[WireGuard] Troubleshooting with WireGuard

Baptiste Jonglez baptiste at bitsofnetworks.org
Wed Jul 13 18:57:45 CEST 2016


On Wed, Jul 13, 2016 at 08:36:33AM -0400, Alex Xu wrote:
> On Wed, 13 Jul 2016 10:28:17 +0200
> "Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> 
> > TunnelIPs ?
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard at lists.zx2c4.com
> > http://lists.zx2c4.com/mailman/listinfo/wireguard
> 
> I vote for ReceiveSubnets. I also support PeerSubnets. "CIDR" is also
> not too complex because you must know what CIDR is to set the option
> properly anyways.
> 
> IMO the use of the term "VPN" should be avoided to cases where an
> actual private network is being used. Here, it is simply referring to
> the subnets on the other side.

Right, please mentally replace "VPN" by "Tunnel" in the propositions then.

> I also considered "RemoteSubnets", but that would seem to imply that
> that also affects the subnets that are *sent* in the wg tunnel, which
> AIUI is actually controlled by routing tables.

Actually, it does!  This dual usage brings more confusion.  Despite the
name, "AllowedIPs" controls both:

1) packets that are *received* from a peer (by looking at the source IP
   address after decrypting an incoming packet, and only allowing the
   packet if it matches an AllowedIPs rule for this peer)

2) packets that are *sent* through a wireguard interface, where the right
   peer is found by looking for a matching AllowedIPs entry (using the
   destination IP address of the packet, this time).  That's the
   "cryptokey routing" part.

So, the name should reflect this dual usage, which is difficult.

> For the record as well, the SWAN family of IPsec implementations calls
> a similar configuration option "rightsubnet", which is not terrible
> but applies poorly in this case, since (AIUI) that one actually
> configures the xfrm tables.


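Added example, not part of the original message and not WireGuard's own code: a small Python model of the dual role of AllowedIPs described in points 1) and 2) above, where one table both selects the peer for outgoing packets and filters the source address of incoming ones. The peer names and prefixes are constructed, and the model assumes overlapping entries are resolved by longest-prefix match.

```python
import ipaddress

# Constructed sample configuration (peer names and prefixes are illustrative).
PEERS = {
    "peer-A": ["10.0.0.2/32", "192.168.10.0/24"],
    "peer-B": ["10.0.0.3/32", "192.168.0.0/16"],
}

def build_table(peers):
    """Flatten the per-peer AllowedIPs lists into (network, peer) entries."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in peers.items() for cidr in cidrs]

def lookup(table, addr):
    """Longest-prefix match of addr over all AllowedIPs; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, peer) for net, peer in table
               if ip.version == net.version and ip in net]
    return max(matches)[1] if matches else None

def route_outgoing(table, dst):
    """Sending: the destination IP picks the peer (the "cryptokey routing" part).
    None means no peer owns this destination, so the packet cannot be sent."""
    return lookup(table, dst)

def accept_incoming(table, from_peer, inner_src):
    """Receiving: after decryption, the inner source IP must map back to the
    same peer whose key decrypted the packet; otherwise the packet is dropped."""
    return lookup(table, inner_src) == from_peer

TABLE = build_table(PEERS)

if __name__ == "__main__":
    for dst in ("192.168.10.7", "192.168.20.7", "203.0.113.9"):
        print("send to", dst, "->", route_outgoing(TABLE, dst))
    for peer, src in (("peer-B", "192.168.20.7"), ("peer-B", "192.168.10.7")):
        print("recv from", peer, "src", src, "->",
              accept_incoming(TABLE, peer, src))
```

In this model peer-B cannot inject traffic with a source inside 192.168.10.0/24, because the more specific entry assigns that range to peer-A in both directions.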