You could separate the two subnets into two WireGuard interfaces, for example 10.0.0.0/24 in wg0.conf, while 10.0.1.0/24 in wg1.conf.

On Wed, Nov 7, 2018 at 3:47 AM Lars Francke <lars.fran...@gmail.com> wrote:
>
> Hi,
>
> I've been playing around with WireGuard recently. Thank you for all your work
> on it.
>
> It all mostly works but I have one thing that I can't grasp properly:
>
> My setup is a bunch of servers that need to communicate securely over an
> unsecured network. Like a mesh. So I have three servers and each of them has
> a connection to the other two (i.e. two Peers). This all works beautifully.
>
> Now I want to add an outside client into the mix (e.g. my laptop). I want to
> be able to connect to just one of those hosts and have that host forward my
> packages to the others.
>
> I can get it to work if I pick _one_ specific jump host but I haven't managed
> to set it up in a way that I can connect to any of them.
>
> (I'm leaving out Private & Public Key, Ports and Endpoints to make the
> examples shorter.)
>
> Client wg0.conf:
> [Interface]
> Address = 10.0.1.1
>
> # Server 1
> [Peer]
> AllowedIPs = 10.0.0.1/24
>
>
> Server 1 wg0.conf:
> [Interface]
> Address = 10.0.0.1
>
> # Client
> [Peer]
> AllowedIPs = 10.0.1.1/32
>
> # Server 2
> [Peer]
> AllowedIPs = 10.0.0.2, __10.0.1.1/32__
>
> # Server 3
> [Peer]
> AllowedIPs = 10.0.0.3, __10.0.1.1/32__
>
>
> Server 2 wg0.conf:
> [Interface]
> Address = 10.0.0.2
>
> # Client
> [Peer]
> AllowedIPs = 10.0.1.1/32
>
> # Server 1
> [Peer]
> AllowedIPs = 10.0.0.1, __10.0.1.1/32__
>
> # Server 3
> [Peer]
> AllowedIPs = 10.0.0.3, __10.0.1.1/32__
>
>
> Server 3 etc. are similar.
>
> This way I can connect with my client to any of the Servers and I can ping
> them (e.g. ping 10.0.0.1) but I can _not_ ping the others: So when I connect
> to server-1 I can not reach server-2 from my client (IP forwarding etc. is
> enabled).
>
> This only works when I remove the second IP from AllowedIPs (the one marked
> with underscores) from the server I connect to (e.g. server 1). The other
> servers (e.g. server 2 & 3) need it though because of course they'll see
> traffic from 10.0.1.1 being forwarded to them so it needs to be in their
> AllowedIPs.
>
> That means I can get everything to work if I pick one special host that
> Clients connect to.
>
> I might just fundamentally misunderstand how AllowedIPs works. Any help is
> greatly appreciated.
>
>
> An unrelated question: Should wg-quick up be allowed to be called with just a
> file name?
> e.g. wg-quick up wg0.conf?
> I understand the man page that it should but I think the behavior is broken
> on MacOS/Darwin because it tries to cd into the file which fails.
>
>
> Cheers,
> Lars
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
Re: Question about AllowedIPs and proper "mesh" setup
KeXianbin(http://diyism.com) Tue, 06 Nov 2018 17:57:00 -0800
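The cryptokey routing rule behind the question, as an added example that is not from the thread: on one WireGuard interface each AllowedIPs prefix belongs to exactly one peer, and a later [Peer] that claims the same prefix takes it away from the earlier one, so a single interface cannot hold 10.0.1.1/32 for the client and for the other servers at the same time. The small checker below (its function names and the embedded config are constructed, modelled on the "Server 1 wg0.conf" quoted above) parses a wg-quick conf, builds the effective prefix-to-peer table and reports prefixes claimed by more than one peer.

```python
import ipaddress
# Constructed wg-quick conf modelled on "Server 1 wg0.conf" from the question (keys, ports and endpoints omitted).
SERVER1_CONF = """[Interface]
Address = 10.0.0.1

# Client
[Peer]
AllowedIPs = 10.0.1.1/32

# Server 2
[Peer]
AllowedIPs = 10.0.0.2, 10.0.1.1/32

# Server 3
[Peer]
AllowedIPs = 10.0.0.3, 10.0.1.1/32
"""

def parse_peers(conf):
    """Collect each [Peer]'s AllowedIPs in file order; the comment before it serves as its name."""
    peers, label = [], None
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("#"):
            label = line.lstrip("# ")
        elif line == "[Peer]":
            peers.append((label or f"peer{len(peers) + 1}", []))
        elif line.startswith("AllowedIPs") and "=" in line and peers:
            # wg treats a bare address as /32 and drops host bits (10.0.0.1/24 -> 10.0.0.0/24)
            peers[-1][1].extend(ipaddress.ip_network(c.strip(), strict=False)
                                for c in line.split("=", 1)[1].split(","))
    return peers

def cryptokey_table(peers):
    """Prefix -> owning peer; as in the kernel's allowed-IPs table, a later claim replaces an earlier one."""
    return {net: name for name, nets in peers for net in nets}

def owner_of(table, ip):
    """Longest-prefix match: the only peer that may send or receive this inner IP."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in table if addr in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def conflicts(peers):
    """Prefixes claimed by more than one peer, in claim order; only the last name keeps the prefix."""
    claims = {}
    for name, nets in peers:
        for net in nets:
            claims.setdefault(net, []).append(name)
    return {str(net): names for net, names in claims.items() if len(names) > 1}
```

Running `conflicts(parse_peers(SERVER1_CONF))` flags 10.0.1.1/32 as claimed by all three peers, and `owner_of` shows only the last of them keeps it.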