Hi everyone,

Would it be possible for wireguard to support ip6tables-like network masks [1] for the allowed-ips besides CIDR masks? With CIDR we are limited to variable suffixes, while with network masks we could have variable prefixes, suffixes or any combination.

[1] https://linux.die.net/man/8/ip6tables

-------------------------------

Use case (why does it matter to me):

I have a client-server setup where I would like to allow the client peers to choose any IPv6 they wish as long as they honor a given suffix. Collisions are avoided by having a unique suffix for each client. With CIDR I can only make clients honor a prefix.

The long story

On my home network I reserved two IPv6 subnets for Wireguard clients:
- a private one, e.g. fdaa:aaaa:aaaa:aabb::/64 (never changes);
- a public one, e.g. 2001:aaaa:aaaa:aabb::/64, which is a subnet of the subnet attributed by my ISP (the positions marked with aa's change regularly according to the dynamic assigning done by my ISP).

Attributing public IPv6 addresses to the wireguard clients allows them to reach the Internet through the tunnel with no need for NAT.

Currently, there seems to be no way of dynamically attributing IPs to clients. (Or is there some kind of DHCPv6 over Wireguard?) Thus, to keep my Cryptokey Routing Table working properly I have to update it on both server and clients whenever my ISP attributes me a different subnet (power outages, router restarts, etc.).

This is easy on the clients, which connect and disconnect regularly. I just need a small script to connect to the wireguard server, that gets the current public subnet (from Dynamic DNS) before setting the public IPv6 for the tunnel interface.

Things are nastier on the server side though, which is an OpenWrt router. I would need a cron/procd job hammering OpenWrt config files whenever a change is detected.

Network masks would be a much cleaner solution on this setup and probably many others.

Note: I trust all my client peers (which are just me, on other computers outside my home network).

-------------------------------

Thanks for building wireguard and especially for publishing it as open-source. You have a great piece of software here. Much appreciated.

Regards!
--
dllud

_______________________________________________
WireGuard mailing list
https://lists.zx2c4.com/mailman/listinfo/wireguard
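The matching rule requested above, as an added example that is not part of the original message and is not WireGuard code: an entry is an address plus an arbitrary bit mask, a source address matches when it agrees with the entry on every masked bit, and two entries are ambiguous for cryptokey routing when some address matches both. The function names, the peer names, the suffixes ::1 and ::2 and the changed prefix 2001:db8:1:2::/64 are assumptions made for the illustration.

```python
import ipaddress

FULL = (1 << 128) - 1

def parse_masked(spec):
    """Parse 'addr/mask'; mask is a prefix length or an IPv6-form bit mask."""
    addr_s, _, mask_s = spec.partition("/")
    if not mask_s:
        mask = FULL
    elif mask_s.isdigit():
        plen = int(mask_s)
        if plen > 128:
            raise ValueError(f"bad prefix length: {plen}")
        mask = (FULL << (128 - plen)) & FULL
    else:
        mask = int(ipaddress.IPv6Address(mask_s))  # may be non-contiguous
    return int(ipaddress.IPv6Address(addr_s)) & mask, mask

def matches(entry, address):
    """True if the address agrees with the entry on every masked bit."""
    base, mask = entry
    return (int(ipaddress.IPv6Address(address)) & mask) == base

def overlaps(a, b):
    """True if some address matches both entries (they agree on all bits both constrain)."""
    return ((a[0] ^ b[0]) & a[1] & b[1]) == 0

def peer_for(table, address):
    """Return the single matching peer, or None when nothing or more than one matches."""
    hits = [peer for peer, entry in table.items() if matches(entry, address)]
    return hits[0] if len(hits) == 1 else None

SUFFIX = "::ffff:ffff:ffff:ffff"  # constrain only the low 64 bits
TABLE = {  # constructed peers and suffixes, not from the original message
    "laptop": parse_masked("::1/" + SUFFIX),
    "phone": parse_masked("::2/" + SUFFIX),
}

if __name__ == "__main__":
    # First two prefixes are the message's examples; 2001:db8:1:2:: is a constructed
    # stand-in for a prefix newly assigned by the ISP.
    for src in ("2001:aaaa:aaaa:aabb::1", "fdaa:aaaa:aaaa:aabb::2",
                "2001:db8:1:2::1", "2001:db8:1:2::3"):
        print(src, "->", peer_for(TABLE, src))
```

A suffix-only entry accepts that suffix under every prefix, so it overlaps any CIDR entry whose host bits are unconstrained; `overlaps()` reports that case and `peer_for()` refuses to pick a peer for it.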
