<div dir="ltr">ok thanks, <div>what is confusing me is that allowed ip is for : </div><div>- authorized source packet</div><div>- routing outgoing packet </div><div>and we can set allowedips with a lot of ip / netmask</div><div>Regards,</div><div>Nicolas</div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-24 14:10 GMT+01:00 Dan Lüdtke <span dir="ltr"><<a href="mailto:mail@danrl.com" target="_blank">mail@danrl.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Nicolas,<br>
<br>
I drew your network including the allowed_ips restrictions.<br>
<span class=""><br>
> ping peer3 --peer1--->peer2 : not ok .<br>
<br>
</span>This cannot work! Peer 2 does not accept the source address from Peer 3. Please review your allowed_ips settings. Draw the things on paper, make PostIt notes representing the packets including their destination address and source address. Draw a little "firewall" on the tunnels (whitelist is allowed_ips, all the rest gets dropped!) and see if the PostIt can make it through with its source address. Yes, this sounds like child's play, but it works. I have taught complex firewalling and VPN setups to lawyers and law makers this way. It helps understanding, if a simple diagram does not cut it.<br>
<br>
Allowed IPs is probably the most complex thing WireGuard has to offer from a user perspective. Rename it to Allowed Source Addresses in your head and it becomes clearer.<br>
<br>
HTH<br>
<span class="HOEnZb"><font color="#888888"><br>
Dan<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
> On 24 Feb 2017, at 11:41, Nicolas Prochazka <<a href="mailto:nicolas.prochazka@gmail.com">nicolas.prochazka@gmail.com</a>> wrote:<br>
><br>
> hello again,<br>
> my configuration ,<br>
> ping peer 1-->peer 2 : ok ( on ipv6 wg0 )<br>
> ping peer 3 --> peer 1 : ok<br>
> ping peer3 --peer1--->peer2 : not ok .<br>
><br>
><br>
> On peer 1 , forwarding is set<br>
> net.ipv6.conf.all.forwarding = 1<br>
> net.ipv4.conf.all.forwarding = 1<br>
><br>
><br>
> Peer 1 : wg configuration<br>
><br>
> interface: wg0<br>
> public key: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDs<wbr>EjO827duAwjX4=<br>
> private key: (hidden)<br>
> listening port: 6081<br>
><br>
> peer: dOXT9AvlEt9KSl3ricE12GuVa+<wbr>U4XB0s1c92s8W+9VA=<br>
> endpoint: 52.49.x.x:6081<br>
> allowed ips: ::/0<br>
> latest handshake: 8 seconds ago<br>
> transfer: 71.29 KiB received, 60.28 KiB sent<br>
> persistent keepalive: every 25 seconds<br>
><br>
> peer: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/<wbr>WL75dasmTE/ko=<br>
> endpoint: <a href="http://10.10.0.69:6081" rel="noreferrer" target="_blank">10.10.0.69:6081</a><br>
> allowed ips: fd00::baae:edff:fe72:5094/128<br>
> latest handshake: 45 seconds ago<br>
> transfer: 5.49 KiB received, 6.36 KiB sent<br>
><br>
><br>
> Peer 3 :<br>
><br>
><br>
> interface: wg0<br>
> public key: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/<wbr>WL75dasmTE/ko=<br>
> private key: (hidden)<br>
> listening port: 6081<br>
><br>
> peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDs<wbr>EjO827duAwjX4=<br>
> endpoint: <a href="http://10.10.99.230:6081" rel="noreferrer" target="_blank">10.10.99.230:6081</a><br>
> allowed ips: ::/0<br>
> latest handshake: 33 seconds ago<br>
> transfer: 4.92 KiB received, 7.55 KiB sent<br>
> persistent keepalive: every 25 seconds<br>
><br>
><br>
> Peer 2 :<br>
><br>
> interface: wg0<br>
> public key: dOXT9AvlEt9KSl3ricE12GuVa+<wbr>U4XB0s1c92s8W+9VA=<br>
> private key: (hidden)<br>
> listening port: 6081<br>
><br>
> peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDs<wbr>EjO827duAwjX4=<br>
> endpoint: 77.156.x.x:58943<br>
> allowed ips: fd00::eea8:6bff:fef9:23bc/128<br>
> latest handshake: 1 minute, 43 seconds ago<br>
> transfer: 52.59 KiB received, 79.01 KiB sent<br>
><br>
><br>
> 2017-02-23 14:41 GMT+01:00 Dan Lüdtke <<a href="mailto:mail@danrl.com">mail@danrl.com</a>>:<br>
> Nicolas: Could you provide the configuration files? Because from your little graphic or schema I can not even derive what you are configuring. I guess there is something overlapping prefixes maybe?<br>
><br>
> Jason: I think we are approaching the point in time when there will be a -dev and a -users ML :)<br>
><br>
><br>
> > On 23 Feb 2017, at 14:03, Nicolas Prochazka <<a href="mailto:nicolas.prochazka@gmail.com">nicolas.prochazka@gmail.com</a>> wrote:<br>
> ><br>
> > Hello, i'm trying to do this with wireguard, without success :<br>
> ><br>
> > peer1 ---> peer2 : config ok , works<br>
> > peer3 ---> peer1 : config ok , works<br>
> > peer3 --->peer1 ---> peer2 : not ok .<br>
> ><br>
> > I suspect allowed-ip configuration, but all my tests do not work.<br>
> > perhaps I must create two wireguard interface on peer 1 and do forwarding/routing ?<br>
> > i'm using ipv6 as internal ip.<br>
> ><br>
> > so my question is :<br>
> > - two interface ?<br>
> > - specific magic allowedip ?<br>
> > ( allowed ip is confusing for me, it is used for routing and for evicting packets ? )<br>
> ><br>
> > Regards,<br>
> > Nicolas<br>
> > ______________________________<wbr>_________________<br>
> > WireGuard mailing list<br>
> > <a href="mailto:WireGuard@lists.zx2c4.com">WireGuard@lists.zx2c4.com</a><br>
> > <a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/<wbr>mailman/listinfo/wireguard</a><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>
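<div>Added example, not part of the original thread and not WireGuard's own code: a small Python model of the two roles of allowed ips discussed above (outbound peer selection by longest prefix, inbound source check), run over the three configurations as posted. Peer 2's tunnel address does not appear in the thread, so <code>fd00::2</code> is an assumed placeholder, and <code>FIXED</code> is one assumed correction (peer 3's address added to peer 2's allowed ips for peer 1).</div>

```python
import ipaddress

P1 = "fd00::eea8:6bff:fef9:23bc"  # peer1 wg0 address (peer2's allowed ips for peer1)
P3 = "fd00::baae:edff:fe72:5094"  # peer3 wg0 address (peer1's allowed ips for peer3)
P2 = "fd00::2"                    # ASSUMED placeholder: peer2's address is not in the thread
ADDR = {"peer1": P1, "peer2": P2, "peer3": P3}

# node -> {remote peer: [allowed ips]}, copied from the wg output in the thread
POSTED = {
    "peer1": {"peer2": ["::/0"], "peer3": [P3 + "/128"]},
    "peer2": {"peer1": [P1 + "/128"]},
    "peer3": {"peer1": ["::/0"]},
}
# Assumed correction: peer2 also accepts peer3's source address from peer1.
FIXED = {**POSTED, "peer2": {"peer1": [P1 + "/128", P3 + "/128"]}}

def lookup(node_cfg, ip):
    """Longest-prefix match of ip over every peer's allowed ips; None if no match."""
    ip = ipaddress.ip_address(ip)
    best = None
    for peer, nets in node_cfg.items():
        for net in map(ipaddress.ip_network, nets):
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, peer)
    return best[1] if best else None

def trace(cfg, src_node, dst_node):
    """Follow one packet hop by hop. Assumes each node routes the traffic into
    wg0 and intermediate nodes forward. Returns (delivered, log)."""
    src, dst = ADDR[src_node], ADDR[dst_node]
    node, log = src_node, []
    for _ in range(len(cfg)):                 # hop limit
        nxt = lookup(cfg[node], dst)          # outbound: allowed ips pick the peer
        if nxt is None:
            return False, log + [f"{node}: no peer routes {dst}"]
        # inbound: the source address must map back to the peer that sent it
        if lookup(cfg[nxt], src) != node:
            return False, log + [f"{nxt}: drop, src {src} not allowed from {node}"]
        log.append(f"{node} -> {nxt}: accepted")
        if nxt == dst_node:
            return True, log
        node = nxt
    return False, log + ["hop limit reached"]

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for a, b in (("peer3", "peer2"), ("peer2", "peer3")):
            ok, log = trace(cfg, a, b)
            print(name, a, "->", b, "delivered" if ok else "dropped", log)
```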