[ wireguard-dev ] About configuring allowedip

Dan Lüdtke mail at danrl.com
Fri Feb 24 14:10:45 CET 2017


Nicolas,

I drew your network including the allowed_ips restrictions.

> ping peer3 --peer1--->peer2 : not ok .

This cannot work! Peer 2 does not accept the source address from Peer 3. Please review your allowed_ips settings. Draw the things on paper, make Post-it notes representing the packets including their destination address and source address. Draw a little "firewall" on the tunnels (whitelist is allowed_ips, all the rest gets dropped!) and see if the Post-it can make it through with its source address. Yes, this sounds like child's play, but it works. I have taught complex firewalling and VPN setups to lawyers and lawmakers this way. It helps understanding if a simple diagram does not cut it.

Allowed IPs is probably the most complex thing WireGuard has to offer from a user perspective. Rename it to Allowed Source Addresses in your head and it becomes clearer.

HTH

Dan

> On 24 Feb 2017, at 11:41, Nicolas Prochazka <nicolas.prochazka at gmail.com> wrote:
> 
> Hello again,
> my configuration:
> ping peer 1 --> peer 2 : ok (on IPv6 wg0)
> ping peer 3 --> peer 1 : ok
> ping peer 3 --peer 1--> peer 2 : not ok.
> 
> 
> On peer 1, forwarding is set:
> net.ipv6.conf.all.forwarding = 1
> net.ipv4.conf.all.forwarding = 1
> 
> 
> Peer 1: wg configuration
> 
> interface: wg0
>   public key: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
>   private key: (hidden)
>   listening port: 6081
> 
> peer: dOXT9AvlEt9KSl3ricE12GuVa+U4XB0s1c92s8W+9VA=
>   endpoint: 52.49.x.x:6081
>   allowed ips: ::/0
>   latest handshake: 8 seconds ago
>   transfer: 71.29 KiB received, 60.28 KiB sent
>   persistent keepalive: every 25 seconds
> 
> peer: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/WL75dasmTE/ko=
>   endpoint: 10.10.0.69:6081
>   allowed ips: fd00::baae:edff:fe72:5094/128
>   latest handshake: 45 seconds ago
>   transfer: 5.49 KiB received, 6.36 KiB sent
> 
> 
> Peer 3:
> 
> 
> interface: wg0
>   public key: bqwiLTe/hr0JJMz3IvnDXqS5nOT6u/WL75dasmTE/ko=
>   private key: (hidden)
>   listening port: 6081
> 
> peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
>   endpoint: 10.10.99.230:6081
>   allowed ips: ::/0
>   latest handshake: 33 seconds ago
>   transfer: 4.92 KiB received, 7.55 KiB sent
>   persistent keepalive: every 25 seconds
> 
> 
> Peer 2:
> 
> interface: wg0
>   public key: dOXT9AvlEt9KSl3ricE12GuVa+U4XB0s1c92s8W+9VA=
>   private key: (hidden)
>   listening port: 6081
> 
> peer: q5ypTBI7bN0vPGzvlGYyF6pCqYgrDsEjO827duAwjX4=
>   endpoint: 77.156.x.x:58943
>   allowed ips: fd00::eea8:6bff:fef9:23bc/128
>   latest handshake: 1 minute, 43 seconds ago
>   transfer: 52.59 KiB received, 79.01 KiB sent
> 
> 
> 2017-02-23 14:41 GMT+01:00 Dan Lüdtke <mail at danrl.com>:
> Nicolas: Could you provide the configuration files? Because from your little graphic or schema I cannot even derive what you are configuring. I guess there are some overlapping prefixes maybe?
> 
> Jason: I think we are approaching the point in time when there will be a -dev and a -users ML :)
> 
> 
> > On 23 Feb 2017, at 14:03, Nicolas Prochazka <nicolas.prochazka at gmail.com> wrote:
> >
> > Hello, I'm trying to do this with WireGuard, without success:
> >
> > peer1 ---> peer2 : config ok, works
> > peer3 ---> peer1 : config ok, works
> > peer3 ---> peer1 ---> peer2 : not ok.
> >
> > I suspect the allowed-ip configuration, but all my tests do not work.
> > Perhaps I must create two WireGuard interfaces on peer 1 and do forwarding/routing?
> > I'm using IPv6 as internal IP.
> >
> > So my question is:
> > - two interfaces?
> > - specific magic allowedip?
> > (allowed ip is confusing for me: is it used for routing and for evicting packets?)
> >
> > Regards,
> > Nicolas
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard at lists.zx2c4.com
> > https://lists.zx2c4.com/mailman/listinfo/wireguard
> 
> 
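The rule Dan describes, applied to the three-peer layout quoted above, as an added simulation that is not part of this thread or of WireGuard itself: on the sending side a packet is encrypted to the peer whose allowed_ips contains the destination address (longest prefix wins), and on the receiving side a decrypted packet is kept only if its source address is inside the allowed_ips of the peer it came from. Peer addresses and allowed_ips are taken from the `wg` output in the thread; peer 2's own tunnel address is not shown there, so `fd00::2` is a constructed placeholder, and the `peer2_allows_peer3` flag adds one assumed fix (whitelisting peer 3's address on peer 2's entry for peer 1) so the two outcomes can be compared. Only cryptokey routing is modelled, not the kernel routing table or any firewall:

```python
"""Model of WireGuard cryptokey routing ("allowed ips") for the thread's setup.

Two rules, applied per peer entry on every node:
  outbound: encrypt to the peer whose allowed_ips contains the DESTINATION
            address (longest prefix wins);
  inbound:  keep a decrypted packet from a peer only if its SOURCE address
            is inside that peer's allowed_ips, otherwise drop it.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, ip_address, ip_network


@dataclass
class Peer:
    name: str          # label of the remote node (our own naming, not a key)
    allowed_ips: list  # list of IPv6Network


@dataclass
class Node:
    name: str
    address: IPv6Address  # the node's own address on wg0
    peers: list           # list of Peer

    def route(self, dst):
        """Outbound: the peer whose allowed_ips best matches dst, or None."""
        best_peer, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best_peer, best_len = peer, net.prefixlen
        return best_peer

    def peer_named(self, name):
        return next((p for p in self.peers if p.name == name), None)

    @staticmethod
    def accepts(peer, src):
        """Inbound: src must fall inside the sending peer's allowed_ips."""
        return any(src in net for net in peer.allowed_ips)


def send(net, origin, src, dst, forwarding, max_hops=8):
    """Trace one packet hop by hop; returns (delivered, trace)."""
    trace, node = [], net[origin]
    for _ in range(max_hops):
        if dst == node.address:
            trace.append(f"{node.name}: delivered locally")
            return True, trace
        if node.name != origin and node.name not in forwarding:
            trace.append(f"{node.name}: not for us and forwarding disabled -> dropped")
            return False, trace
        peer = node.route(dst)
        if peer is None:
            trace.append(f"{node.name}: no peer lists {dst} in allowed ips -> no route")
            return False, trace
        trace.append(f"{node.name}: dst {dst} matches peer {peer.name} -> send")
        nxt = net[peer.name]
        back = nxt.peer_named(node.name)  # receiver's entry for the sender
        if back is None or not Node.accepts(back, src):
            trace.append(f"{nxt.name}: src {src} not allowed from {node.name} -> dropped")
            return False, trace
        trace.append(f"{nxt.name}: src {src} allowed from {node.name}")
        node = nxt
    trace.append("hop limit reached")
    return False, trace


def ping(net, a, b, forwarding):
    """A ping succeeds only if the echo request AND the echo reply get through."""
    ok_req, t_req = send(net, a, net[a].address, net[b].address, forwarding)
    if not ok_req:
        return False, t_req + ["no reply sent"]
    ok_rep, t_rep = send(net, b, net[b].address, net[a].address, forwarding)
    return ok_req and ok_rep, t_req + t_rep


# Addresses from the thread's `wg` output; peer 2's own address is not shown
# there, so PEER2_ADDR is a constructed placeholder.
PEER1_ADDR = ip_address("fd00::eea8:6bff:fef9:23bc")
PEER3_ADDR = ip_address("fd00::baae:edff:fe72:5094")
PEER2_ADDR = ip_address("fd00::2")
FORWARDING = {"peer1"}  # net.ipv6.conf.all.forwarding = 1 on peer 1 only


def build(peer2_allows_peer3):
    """The three-node setup from the thread; the flag adds the assumed fix."""
    peer2_from_peer1 = [ip_network("fd00::eea8:6bff:fef9:23bc/128")]
    if peer2_allows_peer3:
        # Assumed fix: peer 2 whitelists peer 3's source address on its
        # peer-1 entry, so packets forwarded by peer 1 are no longer dropped.
        peer2_from_peer1.append(ip_network("fd00::baae:edff:fe72:5094/128"))
    return {
        "peer1": Node("peer1", PEER1_ADDR, [
            Peer("peer2", [ip_network("::/0")]),
            Peer("peer3", [ip_network("fd00::baae:edff:fe72:5094/128")]),
        ]),
        "peer2": Node("peer2", PEER2_ADDR, [Peer("peer1", peer2_from_peer1)]),
        "peer3": Node("peer3", PEER3_ADDR, [Peer("peer1", [ip_network("::/0")])]),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        net = build(fixed)
        for a, b in (("peer1", "peer2"), ("peer3", "peer1"), ("peer3", "peer2")):
            ok, trace = ping(net, a, b, FORWARDING)
            print(f"[fix={fixed}] {a} -> {b}: {'ok' if ok else 'not ok'}")
            for line in trace:
                print("   ", line)
```

Run as-is, the unfixed network reproduces the thread exactly: peer 1 to peer 2 and peer 3 to peer 1 both succeed, and peer 3 to peer 2 dies at peer 2 with "src fd00::baae:edff:fe72:5094 not allowed from peer1". With the flag set, the same packet is accepted and the reply finds its way back through peer 1 because peer 2's entry for peer 1 now also covers peer 3's address for the outbound lookup. In a real deployment the kernel routing table on peer 1 must also point peer 3's prefix at wg0 (wg-quick does that from allowed_ips), which this model does not cover.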
