On Tue, May 2, 2017 at 11:56 AM, Damian Kaczkowski <[email protected]> wrote:
> Hello Janson.

My name is Jason.

> 3. Well, if one uses a firewall to control flows between zones in an environment
> with mixed protocols (e.g. gre, ipsec, openvpn and so on), then using a second
> tool just to control only wireguard ACLs is not a very convenient way from an
> administrative point of view. Also, in the case where a peer is roaming and
> changing its source IP (e.g. road warrior), maintaining wireguard ACLs
> will be a huge PITA, if not impossible at large scale.

No, you are wrong. Allowed-ips controls the IP addresses _within_ the tunnel.
Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or similar to match
a _precise_ peer.

> 4. Does wireguard have some means so that iptables can easily differentiate
> tunnels (peers) and put them in an appropriate 'zone'? Like e.g.
> iptables -m policy --help
> iptables -m ah --help
> iptables -m esp --help
>
> Or something similar?

WireGuard has gone out of its way to explicitly avoid this brain damage. Use
the allowed-ips concept instead.

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
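The approach the reply describes, worked through as an added example (this is not code from the list post or from the WireGuard project): a small POSIX sh script that reads a wg-quick style config and emits one iptables rule per AllowedIPs prefix, jumping to a per-peer zone chain. It works because WireGuard's cryptokey routing only delivers a decrypted packet if its inner source address falls within the sending peer's AllowedIPs, and a given prefix can belong to only one peer at a time, so "-i wg0 -s <prefix>" identifies exactly that peer no matter which endpoint address it is currently roaming from. The sample config, the peer names, the zone names and the ZONE_* chain names are all constructed for this example; the keys are placeholders.

```shell
#!/bin/sh
# Added example: derive per-peer iptables zone rules from AllowedIPs.
# Not part of the original post or of the WireGuard project.

# Constructed sample wg0.conf (keys are placeholders, not real keys).
WG_CONF='[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# office-router: fixed site, trusted zone
PublicKey = <office-public-key>
AllowedIPs = 10.0.0.2/32, 192.168.50.0/24

[Peer]
# roadwarrior-laptop: endpoint changes constantly, guest zone
PublicKey = <laptop-public-key>
AllowedIPs = 10.0.0.3/32
'

# Zone assignment keyed by the peer'"'"'s first AllowedIPs prefix.
# The prefix is the stable identity of the peer inside the tunnel; the
# peer'"'"'s outer endpoint IP never appears in any rule.
zone_for() {
    case "$1" in
        10.0.0.2/32) echo trusted ;;
        10.0.0.3/32) echo guest ;;
        *)           echo drop ;;
    esac
}

# Print "<prefix> <first-prefix-of-that-peer>" for every AllowedIPs entry.
peer_prefixes() {
    printf '%s\n' "$WG_CONF" | awk '
        /^\[Peer\]/ { inpeer = 1; next }
        /^\[/       { inpeer = 0; next }
        inpeer && /^AllowedIPs/ {
            sub(/^AllowedIPs[ \t]*=[ \t]*/, "")
            gsub(/[ \t]/, "")
            n = split($0, p, ",")
            for (i = 1; i <= n; i++) print p[i], p[1]
        }'
}

# Emit one FORWARD rule per prefix. Matching on the inner source address
# is safe because WireGuard drops any decrypted packet whose source is not
# within the sending peer'"'"'s AllowedIPs before it ever reaches netfilter.
peer_rules() {
    peer_prefixes | while read -r prefix first; do
        printf 'iptables -A FORWARD -i wg0 -s %s -j ZONE_%s\n' \
            "$prefix" "$(zone_for "$first" | tr a-z A-Z)"
    done
}

# Stand-alone run: print the generated rules.
peer_rules
```

Pipe the output into sh to apply it, or translate the same mapping into an iptables-restore file. For reply traffic into the tunnel the matching rule is the mirror image, "-o wg0 -d <prefix>", and the ZONE_* chains are assumed to already exist.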
