Hi Damian,

Indeed, right now WireGuard lets you specify a "listen port", but then defaults to opening two sockets, one for v4 and one for v6, on the ANY address. This generally isn't a problem because WireGuard is silent unless it's sent fully authenticated packets. For ease of use, I figured that it should accept these from anywhere, since if it's authenticated, it's authenticated.

But there is the sysadmin concern of wanting to run other services on the same port, like a local DNS resolver on 53. I can't think of a clean interface for allowing this, however. Maybe you have some ideas?

For example, if I simply allow specifying IP:port, then how does this work for supporting v4 & v6? Maybe I should then allow for specifying an arbitrarily large list of IP:port combos, and reserve one special-case entry for "both v4 and v6"? But this gets super complicated and I don't want that. Or maybe I should rely on using the v6-mapped-v4 hack, except this isn't available on all systems and isn't really efficient for what we're doing inside WireGuard.

So, hmm... I couldn't come up with a clean way of doing this, so I just stuck with the simplest thing I could think of... Ideas?
Jason

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
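The socket layout Jason describes (one v4 socket on 0.0.0.0:port, one v6-only socket on [::]:port) is easy to reproduce, and doing so makes the sysadmin's concern concrete: while those two wildcard sockets hold a port, nothing else on the host can bind that port on a specific address. The following is an added illustration, not WireGuard code and not from the thread; it uses plain UDP sockets, lets the kernel pick a free port instead of 53, and uses 127.0.0.1 as a constructed stand-in for the address a local resolver would want. The observed errno values are what Linux returns without SO_REUSEADDR.

```python
import errno
import socket

# Added example, not WireGuard's code: shows why two wildcard UDP sockets on one
# port (the layout described in the mail) keep other local services off that port.


def try_bind(family, addr, port, v6only=None):
    """Try to bind one UDP socket.

    Returns (socket, None) on success, or (None, errno_name) if the address
    family is unavailable or the bind is refused (e.g. "EADDRINUSE").
    """
    try:
        sock = socket.socket(family, socket.SOCK_DGRAM)
    except OSError as exc:
        return None, errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        if family == socket.AF_INET6 and v6only is not None:
            # IPV6_V6ONLY=1 keeps a [::] socket from also claiming 0.0.0.0, which is
            # what lets a separate v4 socket share the same port number.
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        sock.bind((addr, port))
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))
    return sock, None


def open_wildcard_pair(port=0):
    """Open the two sockets the mail describes: 0.0.0.0:port and [::]:port (v6-only).

    port=0 lets the kernel choose a free port for the v4 socket; the v6 socket then
    reuses that number. The 'v6' entry is None on hosts without IPv6.
    """
    v4, err = try_bind(socket.AF_INET, "0.0.0.0", port)
    if v4 is None:
        raise OSError(f"IPv4 wildcard bind failed: {err}")
    port = v4.getsockname()[1]
    v6, _ = try_bind(socket.AF_INET6, "::", port, v6only=True)
    return {"port": port, "v4": v4, "v6": v6}


def close_pair(pair):
    for key in ("v4", "v6"):
        if pair[key] is not None:
            pair[key].close()


def dual_stack_conflict(pair):
    """The 'v6-mapped-v4 hack' alternative: a single [::] socket with IPV6_V6ONLY=0
    must own both families, so it collides with the existing 0.0.0.0 socket.
    Returns the errno name of the refusal, or None where the bind unexpectedly succeeds."""
    sock, err = try_bind(socket.AF_INET6, "::", pair["port"], v6only=False)
    if sock is not None:
        sock.close()
    return err


def probe_port_sharing(port=0, other_addr="127.0.0.1"):
    """Reproduce the sysadmin's conflict: while the wildcard pair holds the port, a
    second service binding a specific address on that port is refused; once the pair
    is released, the same bind succeeds. other_addr is a constructed stand-in for the
    address a local resolver would use."""
    pair = open_wildcard_pair(port)
    try:
        blocked, err_while_held = try_bind(socket.AF_INET, other_addr, pair["port"])
        if blocked is not None:
            blocked.close()
    finally:
        close_pair(pair)
    freed, err_after = try_bind(socket.AF_INET, other_addr, pair["port"])
    if freed is not None:
        freed.close()
    return {"port": pair["port"], "while_held": err_while_held, "after_release": err_after}


if __name__ == "__main__":
    result = probe_port_sharing()
    print(result)
```

Running it prints a dict whose `while_held` entry is `EADDRINUSE` and whose `after_release` entry is `None`: the wildcard pair blocks the specific-address bind exactly as the mail anticipates, and releasing it (or binding WireGuard to a specific address in the first place) is what would free the port for another service.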
