<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">wg inside gre inside tcp?<br><br><div id="AppleMailSignature"><span style="font-size: 13pt;">Thomas J Munn</span><br><div><div><br></div></div></div><div><br>On Mar 10, 2018, at 06:00, <a href="mailto:wireguard-request@lists.zx2c4.com">wireguard-request@lists.zx2c4.com</a> wrote:<br><br></div><blockquote type="cite"><div><span>Send WireGuard mailing list submissions to</span><br><span> <a href="mailto:wireguard@lists.zx2c4.com">wireguard@lists.zx2c4.com</a></span><br><span></span><br><span>To subscribe or unsubscribe via the World Wide Web, visit</span><br><span> <a href="https://lists.zx2c4.com/mailman/listinfo/wireguard">https://lists.zx2c4.com/mailman/listinfo/wireguard</a></span><br><span>or, via email, send a message with subject or body 'help' to</span><br><span> <a href="mailto:wireguard-request@lists.zx2c4.com">wireguard-request@lists.zx2c4.com</a></span><br><span></span><br><span>You can reach the person managing the list at</span><br><span> <a href="mailto:wireguard-owner@lists.zx2c4.com">wireguard-owner@lists.zx2c4.com</a></span><br><span></span><br><span>When replying, please edit your Subject line so it is more specific</span><br><span>than "Re: Contents of WireGuard digest..."</span><br><span></span><br><span></span><br><span>Today's Topics:</span><br><span></span><br><span> 1. Re: Another roaming problem (Toke Høiland-Jørgensen)</span><br><span> 2. TCP Wireguard with socat (Gianluca Gabrielli)</span><br><span> 3. Policy-based routing (Bruno)</span><br><span> 4. Re: Policy-based routing (Matthias Urlichs)</span><br><span> 5. 
Re: TCP Wireguard with socat (Matthias Urlichs)</span><br><span></span><br><span></span><br><span>----------------------------------------------------------------------</span><br><span></span><br><span>Message: 1</span><br><span>Date: Fri, 09 Mar 2018 15:53:27 +0100</span><br><span>From: Toke Høiland-Jørgensen <<a href="mailto:toke@toke.dk">toke@toke.dk</a>></span><br><span>To: "Jason A. Donenfeld" <<a href="mailto:Jason@zx2c4.com">Jason@zx2c4.com</a>></span><br><span>Cc: WireGuard mailing list <<a href="mailto:wireguard@lists.zx2c4.com">wireguard@lists.zx2c4.com</a>></span><br><span>Subject: Re: Another roaming problem</span><br><span>Message-ID: <<a href="mailto:878tb1jo60.fsf@toke.dk">878tb1jo60.fsf@toke.dk</a>></span><br><span>Content-Type: text/plain</span><br><span></span><br><span>"Jason A. Donenfeld" <<a href="mailto:Jason@zx2c4.com">Jason@zx2c4.com</a>> writes:</span><br><span></span><br><blockquote type="cite"><span>Neat script, looks pretty easy to use. The wg repo has a kprobes</span><br></blockquote><blockquote type="cite"><span>script too for extracting ephemeral keys from the kernel:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span><a href="https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes">https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes</a></span><br></blockquote><span></span><br><span>Neat! 
Brave new world of debugging ;)</span><br><span></span><br><span>/me goes to write some more printk's</span><br><span></span><br><span></span><br><span>-Toke</span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 2</span><br><span>Date: Fri, 09 Mar 2018 11:41:45 -0500</span><br><span>From: Gianluca Gabrielli <<a href="mailto:tuxmealux@protonmail.com">tuxmealux@protonmail.com</a>></span><br><span>To: "<a href="mailto:wireguard@lists.zx2c4.com">wireguard@lists.zx2c4.com</a>" <<a href="mailto:wireguard@lists.zx2c4.com">wireguard@lists.zx2c4.com</a>></span><br><span>Subject: TCP Wireguard with socat</span><br><span>Message-ID:</span><br><span> <<a href="mailto:utLzzyzPJsv-W3vVhU4Sdchg_5A07v9qCxR1DeJ5Wu7RzJHcje1cCEjtEWi4j0aCN05ozn9b4VYJQsLovvl6TGPp-kbZ_5kfpReEJHQQXGk=@protonmail.com">utLzzyzPJsv-W3vVhU4Sdchg_5A07v9qCxR1DeJ5Wu7RzJHcje1cCEjtEWi4j0aCN05ozn9b4VYJQsLovvl6TGPp-kbZ_5kfpReEJHQQXGk=@protonmail.com</a>></span><br><span> </span><br><span>Content-Type: text/plain; charset=UTF-8</span><br><span></span><br><span>Hi everybody,</span><br><span></span><br><span>I've been a happy wireguard user for a while, but right now I need to link two peers and I can only use TCP. 
I know that there are thousands of other tools I can use, but I'd like to do it using wireguard.</span><br><span>My first thought has been to make use of socat, since in some newer version a new address type called INTERFACE has been added (<a href="http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES">http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES</a>), so I tried to use it but I've not been able to make it work.</span><br><span>This is why I'm here asking for your feedback, or to collect other ideas to let wireguard work through a TCP tunnel.</span><br><span></span><br><span>I wrote all the notes about the tests I made in a pdf. I know that this is not the best way to share my results with you, and I should write it here once again in plaintext. But for me it would be a waste of time to do it again, and it also would be less comprehensible.</span><br><span>I uploaded the pdf online instead of attaching it to this email, so nobody needs to open it on their personal laptop, but it can be viewed via any browser. I personally hate opening unknown files on my computer. 
The pdf can be viewed from the following link:</span><br><span><a href="https://drive.google.com/open?id=1KrLvU1D0K4YpRHi-jsIjbExh0lFTRQks">https://drive.google.com/open?id=1KrLvU1D0K4YpRHi-jsIjbExh0lFTRQks</a></span><br><span></span><br><span>I would really appreciate any constructive feedback or suggestions on how to easily use wireguard with TCP.</span><br><span></span><br><span>Thanks,</span><br><span>Gianluca</span><br><span></span><br><span></span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 3</span><br><span>Date: Fri, 9 Mar 2018 16:38:35 -0300</span><br><span>From: Bruno <<a href="mailto:bruno@streamfeed.com">bruno@streamfeed.com</a>></span><br><span>To: <a href="mailto:wireguard@lists.zx2c4.com">wireguard@lists.zx2c4.com</a></span><br><span>Subject: Policy-based routing</span><br><span>Message-ID: <<a href="mailto:a81edfe2-2a49-c49a-ea7c-65e60639ecfe@streamfeed.com">a81edfe2-2a49-c49a-ea7c-65e60639ecfe@streamfeed.com</a>></span><br><span>Content-Type: text/plain; charset=utf-8; format=flowed</span><br><span></span><br><span>Hello,</span><br><span></span><br><span>I'm trying to set up policy-based routing on a wireguard instance. I </span><br><span>didn't want to call it a server, because it acts more like a proxy.</span><br><span></span><br><span>Let's say I have 6 peers plus this wireguard server.</span><br><span></span><br><span>Peer 2  Peer 3   Peer 4</span><br><span>  \/       \/       \/</span><br><span>______________________</span><br><span>|                     |</span><br><span>| Wireguard "server"  |</span><br><span>|                     |</span><br><span>|_____________________|</span><br><span>  \/       \/       \/</span><br><span>Peer 5  Peer 6   
Peer 7</span><br><span></span><br><span>Wireguard "server"</span><br><span>Address = 10.0.0.1/24</span><br><span></span><br><span>Peers 2-7</span><br><span>Address = 10.0.0.2-7/24, respectively.</span><br><span></span><br><span>So, what I'm trying to do is route traffic to Peer 7, for example, if it </span><br><span>is coming from Peer 2. I can do it with some `ip rule` and `ip route` </span><br><span>commands. However, wireguard seems to be blocking that traffic. So, I </span><br><span>want peers 5-7 to act as gateways to the internet, and I would choose it via </span><br><span>the Linux environment.</span><br><span></span><br><span>Peers 5-7 would be wireguard servers that would route all traffic to the </span><br><span>internet. So, on the wireguard instance (10.0.0.1/24, "server"), I have </span><br><span>to set allowed IPs to peers 5-7 as "0.0.0.0/0", correct? Does wireguard </span><br><span>accept that? In my tests it would just pick one peer to have allowed IPs </span><br><span>0.0.0.0/0 and set the others to (none). 
Then, I couldn't get traffic </span><br><span>either from or to those other peers.</span><br><span></span><br><span>On the wireguard "server" I would set allowed-IPs to peers 2-4 as </span><br><span>10.0.0.2/32-10.0.0.4/32 as I don't need traffic going through them, just </span><br><span>coming from them.</span><br><span></span><br><span>Is it possible to achieve that with wireguard?</span><br><span></span><br><span>Thanks!</span><br><span></span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 4</span><br><span>Date: Fri, 9 Mar 2018 22:35:00 +0100</span><br><span>From: Matthias Urlichs <<a href="mailto:matthias@urlichs.de">matthias@urlichs.de</a>></span><br><span>To: <a href="mailto:wireguard@lists.zx2c4.com">wireguard@lists.zx2c4.com</a></span><br><span>Subject: Re: Policy-based routing</span><br><span>Message-ID: <<a href="mailto:9181ac49-897b-8412-84e9-1505cc261913@urlichs.de">9181ac49-897b-8412-84e9-1505cc261913@urlichs.de</a>></span><br><span>Content-Type: text/plain; charset=utf-8</span><br><span></span><br><span>Hi,</span><br><blockquote type="cite"><span>Is it possible to achieve that with wireguard? 
</span><br></blockquote><span></span><br><span>You need to set up multiple wireguard interfaces (on different ports of</span><br><span>course).</span><br><span></span><br><span>Then you can use traditional Linux routing techniques.</span><br><span></span><br><span>-- </span><br><span>-- Matthias Urlichs</span><br><span></span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 5</span><br><span>Date: Fri, 9 Mar 2018 22:45:32 +0100</span><br><span>From: Matthias Urlichs <<a href="mailto:matthias@urlichs.de">matthias@urlichs.de</a>></span><br><span>To: <a href="mailto:wireguard@lists.zx2c4.com">wireguard@lists.zx2c4.com</a></span><br><span>Subject: Re: TCP Wireguard with socat</span><br><span>Message-ID: <<a href="mailto:e0bff705-f328-0071-0fb7-0367d36f0074@urlichs.de">e0bff705-f328-0071-0fb7-0367d36f0074@urlichs.de</a>></span><br><span>Content-Type: text/plain; charset=utf-8</span><br><span></span><br><span>On 09.03.2018 17:41, Gianluca Gabrielli wrote:</span><br><blockquote type="cite"><span>My first thought has been to make use of socat</span><br></blockquote><span></span><br><span>socat can do either packet streams or byte streams. A UDP socket (or a</span><br><span>tun/tap interface) is a packet stream. TCP is a byte stream. You can't</span><br><span>forward a packet stream into a byte stream. (Well, OK, socat does allow</span><br><span>you to set that up, but it won't work.)</span><br><span></span><br><span>You need to wrap your packets in some sort of frame (simplest: precede each</span><br><span>with a length word (but think about byte ordering)). I'm sure there are</span><br><span>programs which do that, or you can write your own. 
socat can't do it.</span><br><span></span><br><span>-- </span><br><span>-- Matthias Urlichs</span><br><span></span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Subject: Digest Footer</span><br><span></span><br><span>_______________________________________________</span><br><span>WireGuard mailing list</span><br><span><a href="mailto:WireGuard@lists.zx2c4.com">WireGuard@lists.zx2c4.com</a></span><br><span><a href="https://lists.zx2c4.com/mailman/listinfo/wireguard">https://lists.zx2c4.com/mailman/listinfo/wireguard</a></span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>End of WireGuard Digest, Vol 24, Issue 14</span><br><span>*****************************************</span><br></div></blockquote></body></html>