Another allowed-ips question

Ryan Whelan rcwhelan at gmail.com
Tue Dec 5 15:05:14 CET 2017


On Wed, Nov 22, 2017 at 6:51 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> Hi Ryan,
>
> Sorry for the delayed response. The high volume and churn of
> development recently has gotten me a bit behind on the mail queue and
> rather confused.
>
> You wrote:
> >  what i'm struggling with is if they are unable to communicate directly
> and build routes to one another via an intermediary router (which is also
> connected to each 'client' via wireguard).
>
> If I understood you correctly, you're looking at this situation: Peer
> A connects to Peer S. Peer B connects to Peer S. A wants to talk to B,
> through S. In this case, the allowed-ips of S on A lists B's internal
> IP, and the allowed-ips of S on B lists A's internal IP address. In
> other words, you have A/B state that "I trust S to send me the traffic
> of B/A."
>
> Does this answer your question?
>
> Regards,
> Jason
>

Sorry for my latent reply. I was traveling all last week and have been
doing a bad job keeping up on my email.

I think you understand the setup, mostly. The missing piece is that A and
B need to connect directly to one another as well. (It's kind of like a
triangle.) The idea is that the link between A and B is 'primary', but if
they are unable to communicate with one another directly, they will 'fall
back' to using the 'Server' (S). A and B will both likely be behind NATs,
so it is likely that at some point they will both be behind symmetric NATs and
be unable to communicate directly, needing the fallback route provided by
the server.

That said, I think I have a working setup. There are 2 interfaces
created: one called 'server0' and one called 'direct0'. On the server
interface there is a single peer with an allowed-ips of fc00::/7, and on the
direct interface there is a peer for each of the other devices we want to
connect to directly. Each peer on the direct interface has an allowed-ips
that matches the address of the corresponding peer (/128).

That provides 2 routes between peers; route selection is just a matter of
picking an interface. Hopefully something that will be done via a routing
daemon.

Hopefully the above makes sense. I think I have a screenshot that will
paint a clearer picture if needed. (Not sure if I can paste pictures into
the mailing list.)

ryan
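To make the allowed-ips semantics behind both setups in this thread concrete (Jason's single-interface relay, where S's allowed-ips on A carries B's address, and Ryan's two-interface server0/direct0 layout), here is an added model of WireGuard's cryptokey routing. It is illustration code written for this page, not code from the WireGuard project or from either poster. The ULA addresses fd00::a/b/c/5, the peer names A/B/C/S and the route tables are constructed assumptions; the rules modelled are WireGuard's documented ones: outbound packets pick the peer whose allowed-ips is the longest prefix matching the destination, inbound decrypted packets are dropped unless their source lies in the sending peer's allowed-ips, and which interface a packet reaches at all is decided by the host routing table.

```python
"""
Model of WireGuard cryptokey routing (allowed-ips) for the relay/fallback
layouts discussed in the thread.  Added illustration, not WireGuard code;
every address, peer name and route below is a constructed example.
"""
import ipaddress

# Constructed ULA addresses inside fc00::/7.
ADDR_A = ipaddress.ip_address("fd00::a")
ADDR_B = ipaddress.ip_address("fd00::b")
ADDR_C = ipaddress.ip_address("fd00::c")
ADDR_S = ipaddress.ip_address("fd00::5")

# Host A's interfaces: {interface: {peer: [allowed-ips]}}.
#   server0: one peer (S) with allowed-ips fc00::/7, i.e. "I trust S to relay
#            any ULA traffic to me, and I send any unrouted ULA traffic to S".
#   direct0: one peer per device, each limited to its own /128.
INTERFACES = {
    "server0": {"S": [ipaddress.ip_network("fc00::/7")]},
    "direct0": {
        "B": [ipaddress.ip_network("fd00::b/128")],
        "C": [ipaddress.ip_network("fd00::c/128")],
    },
}


def select_peer(iface, dst):
    """Outbound on one interface: longest allowed-ips prefix containing dst
    selects the peer; None means WireGuard would drop the packet."""
    best, best_len = None, -1
    for peer, nets in INTERFACES[iface].items():
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(iface, peer, src):
    """Inbound: a decrypted packet from `peer` is accepted only if its source
    address is inside that peer's allowed-ips (this is the anti-spoofing check)."""
    return any(src in net for net in INTERFACES[iface][peer])


def choose_interface(routes, dst):
    """Host routing table lookup: longest matching prefix wins.
    routes is a list of (network, interface) tuples."""
    best, best_len = None, -1
    for net, iface in routes:
        if dst in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def path_to(routes, dst):
    """Full outbound decision on A: which interface, then which peer on it."""
    iface = choose_interface(routes, dst)
    if iface is None:
        return None
    peer = select_peer(iface, dst)
    return None if peer is None else (iface, peer)


# Primary state: /128 routes via direct0 win over the fc00::/7 route via server0.
PRIMARY_ROUTES = [
    (ipaddress.ip_network("fd00::b/128"), "direct0"),
    (ipaddress.ip_network("fd00::c/128"), "direct0"),
    (ipaddress.ip_network("fc00::/7"), "server0"),
]

# Fallback state: a routing daemon has withdrawn the direct route to B
# (e.g. the direct tunnel is dead behind symmetric NAT), so B's traffic
# falls through to the /7 route and is relayed by S.
FALLBACK_ROUTES = [
    r for r in PRIMARY_ROUTES if r[0] != ipaddress.ip_network("fd00::b/128")
]

if __name__ == "__main__":
    print("primary  ->", path_to(PRIMARY_ROUTES, ADDR_B))    # ('direct0', 'B')
    print("fallback ->", path_to(FALLBACK_ROUTES, ADDR_B))   # ('server0', 'S')
    print("B spoofing C on direct0 accepted?",
          accept_inbound("direct0", "B", ADDR_C))            # False
    print("S relaying B's traffic on server0 accepted?",
          accept_inbound("server0", "S", ADDR_B))            # True
```

Two things the model makes visible: the fallback is purely a routing-table decision (the allowed-ips on both interfaces never change), and the inbound check is where the trust statement lives. On direct0 a peer can only ever deliver packets carrying its own /128 source, so a compromised direct peer cannot inject traffic as another node; on server0 the fc00::/7 entry is exactly the "I trust S to send me the traffic of B" statement from Jason's reply, so S is trusted for the whole ULA range.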