Early Feedback on Container Networking, Resilience, Json Config and AcceptedIPs

raul raulbe at gmail.com
Mon Jul 10 17:14:56 CEST 2017


Hi Jason,


So: things won't be too big of a pain, and at some point, there won't be
> any possibility of pains.
>


Great to hear that!


What precisely are you doing that you think might be easier with JSON?



I did look at wg-json. I was wondering more about /etc/wireguard/*.conf and
the possibility of using json config there. I am trying to parse wgX.conf
so that we can quickly add and remove peers and subnets. Currently I am
dumping it into a python dict keyed with the pubkeys


In this sense, on outgoing, it's sort of like a routing table. on incoming,
> it's sort of like an IP access control list.



 That's a pretty succinct way of putting it. It does sounds simple put that
way.


You don't have to run WireGuard in a star topology. You can do full mesh
> if you want, or whatever other topology. One interface can have multiple
> peers, so you can connect things together any which way you like.
>


As Jonathan mentioned he is running a mesh. And it does open up
possibilities in terms of access control that I haven't fully considered.
But how do we scale a mesh? For a number of hosts lets say 20+ with 20
container subnets or more to share, one would imagine managing a peer to
peer configuration as the network scales up and down can become a chore.

A client server with let's say a /16 shared may be more feasible, as then
all the client's acceptedIPs can be the single /16 subnet, while the
individual client subnets are added to the server for routing as they are
added. I will think about this some more.

Once again this is really impressive and valuable.

Thanks!
Raul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20170710/6cfab6f4/attachment.html>


More information about the WireGuard mailing list