[WireGuard] Troubleshooting with WireGuard
baptiste at bitsofnetworks.org
Wed Jul 13 18:57:45 CEST 2016
On Wed, Jul 13, 2016 at 08:36:33AM -0400, Alex Xu wrote:
> On Wed, 13 Jul 2016 10:28:17 +0200
> "Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> > TunnelIPs ?
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard at lists.zx2c4.com
> > http://lists.zx2c4.com/mailman/listinfo/wireguard
> I vote for ReceiveSubnets. I also support PeerSubnets. "CIDR" is also
> not too complex because you must know what CIDR is to set the option
> properly anyways.
> IMO the use of the term "VPN" should be avoided to cases where an
> actual private network is being used. Here, it is simply referring to
> the subnets on the other side.
Right, please mentally replace "VPN" by "Tunnel" in the propositions then.
> I also considered "RemoteSubnets", but that would seem to imply that
> that also affects the subnets that are *sent* in the wg tunnel, which
> AIUI is actually controlled by routing tables.
Actually, it does! This dual usage brings more confusion. Despite the
name, "AllowedIPs" controls both:
1) packets that are *received* from a peer (by looking at the source IP
address after decrypting an incoming packet, and only allowing the
packet if it matches an AllowedIPs rule for this peer)
2) packets that are *sent* through a wireguard interface, where the right
peer is found by looking for a matching AllowedIPs entry (using the
destination IP address of the packet, this time). That's the
"cryptokey routing" part.
So, the name should reflect this dual usage, which is difficult.
> For the record as well, the SWAN family of IPsec implementations calls
> a similar configuration option "rightsubnet", which is not terrible
> but applies poorly in this case, since (AIUI) that one actually
> configures the xfrm tables.
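The two lookups described in the reply above (accept a decrypted packet only if its source address belongs to the peer it came from; pick the peer for an outgoing packet by its destination address), modelled as an added example. This is not code from the WireGuard project or from anyone in this thread; the peer names and CIDR blocks are constructed for illustration. The model also carries two details the mail does not spell out but which match WireGuard's allowed-IPs table: lookups are longest-prefix matches, and a prefix belongs to exactly one peer at a time, so assigning it to another peer takes it away from the first.

```python
import ipaddress

# Constructed sample configuration (not from the thread): three peers and the
# AllowedIPs each would carry in a wg(8) configuration.
SAMPLE_PEERS = {
    "laptop": ["10.0.0.2/32"],
    "office": ["10.0.1.0/24", "192.168.50.0/24"],
    "exit":   ["0.0.0.0/0"],
}


class CryptokeyRoutingTable:
    """Model of the AllowedIPs table: each prefix maps to exactly one peer."""

    def __init__(self):
        self._entries = []  # list of (ip_network, peer_name)

    def add_peer(self, peer, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # Assigning a prefix to a peer removes it from any peer that
            # previously held the same prefix (WireGuard behaviour).
            self._entries = [(n, p) for n, p in self._entries if n != net]
            self._entries.append((net, peer))

    def lookup(self, addr):
        """Longest-prefix match of an address against the table, or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, peer in self._entries:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def peer_for_outgoing(self, dst_ip):
        # Direction 2 in the mail: a packet enters the wg interface and the
        # peer is chosen by the packet's destination address.
        return self.lookup(dst_ip)

    def accept_incoming(self, peer, src_ip):
        # Direction 1 in the mail: the packet was decrypted from `peer`; keep
        # it only if its inner source address maps back to that same peer.
        return self.lookup(src_ip) == peer


def build_sample_table():
    table = CryptokeyRoutingTable()
    for peer, cidrs in SAMPLE_PEERS.items():
        table.add_peer(peer, cidrs)
    return table


def trace(table, outgoing, incoming):
    """Render decisions for a list of destinations and (peer, source) pairs."""
    lines = []
    for dst in outgoing:
        lines.append(f"send to {dst}: peer={table.peer_for_outgoing(dst)}")
    for peer, src in incoming:
        verdict = "accept" if table.accept_incoming(peer, src) else "drop"
        lines.append(f"recv from {peer} src={src}: {verdict}")
    return lines


if __name__ == "__main__":
    t = build_sample_table()
    sends = ["10.0.1.7", "10.0.0.2", "8.8.8.8", "2001:db8::1"]
    recvs = [("office", "192.168.50.9"),  # legitimate
             ("laptop", "10.0.1.7"),      # laptop spoofing an office address
             ("exit", "10.0.1.7")]        # 0.0.0.0/0 does not win over /24
    for line in trace(t, sends, recvs):
        print(line)
```

The third receive case is the one worth noticing: even though the "exit" peer carries 0.0.0.0/0, a packet from it claiming an office source address is dropped, because the more specific /24 owns that address. The same table answers both questions, which is exactly why a name describing only one direction misleads.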