[WireGuard] Nesting WireGuard tunnels
Justin Kilpatrick
justin at altheamesh.com
Mon Feb 5 22:00:06 CET 2018
I won't bore you with the details, but I'm working on a project where nesting WireGuard tunnels is an attractive solution to a thorny problem.
It looks like this:
A <--Tunnel A on port 51821--> B <--Tunnel B on port 51820--> C
Where A is sending packets addressed to the internal endpoint of Tunnel B on port 51821 and B forwards them along.
I see the correct packets come out of the Tunnel B interface at the destination, but they never seem to go into the Tunnel A endpoint on Device C. If I had to make a guess, I'd say that since WireGuard is in-kernel, it will never listen on devices that aren't physical NICs.
For the short term I've solved this problem by having Device C use a keepalive to Device A, which has only a single tunnel. The NAT traversal code then figures out how to navigate the nested tunnels on Device C to form a bi-directional connection.
My questions are:
1) Is capability for nesting a feature that the community is interested in?
2) Can it be implemented in a sane way?
3) If the above two points are true, I'd appreciate some pointers about how to get started on a patch.
--
Justin Kilpatrick
justin at altheamesh.com