On Thu, Jun 06, 2019 at 12:09:45PM +0200, Toke Høiland-Jørgensen wrote:
> Paul Zillmann <[email protected]> writes:
..
> > The problem is that the allowed-ips configuration has multiple purposes:
> > routing table and firewall/packet filter. This introduces these
> > problems. It would be helpful to get a compile flag or something else
> > to make this behavior optional.
>
> That is probably not going to happen; the crypto-routing is quite
> integral to Wireguard, and is an important security feature.
>
Disabling source filtering entirely is a bad idea, but permitting non-routed (duplicate) inputs would be a useful feature for key rotation, failover and building resilient and/or exotic routing networks without adding yet another layer of tunneling headers. For example, by separating the parameters as:

AllowedIPs: A, B, C
RouteIPs: A, C

or setting both at once:

IPs: A, C

As per the original question, I do find it strange that a transient modification of a peer can remove routes from another peer. Also discarding routes in general, even more so when done silently.

Regards,
Ivan

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
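The behaviour discussed in this thread, as an added illustration that is not part of the mailing-list post and not WireGuard's own code: a small, constructed model of the cryptokey routing table in which every allowed-ip prefix has exactly one owning peer, so handing a prefix to a second peer (e.g. during failover) takes the route away from the first, and reverting the second peer does not give it back. The peer names and prefixes are made up for the example.

```python
import ipaddress


class CryptokeyRoutingTable:
    """Simplified model of WireGuard-style cryptokey routing (constructed for illustration).

    Each allowed-ip prefix is owned by exactly one peer. Assigning a prefix to a
    peer silently takes it away from whichever peer held it before, and removing
    it later does not restore the previous owner.
    """

    def __init__(self):
        self.owner = {}  # ip_network -> peer name

    def set_allowed_ips(self, peer, prefixes, replace=True):
        # replace=True: the new list replaces this peer's previous prefixes; False appends.
        if replace:
            for net in [n for n, p in self.owner.items() if p == peer]:
                del self.owner[net]
        moved = []
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            previous = self.owner.get(net)
            if previous is not None and previous != peer:
                moved.append((net, previous))  # another peer just lost this route, silently
            self.owner[net] = peer
        return moved

    def route(self, dst):
        # Outbound: longest-prefix match selects the peer (and thus the key) to encrypt for.
        addr = ipaddress.ip_address(dst)
        candidates = [(n.prefixlen, p) for n, p in self.owner.items() if addr in n]
        return max(candidates)[1] if candidates else None

    def accept_inbound(self, peer, src):
        # Inbound: a decrypted packet is accepted only if its source is allowed for the
        # peer it arrived from; this is the source-filtering half of allowed-ips.
        return self.route(src) == peer


def failover_scenario():
    table = CryptokeyRoutingTable()
    table.set_allowed_ips("A", ["10.0.0.0/24"])
    table.set_allowed_ips("B", ["10.0.1.0/24"])
    before = table.route("10.0.0.7")  # "A"
    # Temporary failover: hand A's prefix to B, then revert B to its own prefix only.
    moved = table.set_allowed_ips("B", ["10.0.1.0/24", "10.0.0.0/24"])
    during = table.route("10.0.0.7")  # "B"
    table.set_allowed_ips("B", ["10.0.1.0/24"])
    after = table.route("10.0.0.7")  # None: A's route is gone, not restored
    return before, during, after, moved
```

The `moved` list returned by `set_allowed_ips` is the information the poster asks for: which peer lost a route as a side effect of changing another peer.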
