wg-ip, a tool to assign automatic ip addresses to wireguard interfaces

Christophe-Marie Duquesne chmd at chmd.fr
Tue Apr 10 14:32:31 CEST 2018


Hi,

In an old thread [1], danrl suggested deriving node addresses from the
peer public keys. I liked this idea, so I wrote a tool to do it. It
works like this:

generate an ipv6 address from the default ipv6 subnet of the script
(fd1a:6126:2887::/48):
wg-ip -6 gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=
fd1a:6126:2887:17a1:2793:518a:7886:e8a4

generate an ipv4 address from the default ipv4 subnet of the script
(10.0.0.0/8):
wg-ip -4 gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=
10.0.37.175

generate an ip address from a custom subnet (ip version inferred from prefix):
wg-ip --subnet 172.16.0.0/12 gen uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg=
172.16.37.175

assign an ip address to the selected interface and allowed ips to the
peers, all in the same subnet (existing allowed ips are preserved):
wg-ip [-4|-6|--subnet <subnet>] [dev wg0] apply

or just see which commands 'apply' would run:
wg-ip [-4|-6|--subnet <subnet>] [dryrun]

Derivation algorithm: the bytes of the ip address are taken from the
beginning bytes of the sha256 hash of the corresponding pubkey, and
are masked with the network mask.

The tool does not handle collisions or special addresses: the idea is
to pick a subnet large enough so that these cases are unlikely enough.
For ipv6, with a /48 prefix, that would be an 80-bit address space, so
birthday attacks say one needs about 2^40 peers until they reach a
significant risk of collision, which will fill the routing table well
before this even becomes a problem. For ipv4 with the 10.0.0.0/8, the
address space is 24 bits, so odds are still pretty good until 2^12
peers, but this time it is reachable. For my personal needs (about 10
peers) and for anyone with a network of less than 1000 peers (if my
maths are correct), it should be largely sufficient (collision
probability under 5%). Worst case, if you don't like the ip address
generated, just use another key pair.
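Added example, not the wg-ip script itself: a Python re-implementation of the derivation described above, plus the two checks the post leaves to the operator (whether the result lands on a reserved address of the subnet, and the birthday-bound collision estimate). It assumes the hash is taken over the base64 text of the key as printed by `wg pubkey`; the post does not state wg-ip's exact hash input, so the printed addresses may differ from the ones in the post.

```python
import hashlib
import ipaddress
import math


def derive_address(pubkey_b64, subnet):
    """Address for pubkey_b64 inside subnet, as described in the post:
    network bits from the subnet, host bits from the leading bytes of
    sha256(pubkey) masked with the host part of the netmask.
    ASSUMPTION: the hash covers the base64 text, without a newline."""
    net = ipaddress.ip_network(subnet, strict=True)
    digest = hashlib.sha256(pubkey_b64.encode("ascii")).digest()
    width = net.max_prefixlen // 8                  # 4 bytes v4, 16 bytes v6
    host_int = int.from_bytes(digest[:width], "big")
    host_mask = (1 << (net.max_prefixlen - net.prefixlen)) - 1
    return net.network_address + (host_int & host_mask)


def is_special(addr, subnet):
    """True when the derived address is one the post says the tool does not
    avoid: the subnet's network address, or (IPv4 only) its broadcast."""
    net = ipaddress.ip_network(subnet, strict=True)
    if addr == net.network_address:
        return True
    return net.version == 4 and addr == net.broadcast_address


def collision_probability(peers, host_bits):
    """Birthday-bound estimate 1 - exp(-n^2 / 2N) for n peers drawing
    from N = 2^host_bits host addresses (the post's /8 -> 24 bits)."""
    return 1.0 - math.exp(-(peers ** 2) / (2.0 * 2 ** host_bits))


if __name__ == "__main__":
    key = "uymIRDopubn0XRLLRTymOvuK2iG90wRcXxhsb2EOYzg="  # key from the post
    for subnet in ("fd1a:6126:2887::/48", "10.0.0.0/8", "172.16.0.0/12"):
        addr = derive_address(key, subnet)
        flag = "  (reserved address, pick another key pair)" if is_special(addr, subnet) else ""
        print(f"{subnet:>22} -> {addr}{flag}")
    for n, bits in ((1000, 24), (4096, 24), (2 ** 40, 80)):
        print(f"{n} peers in {bits} host bits: p(collision) ~ {collision_probability(n, bits):.3f}")
```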

It is written in bash, in the spirit of wg-quick. I am definitely open
to having it integrated in wireguard if people show interest.

https://github.com/chmduquesne/wg-ip

[1]: https://lists.zx2c4.com/pipermail/wireguard/2016-December/000812.html

