 Thread Roman Mamedov
On Tue, 10 Dec 2019 18:36:06 +0100 "Jason A. Donenfeld" wrote: > That bachelors thesis says in the abstract, "Latency was measured > through the round-trip time of ICMP packets while throughput was > measured by generating UDP traffic using iPerf3. The results showed > that, when using linear

Re: [PATCH] wg-quick: linux: add support for nft and prefer it

2019-12-10 Thread Roman Mamedov
On Tue, 10 Dec 2019 17:54:49 +0100 "Jason A. Donenfeld" wrote: > iptables rules and nftables rules can co-exist just fine, without any > translation needed. Indeed if your iptables is symlinked to > iptables-nft, then you'll insert nftables rules when you try to insert > iptables rules, but it

Re: idle traffic considerations

2019-11-29 Thread Roman Mamedov
On Fri, 29 Nov 2019 16:18:52 -0500 zrm wrote: > Ballpark estimate, round a keepalive packet to about a hundred bytes. > You're also going to get a re-keys, call those two hundred bytes. If you > have a keepalive every 30 seconds and a re-key every 120 seconds, that's > around 18KB per hour

Re: wireguard slow pings

2020-02-23 Thread Roman Mamedov
On Sun, 16 Feb 2020 07:58:48 -0500 Neal Becker wrote: > I'm testing wireguard > wireguard-0.0.20191219-2.fc31.x86_64 > between a Fedora 31 client and server, comparing to openvpn. > > Openvpn is running between a linux client outside my lan and a server on my > router, which is running dd-wrt.

Re: Endpoint address dns resolution - option to prefer IPv6 or IPv4

2020-03-15 Thread Roman Mamedov
On Sat, 14 Mar 2020 15:51:51 +0100 Torsten Krah wrote: > resend to the list: > > Hm, sorry I don't get the message. Imho it's down to the user. I can > choose to use ping or ping6 or tell e.g. java via a system property to > prefer IPv4 if dual stack is available. > > In wireguard I can force

Re: [ANNOUNCE] wireguard-linux-compat v1.0.20200330 released

2020-04-01 Thread Roman Mamedov
On Mon, 30 Mar 2020 18:19:17 -0600 "Jason A. Donenfeld" wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Hello, > > A new version, v1.0.20200330, of the backported WireGuard kernel module for > 3.10 <= Linux <= 5.5.y has been tagged in the git repository. My kernel build for

Re: Is there a way to use wireguard as a non-encrypted VPN?

2020-04-14 Thread Roman Mamedov
On Tue, 14 Apr 2020 17:02:41 +0200 ajs124 wrote: > On Sat, 11 Apr 2020 12:13:36 -0700 > wrote: > > > I have some older routers that run OpenWRT just fine, but are a bit slow at > > Wireguard (3-5 MBytes/s for SMB transfers) and which are too slow for > > playing HD movies. > > For these

Re: Significant Dropped Packets on WG interface

2020-05-14 Thread Roman Mamedov
On Thu, 14 May 2020 16:35:30 +0930 Mike O'Connor wrote: > Hi All > > For the last few weeks my Wireguard link which I use as my default > gateway has been having issues with TCP connections stalling. > > I've been trying to work out what is wrong. I just noticed that the > Wireguard link

Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?

2020-10-09 Thread Roman Mamedov
On Fri, 9 Oct 2020 17:00:31 +0330 Rudi C wrote: > > On Fri, Oct 9, 2020 at 4:52 PM Roman Mamedov wrote: > > just install a SOCKS proxy > > These simple solutions get blocked by the DPI. (I do have my own VPS.) Seems like you misunderstand what I mean. If you use the in

Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?

2020-10-09 Thread Roman Mamedov
On Fri, 9 Oct 2020 17:16:18 +0330 Rudi C wrote: > > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov wrote: > > Seems like you misunderstand what I mean. If you use the in-VPN (internal) > > IP > > of your VPS, all communication with the SOCKS proxy installed on the VPS

Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?

2020-10-09 Thread Roman Mamedov
On Sun, 4 Oct 2020 15:41:52 +0330 Rudi C wrote: > I use Wireguard to circumvent Iran's censorship. A major problem with > it is that it's very hard to selectively proxy specific domains/apps > through Wireguard, while leaving others alone. This is an essential > feature for Iran's internet, as:

Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?

2020-10-09 Thread Roman Mamedov
On Fri, 9 Oct 2020 16:19:22 +0200 Chris wrote: > Maybe I oversimplify your problem, but from what I read, your standard route > will be using the Iranian net. > And - I guess - it is only a limited number of IP addresses, that you would > like > to reach through the tunnel. > > I don't know

Re: more specific routes for IPs added to "AllowedIPs =" ?

2020-10-01 Thread Roman Mamedov
On Wed, 30 Sep 2020 15:42:19 -0700 PGNet Dev wrote: > I've two linux machines connected with wg. > > Machine #1 is a remote VM, & connects to the public 'net. > > Machine #2 is local, on my LAN. > > To date, they've only routed internal traffic. Nice -n- easy. > > I'm adding forwarding of

Re: Standardized IPv6 ULA from PublicKey

2020-06-29 Thread Roman Mamedov
On Mon, 29 Jun 2020 12:22:49 +0200 Toke Høiland-Jørgensen wrote: > Reid Rankin writes: > > > Each IPv6 network device is *required* to have a link-local > > address by the RFC > > Given this What you quoted is the shakiest statement of the entire proposal. Might be a cool idea and all, but I

Re: Standardized IPv6 ULA from PublicKey

2020-06-29 Thread Roman Mamedov
On Mon, 29 Jun 2020 13:03:40 +0200 Toke Høiland-Jørgensen wrote: > Eh? This is specified pretty clearly in RFC4291, section 2.1: It also says: - 2.5.6. Link-Local IPv6 Unicast Addresses Link-Local addresses are for use on a single link. Link-Local addresses have the following

Re: Wireguard on Ubuntu 18.04.4 (LTS)?

2020-07-20 Thread Roman Mamedov
On Mon, 20 Jul 2020 17:04:46 +0200 wrote: > Yes, it is up to date. > Joachim > > -Original Message- > From: Jason A. Donenfeld > Sent: Monday, 20 July 2020 16:49 > To: Joachim Lindenberg > Cc: WireGuard mailing list > Subject: Re: Wireguard on Ubuntu 18.04.4 (LTS)? > > Is

No longer compiles on 5.4.76

2020-11-10 Thread Roman Mamedov
Hello, Building kernel 5.4.76 with WireGuard v1.0.20200908 fails for me now with: AS [M] net/wireguard/crypto/zinc/chacha20/chacha20-x86_64.o In file included from : ././net/wireguard/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined #define SYM_FUNC_START ENTRY In file included

Re: No longer compiles on 5.4.76

2020-11-10 Thread Roman Mamedov
On Tue, 10 Nov 2020 18:56:56 +0500 Roman Mamedov wrote: > Hello, > > Building kernel 5.4.76 with WireGuard v1.0.20200908 fails for me now with: > > AS [M] net/wireguard/crypto/zinc/chacha20/chacha20-x86_64.o > In file included from : > ././net/wireguard/compat/com

Re: OSX and Happy Eyeballs

2020-11-17 Thread Roman Mamedov
On Tue, 17 Nov 2020 13:00:01 +0100 "Marco Davids (SIDN)" wrote: > Hello, > > We have a Wireguard VPN and everything is working fine. > > There is just one little thing: IPv6 Happy Eyeballs. > > Without the VPN enabled, happy eyeballs works fine. The (IPv6) is > preferred over A (IPv4).

Re: Should we sunset Windows 7 support?

2020-11-12 Thread Roman Mamedov
On Thu, 12 Nov 2020 09:34:43 +0100 "Jason A. Donenfeld" wrote: > Could you let me know the rationale for your continued use of Windows > 7? Is it economic? Is it just UI preference, and security isn't a > priority to you? Something else? For me, the UI preference absolutely; but security *is*

Re: WG default routing

2021-01-05 Thread Roman Mamedov
On Tue, 5 Jan 2021 21:12:12 +0100 Chris Osicki wrote: > As far as I can see after a few tests, AllowedIPs config file option has > nothing to do with routing and I hope > it will stay like this. wg-quick uses AllowedIPs to also set up matching entries in the system routing table. This can be

Re: mtu on Linux vs MacOS

2021-01-21 Thread Roman Mamedov
On Sun, 17 Jan 2021 11:36:42 +0100 Harald Dunkel wrote: > Hi folks, > > I am using PPPoE to connect to my IP provider. To use wireguard on Linux I > have to reduce the MTU in wg0.conf to 1400. Using the default 1420 a ssh > connection tunneled through wireguard gets stuck (reproducible). An

Re: Multiple Clients behind NAT

2021-01-14 Thread Roman Mamedov
On Wed, 13 Jan 2021 20:14:46 + "Posegga, Joachim" wrote: > Dear all, > > I am trying to connect multiple wireguard clients behind the same NAT-Gateway > to a Mikrotik server with a public IP. I am not yet sure where exactly the > problem is, but it seems that only one client at a time

Re: mtu on Linux vs MacOS

2021-01-21 Thread Roman Mamedov
On Thu, 21 Jan 2021 19:07:18 +0500 Roman Mamedov wrote: > On Sun, 17 Jan 2021 11:36:42 +0100 > Harald Dunkel wrote: > > > Hi folks, > > > > I am using PPPoE to connect to my IP provider. To use wireguard on Linux I > > have to reduce the MTU in wg0.conf to 1

Re: Access subnet behind server.

2021-01-24 Thread Roman Mamedov
On Sat, 23 Jan 2021 11:52:56 -0500 Ken D'Ambrosio wrote: > Hey, all. I'm relatively new to WireGuard, and have a RasPi at my house > doing firewall duty. Installed WG on it, and on a VPS, and am trying to > get the VPS to access hosts on my home subnet. So: > > VPS <-192.168.50.0/24->

Re: potentially disallowing IP fragmentation on wg packets, and handling routing loops better

2021-06-07 Thread Roman Mamedov
On Mon, 7 Jun 2021 11:34:21 +0200 "Jason A. Donenfeld" wrote: > 2) Local egress fragmentation WOULD be affected by this and is the > most relevant thing in this discussion. In this case, a packet that > gets encrypted and winds up being larger than the mtu of the interface > that the encrypted

Re: potentially disallowing IP fragmentation on wg packets, and handling routing loops better

2021-06-07 Thread Roman Mamedov
On Mon, 7 Jun 2021 13:27:10 +0200 "Jason A. Donenfeld" wrote: > Can you walk me through your use case a bit more, so I can wrap my mind > around the requirements? > > ingress --plain--> wireguard --wireguard[plain]--> vxlan > --vxlan[wireguard[plain]]--> egress Not sure I understand your

Re: potentially disallowing IP fragmentation on wg packets, and handling routing loops better

2021-06-07 Thread Roman Mamedov
On Mon, 7 Jun 2021 16:46:17 +0500 Roman Mamedov wrote: > On Mon, 7 Jun 2021 13:27:10 +0200 > "Jason A. Donenfeld" wrote: > > > Can you walk me through your use case a bit more, so I can wrap my mind > > around the requirements? > > > > ingress --pla

Re: secondary IP on wg0 fails

2021-05-08 Thread Roman Mamedov
On Sat, 8 May 2021 17:31:58 +0100 lejeczek wrote: > I'm experiencing a pretty weird wireguard, or perhaps > kernel/OS stack bits behavior. > > I have three nodes which all can ping each other on wg0's > IPs but when I add a secondary IP: > > -> $ ip addr add 10.0.0.226/24 dev wg0 > > it

Re: secondary IP on wg0 fails

2021-05-09 Thread Roman Mamedov
On Sat, 8 May 2021 19:49:06 +0100 lejeczek wrote: > > Also remember that sets of AllowedIPs should be unique within the network, > > i.e. can't have the same AllowedIPs or ranges listed for multiple nodes at > > the > > same time. Setting it to the same /24 on all nodes will not work. > > > >

Re: lost connection on dynamic IP

2021-05-20 Thread Roman Mamedov
On Thu, 20 May 2021 00:28:08 +0200 Vicente Bergas wrote: > There is a public IP assigned to the router. The IP is dynamic, so, it > can change from time to time, but, once assigned, it is exclusive to > the router. > There is no carrier-grade NAT. > I've configured the router to forward the

Re: lost connection on dynamic IP

2021-05-19 Thread Roman Mamedov
On Tue, 18 May 2021 13:22:31 +0200 Vicente Bergas wrote: > A server connected to the Internet through an ISP that provides a > dynamic IP with NAT. If it's NAT, then your server has no dedicated public IP? What do you update to DNS, IP of the ISP's NAT pool (shared IP with many other

Re: lost connection on dynamic IP

2021-05-20 Thread Roman Mamedov
On Thu, 20 May 2021 11:15:30 +0500 Roman Mamedov wrote: > > So, what do you mean is that wireguard does a single DNS resolution at > > the beginning and further DNS resolutions need to be done elsewere. Is > > that correct? > > Yes. I also remembered a case where just P

Re: potentially disallowing IP fragmentation on wg packets, and handling routing loops better

2021-06-06 Thread Roman Mamedov
On Sun, 6 Jun 2021 11:13:36 +0200 "Jason A. Donenfeld" wrote: > Specifically the change would be to not allow IP fragmentation of the > encrypted UDP packets. This way, in the case of a loop, eventually the > packet size exceeds MTU, and it gets dropped: dumb and effective. > Depending on how

Re: Multiple Keys per Peer

2021-05-02 Thread Roman Mamedov
On Sun, 02 May 2021 13:02:28 +0200 Nico Schottelius wrote: > when running a lot of VPN connections using wireguard, there are some > questions we see quite often from users, two of which I'd like to > discuss here: > > Multiple keys per Peer > -- > > Users often ask for

Re: wgX iface as slave to a bridge - Linux

2021-04-25 Thread Roman Mamedov
On Sat, 24 Apr 2021 11:11:50 +0100 lejeczek wrote: > Hi guys. > > Apologies, I'll bother you guys as I failed to find some > better places to ask, I searched for forums etc. but failed. > > Can wireguard ifaces be enslaved by Linux bridge? I tried > but it did not work for me. Similarly

Re: NAT to NAT peers - 'EndPoint' IP data sharing among peers of the same key?

2021-04-06 Thread Roman Mamedov
On Sat, 3 Apr 2021 06:27:40 +0200 Giovanni Francesco wrote: > Hi, I am looking to understand if "EndPoint" IP data may be shared among > peers within the tunnel? > > The question may sound confusing, let me explain my setup. > > I have a static IPv4 wireguard server (let's call it "A" peer)

Re: T-Mobile 4G/5G CGNAT vs WireGuard tunnel jitter

2021-04-10 Thread Roman Mamedov
On Sat, 10 Apr 2021 10:27:23 -0500 Lonnie Abelbeck wrote: > I have been testing the T-Mobile Home Internet (4G/5G fixed wireless) service > to a Linode VM via WireGuard. > > The TMHI service uses CGNAT plus an additional NAT in their modem/gateway > with a MTU of 1420, so WireGuard is

Re: ipv6 connexion fail - ipv4 OK

2021-08-27 Thread Roman Mamedov
On Thu, 26 Aug 2021 13:14:00 +0200 Daniel wrote: > Correction > > On 25/08/2021 at 17:25, Daniel wrote: > > Hi list, > > > > I setup wireguard on a server running Debian 11 and get it to work with > > 2 clients (Debian 11 and Ubuntu 20.04). Clients and server are on > > separate networks,

Re: [Warning: DMARC Fail Email] Re: ipv6 connexion fail - ipv4 OK

2021-08-27 Thread Roman Mamedov
On Sat, 28 Aug 2021 07:05:45 +0930 Mike O'Connor wrote: > On a 1500 link I'm having to use 1280 to get ipv6 to successfully go > over a wireguard link. Then it is not a true 1500 MTU link, something in-between drops packets at a lower bar. Or maybe not all of them, but just UDP, for example.

Re: enabling WG0 allows telegram but impedes browsing

2021-08-21 Thread Roman Mamedov
On Fri, 20 Aug 2021 13:16:34 +0200 S Bauer wrote: > Hello team, > > Hoping you could help me out with a foggy situation. > The past week I have been struggling to get the Wireguard VPN working > smoothly. Everything seems to work on paper, except in a specific way > it doesn't. I am using

Re: Wireguard Neighborhood (IPv6)

2021-09-24 Thread Roman Mamedov
On Fri, 24 Sep 2021 11:31:40 -0400 tlhackque wrote: > WireGuard server (Linux, details below) behind a site router that > handles IPv4 NAT & an IPv6 tunnel. > > Server LAN has other hosts (and multiple subnets/vlans) - mostly dual stack. > > The WireGuard server is able to access the WireGuard

Re: linux: bridging/bonding not possible

2021-10-14 Thread Roman Mamedov
On Thu, 14 Oct 2021 04:45:32 +0200 uxdwzco...@moenia.de wrote: > as I understand, linux needs the ability to change hardware-addresses on > netdevs to put them into a bridge or bond, but wireguard-netdevs on > linux don't support hw-addresses at all (at least in kernel 5.10). > > is it possible

Re: WireGuard with obfuscation support

2021-09-27 Thread Roman Mamedov
On Mon, 27 Sep 2021 02:11:30 -0500 Bruno Wolff III wrote: > On Mon, Sep 27, 2021 at 09:53:08 +0900, > Nico Schottelius wrote: > > > >I'd appreciate if wireguard upstream would take this in, maybe even > >supporting multiple / dynamic listen ports. > > The problem is mostly orthogonal to

Re: WireGuard with obfuscation support

2021-09-27 Thread Roman Mamedov
On Mon, 27 Sep 2021 04:14:35 -0500 Bruno Wolff III wrote: > This isn't a simple problem. The assumption is that someone is seeing > your network traffic and blocking it. The assumption is that there's an appliance at the ISP which has a DROP rule for UDP with 4 fixed bytes at a fixed offset.

Re: [Warning: DMARC Fail Email] Re: ipv6 connexion fail - ipv4 OK

2021-08-30 Thread Roman Mamedov
On Mon, 30 Aug 2021 19:28:11 +0200 Daniel wrote: > To be sure (and I think it is as I have no problem with ipv4): > > . my interfaces are named wig4tootai our wigserver Nothing wrong here? > > . conf file are not named .conf but server.conf or > anyname.conf Nothing wrong here too?

Re: [Warning: DMARC Fail Email] Re: ipv6 connexion fail - ipv4 OK

2021-08-30 Thread Roman Mamedov
On Mon, 30 Aug 2021 19:44:21 +0200 Daniel wrote: > > Do you get WG working at all, between some other two hosts (not involving > > this > > particular server for now)? > Yes. Clients are shown on both sides as connected, traffic seems to go > out on each side but other one as received near to

Re: [Warning: DMARC Fail Email] Re: ipv6 connexion fail - ipv4 OK

2021-08-30 Thread Roman Mamedov
On Mon, 30 Aug 2021 12:24:01 +0200 Daniel wrote: > Using tcpdump -i any I see the traffic coming to the gre interface and > that's all. But netstat show > > udp6   0  0 :::12345 :::*    > 0  125391 - > > and ps aux output is > > dh@peech:~$ ps

Re: WireGuard Windows should have default MTU of 1280.

2022-02-21 Thread Roman Mamedov
On Tue, 22 Feb 2022 00:57:10 +0500 Roman Mamedov wrote: > On Mon, 21 Feb 2022 22:16:22 +0300 > Michael Tokarev wrote: > > > 21.02.2022 22:11, Michael Adams wrote: > > > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, > > > for IPv6 VPN

Re: WireGuard Windows should have default MTU of 1280.

2022-02-21 Thread Roman Mamedov
On Mon, 21 Feb 2022 22:16:22 +0300 Michael Tokarev wrote: > 21.02.2022 22:11, Michael Adams wrote: > > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, > > for IPv6 VPN support on Windows & Linux. It's good practice. > > Lemme guess. The OP is routing wg packets over

Re: [WireGuard] Header / MTU sizes for Wireguard

2023-08-24 Thread Roman Mamedov
On Thu, 24 Aug 2023 08:50:20 -0400 Saint Michael wrote: > This is the Achilles' heel of Wireguard. It reduces the MTU too much. Other > tunneling techniques use a much larger MTU. I use Mikrotik routers and one > of the supported tunnels goes up to 1472. Some apps require a large MTU. > Why

Re: [WireGuard] Header / MTU sizes for Wireguard

2023-08-23 Thread Roman Mamedov
On Thu, 17 Aug 2023 20:14:52 + blurt_overkill...@simplelogin.com wrote: > I see here[1] that if you're using IPv4 exclusively, you can get away with > an MTU of 1440. If my client only has IPv4 internet, however the server > issues an IPv6 address for use by the client, can the client still

Re: [PATCH] wg-quick: linux: add restart command.

2023-08-16 Thread Roman Mamedov
On Wed, 16 Aug 2023 07:06:53 +0200 Henrik Hautakoski wrote: > Add a simple "restart" command that just does cmd_down followed by a cmd_up. > Saves a bit of typing :) > > Signed-off-by: Henrik Hautakoski > --- > src/wg-quick/linux.bash | 7 ++- > 1 file changed, 6 insertions(+), 1

Re: How to improve Wireguard speed?

2022-06-01 Thread Roman Mamedov
On Wed, 1 Jun 2022 10:07:31 +0100 Houman wrote: > I didn't change the MTU settings, but I have a suspicion about MTU. I > found this article here that makes some interesting suggestions to set > MTU to 1280: https://keremerkan.net/posts/wireguard-mtu-fixes/ > > And beyond that iptables -A

Re: Outgoing ping required in container environment (even with PersistentKeepalive)

2022-05-08 Thread Roman Mamedov
On Sun, 08 May 2022 08:34:46 +0200 Nico Schottelius wrote: > The connection stays correctly established. > > If anyone has a pointer on what might be going on, any help is > appreciated. Maybe you don't have a corresponding firewall rule, and happen to rely on the ESTABLISHED,RELATED matching

Re: [Question or feature request] Support multiple peer config file using something like /etc/wireguard/conf.d

2022-08-23 Thread Roman Mamedov
Hello, On Tue, 19 Jul 2022 21:36:57 + Quentin Vallin wrote: > I'm trying to separate my peer configuration and automate it.  > > I know that I can use the post hook PostUp = wg addconf /path/to/my/file > > It would be easier to have a special path where wireguard can merge the config >

Re: [RESEND PATCH v3] wg: Support restricting address family of DNS resolved Endpoint

2023-02-19 Thread Roman Mamedov
On Sun, 19 Feb 2023 19:04:28 +0100 Daniel Gröber wrote: > +static inline bool parse_address_family(int *family, const char *value) > +{ > + if (strcmp(value, "inet") == 0) > + *family = AF_INET; > + else if (strcmp(value, "inet6") == 0) > + *family = AF_INET6;

Re: Source IP incorrect on multi homed systems

2023-02-19 Thread Roman Mamedov
On Sun, 19 Feb 2023 21:18:34 +0100 Nico Schottelius wrote: > If I am not mistaken that would mean in practice: > >if orignal_pkg.ip_dst == one_of_my_ips then > return_pkg.ip.src = orignal_pkg.ip_dst > return_pkg.ip.dst = orignal_pkg.ip_src >fi > > For me that sounds like a

Force a specific IP for outgoing WG traffic with SNAT?

2023-02-16 Thread Roman Mamedov
Hello, I'm trying to move all my WG communication with peers to a non-primary IP of my server. It has IPs added like this: inet6 2001:db8::ca6c/128 scope global deprecated valid_lft forever preferred_lft 0sec inet6 2001:db8::1/128 scope global nodad valid_lft forever