Ability to enable catch all allowed-ips on all peers

Jason A. Donenfeld Jason at zx2c4.com
Thu May 11 12:40:06 CEST 2017


Hi Damian,

At the moment, you can't give multiple peers the same allowed-ips.
There has been some interesting discussion about doing this to support
broadcast messages -- zing a single message out to several peers
having the same matching allowed-ips entry -- but this is different
than the use case you speak of.

I'm not sure I totally understood what you meant in your description
of your multihomed setup. Could you describe in a bit more detail? The
guarantee of WireGuard is that it gives you a strong binding between a
particular IP address (or several IP addresses) and a particular
public key. Wikipedia has a nice diagram for this --
https://en.wikipedia.org/wiki/Surjective_function#/media/File:Surjection.svg
-- with IP addresses being the Xs on the left and public keys being
the Ys on the right. (I should probably make a similar diagram on the
documentation to describe this concept better.) If you're trying to
set up a network such that this binding is problematic, then in all
likelihood, your design has authenticity/spoofing problems. So maybe
you can describe more generally what you're going for, and then we can
try to see how WireGuard fits into this? It's always interesting to
hear about different network setups, anyhow.

Jason
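
An added illustration of the binding described in this message (not part of the original e-mail and not WireGuard's code): a toy Python model in which each allowed-ips prefix maps to exactly one public key, used both to pick the outbound peer and to reject inbound packets whose inner source address belongs to a different key. The class name, the `KEY_A`/`KEY_B` placeholders, the sample addresses and the choice to raise an error on a duplicate prefix are assumptions of this sketch.

```python
import ipaddress

class CryptokeyTable:
    """Toy model of an allowed-ips table: every prefix is bound to exactly one public key."""

    def __init__(self):
        self._routes = {}  # ip_network -> public key (a function, never one-to-many)

    def add(self, pubkey, cidr):
        net = ipaddress.ip_network(cidr)
        owner = self._routes.get(net)
        if owner not in (None, pubkey):
            # Assumption of this model: refuse the duplicate outright so the
            # invariant "one prefix, one key" is visible.
            raise ValueError(f"{net} is already bound to {owner}")
        self._routes[net] = pubkey

    def lookup(self, addr):
        """Longest-prefix match: the one key an address is bound to, or None."""
        ip = ipaddress.ip_address(addr)
        hits = [n for n in self._routes if n.version == ip.version and ip in n]
        return self._routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def accept_inbound(self, sender_pubkey, inner_src):
        """An authenticated packet is kept only if its inner source address
        is bound to the key that actually sent it."""
        return self.lookup(inner_src) == sender_pubkey


def demo():
    # Constructed sample peers and addresses (placeholders, not real keys).
    table = CryptokeyTable()
    table.add("KEY_A", "0.0.0.0/0")      # catch-all on peer A
    table.add("KEY_B", "10.0.0.3/32")    # one host on peer B
    try:
        table.add("KEY_B", "0.0.0.0/0")  # second catch-all: rejected
        duplicate_allowed = True
    except ValueError:
        duplicate_allowed = False
    return {
        "duplicate_allowed": duplicate_allowed,
        "route_192.0.2.1": table.lookup("192.0.2.1"),
        "route_10.0.0.3": table.lookup("10.0.0.3"),
        "B_as_10.0.0.3": table.accept_inbound("KEY_B", "10.0.0.3"),
        "B_as_192.0.2.1": table.accept_inbound("KEY_B", "192.0.2.1"),
    }

if __name__ == "__main__":
    print(demo())
```

If both peers could hold the catch-all, the last check could no longer tell which key is entitled to source 192.0.2.1, which is the spoofing problem the message refers to.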

