WireGuard Digest, Vol 24, Issue 14

Thomas Munn symgryph at gmail.com
Sat Mar 10 19:38:01 CET 2018


wg inside gre inside tcp?

Thomas J Munn


> On Mar 10, 2018, at 06:00, wireguard-request at lists.zx2c4.com wrote:
> 
> Today's Topics:
> 
>   1. Re: Another roaming problem (Toke Høiland-Jørgensen)
>   2. TCP Wireguard with socat (Gianluca Gabrielli)
>   3. Policy-based routing (Bruno)
>   4. Re: Policy-based routing (Matthias Urlichs)
>   5. Re: TCP Wireguard with socat (Matthias Urlichs)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 09 Mar 2018 15:53:27 +0100
> From: Toke Høiland-Jørgensen <toke at toke.dk>
> To: "Jason A. Donenfeld" <Jason at zx2c4.com>
> Cc: WireGuard mailing list <wireguard at lists.zx2c4.com>
> Subject: Re: Another roaming problem
> Message-ID: <878tb1jo60.fsf at toke.dk>
> Content-Type: text/plain
> 
> "Jason A. Donenfeld" <Jason at zx2c4.com> writes:
> 
>> Neat script, looks pretty easy to use. The wg repo has a kprobes
>> script too for extracting ephemeral keys from the kernel:
>> 
>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes
> 
> Neat! Brave new world of debugging ;)
> 
> /me goes to write some more printk's
> 
> 
> -Toke
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 09 Mar 2018 11:41:45 -0500
> From: Gianluca Gabrielli <tuxmealux at protonmail.com>
> To: "wireguard at lists.zx2c4.com" <wireguard at lists.zx2c4.com>
> Subject: TCP Wireguard with socat
> Message-ID:
>    <utLzzyzPJsv-W3vVhU4Sdchg_5A07v9qCxR1DeJ5Wu7RzJHcje1cCEjtEWi4j0aCN05ozn9b4VYJQsLovvl6TGPp-kbZ_5kfpReEJHQQXGk=@protonmail.com>
>    
> Content-Type: text/plain; charset=UTF-8
> 
> Hi everybody,
> 
> I've been a happy wireguard user for a while, but at this time I need to link two peers and I can only use TCP. I know that there are thousands of other tools I can use, but I'd like to do it using wireguard.
> My first thought was to make use of socat, since in some recent version a new address type called INTERFACE has been added (http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES), so I tried to use it but I've not been able to make it work.
> This is why I'm here asking for your feedback, or to collect other ideas to let wireguard work through a TCP tunnel.
> 
> I wrote all the notes about the tests I made in a PDF. I know that this is not a good way to share my results with you, and I should write them here once again in plaintext. But for me it would turn into a waste of time to do it again, and it would also be less comprehensible.
> I uploaded the PDF online instead of attaching it to this email, hence nobody needs to open it on his personal laptop, but it can be viewed via any browser. I personally hate opening unknown files on my computer. The PDF can be viewed from the following link:
> https://drive.google.com/open?id=1KrLvU1D0K4YpRHi-jsIjbExh0lFTRQks
> 
> I will really appreciate any constructive feedback or suggestion on how to easily use wireguard with TCP.
> 
> Thanks,
> Gianluca
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 9 Mar 2018 16:38:35 -0300
> From: Bruno <bruno at streamfeed.com>
> To: wireguard at lists.zx2c4.com
> Subject: Policy-based routing
> Message-ID: <a81edfe2-2a49-c49a-ea7c-65e60639ecfe at streamfeed.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Hello,
> 
> I'm trying to set up a policy-based routing on a wireguard instance. I 
> didn't want to call it server, because it acts more like a proxy.
> 
> Let's say I have 6 peers plus this wireguard server.
> 
> Peer 2  Peer 3   Peer 4
>  \/       \/       \/
> ______________________
> |                     |
> | Wireguard "server"  |
> |                     |
> |_____________________|
>  \/       \/       \/
> Peer 5  Peer 6   Peer 7
> 
> Wireguard "server"
> Address = 10.0.0.1/24
> 
> Peers 2-7
> Address = 10.0.0.2-7/24, respectively.
> 
> So, what I'm trying to do is route traffic to Peer 7, for example, if it 
> is coming from Peer 2. I can do it with some `ip rule` and `ip route` 
> commands. However, wireguard seems to be blocking that traffic. So, I 
> want peers 5-7 to act as gateways to the internet and I would choose one via 
> the Linux environment.
> 
> Peers 5-7 would be wireguard servers that would route all traffic to the 
> internet. So, on the wireguard instance (10.0.0.1/24, "server"), I have 
> to set allowed IPs for peers 5-7 as "0.0.0.0/0", correct? Does wireguard 
> accept that? In my tests it would just pick one to have allowed IPs 
> 0.0.0.0/0 and set the others to (none). Then, I couldn't reach traffic 
> either from or to those other peers.
> 
> On the wireguard "server" I would set allowed-IPs to peers 2-4 as 
> 10.0.0.2/32-10.0.0.4/32 as I don't need traffic going through it, just 
> coming from it.
> 
> Is it possible to achieve that with wireguard?
> 
> Thanks!
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 9 Mar 2018 22:35:00 +0100
> From: Matthias Urlichs <matthias at urlichs.de>
> To: wireguard at lists.zx2c4.com
> Subject: Re: Policy-based routing
> Message-ID: <9181ac49-897b-8412-84e9-1505cc261913 at urlichs.de>
> Content-Type: text/plain; charset=utf-8
> 
> Hi,
>> Is it possible to achieve that with wireguard? 
> 
> You need to set up multiple wireguard interfaces (on different ports of
> course).
> 
> Then you can use traditional Linux routing techniques.
> 
> -- 
> -- Matthias Urlichs
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 9 Mar 2018 22:45:32 +0100
> From: Matthias Urlichs <matthias at urlichs.de>
> To: wireguard at lists.zx2c4.com
> Subject: Re: TCP Wireguard with socat
> Message-ID: <e0bff705-f328-0071-0fb7-0367d36f0074 at urlichs.de>
> Content-Type: text/plain; charset=utf-8
> 
>> On 09.03.2018 17:41, Gianluca Gabrielli wrote:
>> My first thought has been to make use of socat
> 
> socat can do either packet streams or byte streams. A UDP socket (or a
> tun/tap interface) is a packet stream. TCP is a byte stream. You can't
> forward a packet stream into a byte stream. (Well, OK, socat does allow
> you to set that up, but it won't work.)
> 
> You need to wrap your packets in some sort of frame (simplest: precede each
> with a length word (but think about byte ordering)). I'm sure there are
> programs which do that, or you can write your own. socat can't do it.
> 
> -- 
> -- Matthias Urlichs
> 
> 
> 
> End of WireGuard Digest, Vol 24, Issue 14
> *****************************************
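
Why the test in Message 3 left two of the three gateways with `(none)`, and why Message 4 recommends separate interfaces, shown with an added Python model (not WireGuard code and not from the thread): within one interface a prefix in the allowed-IPs table belongs to exactly one peer, so assigning it again moves it. The class `AllowedIPs`, the interface names `wg5` to `wg7` and the address 203.0.113.9 are assumptions for illustration.

```python
import ipaddress

class AllowedIPs:
    """Illustrative model of one WireGuard interface's allowed-IPs table."""

    def __init__(self):
        self._owner = {}  # network -> peer name; one owner per prefix

    def set_peer(self, peer, cidrs):
        # Replace this peer's list; a prefix held by another peer is moved.
        for net in [n for n, p in self._owner.items() if p == peer]:
            del self._owner[net]
        for cidr in cidrs:
            self._owner[ipaddress.ip_network(cidr)] = peer

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self._owner.items() if p == peer)

    def route(self, dst):
        # Outbound: the longest matching prefix selects the peer.
        addr = ipaddress.ip_address(dst)
        best = None
        for net in self._owner:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return self._owner.get(best)

    def accepts(self, peer, src):
        # Inbound: a decrypted packet is kept only if its source address
        # maps back to the peer that sent it.
        return self.route(src) == peer

def single_interface():
    """The setup from Message 3: every peer on one interface."""
    wg0 = AllowedIPs()
    for i in (2, 3, 4):
        wg0.set_peer(f"peer{i}", [f"10.0.0.{i}/32"])
    for i in (5, 6, 7):
        wg0.set_peer(f"peer{i}", ["0.0.0.0/0"])  # each call takes the prefix over
    return wg0

def one_interface_per_gateway():
    """Assumed layout for Message 4: a separate table for each gateway."""
    tables = {}
    for i in (5, 6, 7):
        tables[f"wg{i}"] = AllowedIPs()
        tables[f"wg{i}"].set_peer(f"peer{i}", ["0.0.0.0/0"])
    return tables
```

With separate interfaces the choice of gateway moves out of WireGuard and into `ip rule` / `ip route`, which select the outgoing interface per source address.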
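
The length-prefix framing suggested in Message 5, as an added example that is not part of the thread and not WireGuard or socat code: each UDP datagram is preceded by a 2-byte length in network byte order, and the decoder recovers the datagram boundaries however TCP splits the stream. The names `encode_frame`, `FrameDecoder` and `rechunk` and the sample datagrams are constructed for illustration.

```python
import struct

MAX_DATAGRAM = 0xFFFF        # largest length a 2-byte prefix can express
_HDR = struct.Struct("!H")   # "!" = network byte order, same on both ends

def encode_frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length so the receiver can find its end."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return _HDR.pack(len(datagram)) + datagram

class FrameDecoder:
    """Reassembles datagrams from arbitrary chunks of a TCP byte stream."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Add received bytes; return every datagram that is now complete."""
        self._buf += chunk
        complete = []
        while len(self._buf) >= _HDR.size:
            (length,) = _HDR.unpack_from(self._buf)
            end = _HDR.size + length
            if len(self._buf) < end:
                break                      # body not fully received yet
            complete.append(bytes(self._buf[_HDR.size:end]))
            del self._buf[:end]
        return complete

    def pending(self) -> int:
        return len(self._buf)

def rechunk(stream: bytes, sizes) -> list:
    """Cut a byte stream at arbitrary points, as TCP segmentation may."""
    chunks, pos = [], 0
    for n in sizes:
        chunks.append(stream[pos:pos + n])
        pos += n
    if pos < len(stream):
        chunks.append(stream[pos:])
    return chunks

def demo():
    # Constructed sample datagrams standing in for WireGuard UDP payloads.
    datagrams = [b"\x01" * 148, b"\x02" * 92, b"\x04" + b"A" * 31]
    stream = b"".join(encode_frame(d) for d in datagrams)
    decoder, received = FrameDecoder(), []
    for chunk in rechunk(stream, [1, 100, 60, 7]):  # splits even the header
        received.extend(decoder.feed(chunk))
    return datagrams, received, decoder.pending()
```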