Another allowed-ips question
rcwhelan at gmail.com
Tue Dec 5 15:05:14 CET 2017
On Wed, Nov 22, 2017 at 6:51 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi Ryan,
> Sorry for the delayed response. The high volume and churn of
> development recently has gotten me a bit behind on the mail queue and
> rather confused.
> You wrote:
> > what i'm struggling with is if they are unable to communicate directly
> and build routes to one another via an intermediary router (which is also
> connected to each 'client' via wireguard).
> If I understood you correctly, you're looking at this situation: Peer
> A connects to Peer S. Peer B connects to Peer S. A wants to talk to B,
> through S. In this case, the allowed-ips of S on A lists B's internal
> IP, and the allowed-ips of S on B lists A's internal IP address. In
> other words, you have A/B state that "I trust S to send me the traffic
> of B/A."
> Does this answer your question?
Sorry for my latent reply- I was traveling all last week and have been
doing a bad job keeping up on my email
I think you understand the setup, mostly. The missing piece is that A and
B need to connect directly to one another as well. (Its kind of like a
triangle). The idea is that the link between A and B is 'primary' but if
they are unable to communicate with one another directly, they will 'fall
back' to using the 'Server' (S). A and B will both likely be behind NATs,
so is likely that at some point they will both be behind symmetric-nats and
be unable to communicate directly, needing the fallback route provided by
That said, i think i have a working setup. there are 2 interfaces
created. one called 'server0' and one called 'direct0'. On the server
interface there is a single peer with an allowed-ips of fc00::/7 and on the
direct interface, there is a peer for each of the other devices we want to
connect to directly. Each peer on the direct interface has an allowed-ips
that matches the addr of the corresponding peer. (/128).
That provides 2 routes between peers- route selection is just matter of
picking an interface. Hopefully something that will be done via a routing
Hopefully the above makes sense. I think i have a screenshot that will
paint a clearer picture if needed. (not sure if i can paste pictures into
the mailing list)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the WireGuard