Re: Multiple peers
Hi Gianluca,

you may also want to read this example I explained in the Ninux mailing list:
https://www.mail-archive.com/wireless@ml.ninux.org/msg20983.html

Best regards

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
Re: Multiple peers
Thanks to both of you guys, really helpful! Especially **Network Namespace** is a great feature that I didn't know before.

Cheers,
Gianluca
Re: Multiple peers
Another option instead of using the iptables rule is to create a network namespace and assign the wireguard interface to it.

    ip netns add mesh
    ip link add wg0 type wireguard
    ip link set wg0 netns mesh
    ip -n mesh addr add x.x.x.x/24 dev wg0
    ip netns exec mesh wg setconf wg0 /etc/wireguard/wg0.conf
    ip -n mesh link set wg0 up

I prefer this because it isolates any mesh network routing and firewall configuration from that of the physical interfaces of the hub server. You don't have to worry about a routing or firewall misconfiguration on the hub leading to the traffic from the VPN network going on to the hub server's underlying network. Also, if you want to provide a service to the VPN network from the server, you can run the process in the mesh network namespace or inside a container with only an interface in the mesh namespace available to it.

On Tue, Mar 13, 2018 at 1:35 PM, wrote:
> Hi Gianluca,
>
>> I wonder if I need to copy/paste all peers' public key on all the other
>> peers' configuration, or I can just configure each peer to connect to the
>> server and then allow peers talking with other peers passing through this
>> server?
>
> If you want each peer to have a 1:1 connection to each other peer, then –
> yes. But to maintain such a mesh will be quite a bit of work…
>
> The easier solution should be to use the server as a hub. Make sure the
> AllowedIPs on the “clients” permit the subnet IP range you will be using,
> e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer
> should reflect the single address (/32) you are setting as interface address
> on the peer's side.
>
> To glue, add an iptables rule:
> iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT
>
> Kind regards,
> Peter
Re: Multiple peers
Hi Gianluca,

> I wonder if I need to copy/paste all peers' public key on all the other peers' configuration, or I can just configure each peer to connect to the server and then allow peers talking with other peers passing through this server?

If you want each peer to have a 1:1 connection to each other peer, then – yes. But to maintain such a mesh will be quite a bit of work…

The easier solution should be to use the server as a hub. Make sure the AllowedIPs on the “clients” permit the subnet IP range you will be using, e.g. 192.168.10.0/24. The “server's” setting for AllowedIPs for each peer should reflect the single address (/32) you are setting as interface address on the peer's side.

To glue, add an iptables rule:

    iptables -A FORWARD -i wg9 -o wg9 -j ACCEPT

Kind regards,
Peter
Re: Multiple peers to one wireguard "server"
Yes of course, bad of me to have missed having multiple peers in one config file. Thank you for your help.

On Mon, May 29, 2017 at 10:54 PM Jason A. Donenfeld wrote:
> Hi Ibrahim,
>
> On Mon, May 29, 2017 at 10:31 PM, Ibrahim Tachijian wrote:
>> If I understand correctly if I need to connect 10 different wg "clients" to
>> one wg "server" I will require one wgX interface per-client on the "server".
>>
>> Is this correct? Does this mean also that each wgX interface on the "server"
>> needs to listen on its own UDP port or can the "server" reuse the same UDP
>> port?
>
> No. Each WireGuard interface may have multiple peers:
>
> [Interface]
> PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
> ListenPort = 51820
>
> [Peer]
> PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
> Endpoint = 192.95.5.67:1234
> AllowedIPs = 10.192.122.3/32, 10.192.124.1/24
>
> [Peer]
> PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
> Endpoint = [2607:5300:60:6b0::c05f:543]:2468
> AllowedIPs = 10.192.122.4/32, 192.168.0.0/16
>
> [Peer]
> PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
> Endpoint = test.wireguard.io:18981
> AllowedIPs = 10.10.10.230/32
>
> Please see the man page wg(8) or the front page of the website --
> www.wireguard.io -- for more details.
>
> Regards,
> Jason

--
*Ibrahim Tachijian*
CEO Net Sat AB
Mobile: +46723321377
bar...@netsat.se
*Net Sat AB C/O Jayway AB*
Klara Östra Kyrkogata 2B, 1TR, 111 52 Stockholm, Sweden
Office: +46 (0)8 408 394 53
Re: Multiple peers to one wireguard "server"
Hi Ibrahim,

On Mon, May 29, 2017 at 10:31 PM, Ibrahim Tachijian wrote:
> If I understand correctly if I need to connect 10 different wg "clients" to
> one wg "server" I will require one wgX interface per-client on the "server".
>
> Is this correct? Does this mean also that each wgX interface on the "server"
> needs to listen on its own UDP port or can the "server" reuse the same UDP
> port?

No. Each WireGuard interface may have multiple peers:

    [Interface]
    PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
    ListenPort = 51820

    [Peer]
    PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
    Endpoint = 192.95.5.67:1234
    AllowedIPs = 10.192.122.3/32, 10.192.124.1/24

    [Peer]
    PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
    Endpoint = [2607:5300:60:6b0::c05f:543]:2468
    AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

    [Peer]
    PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
    Endpoint = test.wireguard.io:18981
    AllowedIPs = 10.10.10.230/32

Please see the man page wg(8) or the front page of the website -- www.wireguard.io -- for more details.

Regards,
Jason
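As an added example, not code from this thread or from the WireGuard project: a small Python checker for the hub layout Peter describes, parsing a wg(8) setconf-style file with several [Peer] sections like Jason's and flagging hub-side AllowedIPs that are not a single /32 inside the VPN subnet or that overlap another peer's entry (WireGuard's cryptokey routing maps each prefix to exactly one peer, so an overlap silently reassigns the address). The config, the peer names and the key placeholders are constructed.

```python
import ipaddress

# Constructed hub-side config in wg(8) setconf syntax; the keys are placeholders.
HUB_CONF = """\
[Interface]
PrivateKey = <hub-private-key-placeholder>
ListenPort = 51820
[Peer]
PublicKey = <peer-a-public-key>
AllowedIPs = 192.168.10.2/32
[Peer]
PublicKey = <peer-c-public-key>
AllowedIPs = 192.168.10.0/24
"""

def parse_wg_conf(text):
    """Return (interface_settings, [peer_settings, ...]) from wg(8) syntax."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:  # split on the first '=' only: base64 keys end in '='
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def check_hub_allowed_ips(text, vpn_subnet):
    """Flag hub-side AllowedIPs that are not one /32 inside vpn_subnet, or that
    overlap a prefix already claimed by an earlier [Peer] section."""
    net = ipaddress.ip_network(vpn_subnet)
    problems, claimed = [], []
    for idx, peer in enumerate(parse_wg_conf(text)[1]):
        pub = peer.get("PublicKey", f"peer#{idx}")
        for cidr in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            prefix = ipaddress.ip_network(cidr, strict=False)
            if prefix.prefixlen != prefix.max_prefixlen:
                problems.append((pub, cidr, "hub entry should be a single /32 address"))
            elif prefix.version != net.version or not prefix.subnet_of(net):
                problems.append((pub, cidr, f"address outside {net}"))
            for other_pub, other in claimed:
                if prefix.version == other.version and prefix.overlaps(other):
                    problems.append((pub, cidr, f"overlaps {other} of {other_pub}"))
            claimed.append((pub, prefix))
    return problems
```

Running `check_hub_allowed_ips(HUB_CONF, "192.168.10.0/24")` reports the /24 entry twice: once for not being a /32 and once for overlapping peer a's address.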
Re: Multiple peers to one wireguard "server"
On Mon, 29 May 2017 20:31:36 + Ibrahim Tachijian wrote:
> If I understand correctly if I need to connect 10 different wg
> "clients" to one wg "server" I will require one wgX interface
> per-client on the "server".
>
> Is this correct?

No, it means you'll have wg0 and 10 [Peer] sections in your server configuration file.

Jean-Yves