In an old thread [1], danrl suggested deriving node addresses from the
peer public keys. I liked this idea, so I wrote a tool to do it. It
works like this:

generate an ipv6 address from the default ipv6 subnet of the script
wg-ip -6 gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=

generate an ipv4 address from the default ipv4 subnet of the script
wg-ip -4 gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=

generate an ip address from a custom subnet (ip version inferred from prefix):
wg-ip --subnet gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=

assign an ip address to the selected interface and allowed ips to the
peers, all in the same subnet (existing allowed ips are preserved):
wg-ip [-4|-6|--subnet <subnet>] [dev wg0] apply

or just see which commands 'apply' would run
wg-ip [-4|-6|--subnet <subnet>] [dryrun]

Derivation algorithm: the bytes of the ip address are taken from the
beginning bytes of the sha256 hash of the corresponding pubkey, and
are masked with the network mask.

The tool does not handle collisions nor special addresses: The idea is
to pick a subnet large enough so that these cases are unlikely enough.
For ipv6, with a /48 prefix, that would be a 80 bits address space, so
birthday attacks say one needs about 2^40 peers until they reach a
significant risk of collision, which will fill the routing table well
before this even becomes a problem. For ipv4 with the, the
address space is 24 bits, so odds are still pretty good until 2^12
peers, but this time it is reachable. For my personal needs (about 10
peers) and for anyone with a network of less than 1000 peers (if my
maths are correct), it should be largely sufficient (collision
probability under 5%). Worst case, if you don't like the ip address
generated, just use another key pair.

It is written in bash, in the spirit of wg-quick. I am definitely open
to have it integrated in wireguard if people show interest.


[1]: https://lists.zx2c4.com/pipermail/wireguard/2016-December/000812.html
WireGuard mailing list

Reply via email to