Question about AllowedIPs and proper "mesh" setup

Lars Francke lars.francke at gmail.com
Tue Nov 6 09:01:02 CET 2018


Hi,

I've been playing around with WireGuard recently. Thank you for all your
work on it.

It all mostly works but I have one thing that I can't grasp properly:

My setup is a bunch of servers that need to communicate securely over an
unsecured network. Like a mesh. So I have three servers and each of them
has a connection to the other two (i.e. two Peers). This all works
beautifully.

Now I want to add an outside client into the mix (e.g. my laptop). I want
to be able to connect to just one of those hosts and have that host forward
my packets to the others.

I can get it to work if I pick _one_ specific jump host but I haven't
managed to set it up in a way that I can connect to any of them.

(I'm leaving out Private & Public Key, Ports and Endpoints to make the
examples shorter.)

Client wg0.conf:
[Interface]
Address = 10.0.1.1

# Server 1
[Peer]
AllowedIPs = 10.0.0.1/24


Server 1 wg0.conf:
[Interface]
Address    = 10.0.0.1

# Client
[Peer]
AllowedIPs = 10.0.1.1/32

# Server 2
[Peer]
AllowedIPs = 10.0.0.2, __10.0.1.1/32__

# Server 3
[Peer]
AllowedIPs = 10.0.0.3, __10.0.1.1/32__


Server 2 wg0.conf:
[Interface]
Address    = 10.0.0.2

# Client
[Peer]
AllowedIPs = 10.0.1.1/32

# Server 1
[Peer]
AllowedIPs = 10.0.0.1, __10.0.1.1/32__

# Server 3
[Peer]
AllowedIPs = 10.0.0.3, __10.0.1.1/32__


Server 3 etc. are similar.
This way I can connect with my client to any of the Servers and I can ping
them (e.g. ping 10.0.0.1) but I can _not_ ping the others: So when I
connect to server-1 I can not reach server-2 from my client (IP forwarding
etc. is enabled).

This only works when I remove the second IP from AllowedIPs (the one marked
with underscores) from the server I connect to (e.g. server 1). The other
servers (e.g. server 2 & 3) need it though because of course they'll see
traffic from 10.0.1.1 being forwarded to them so it needs to be in their
AllowedIPs.

That means I can get everything to work if I pick one special host that
Clients connect to.

I might just fundamentally misunderstand how AllowedIPs works. Any help is
greatly appreciated.


An unrelated question: Should wg-quick up be allowed to be called with just
a file name?
e.g. wg-quick up wg0.conf?
I understand from the man page that it should, but I think the behavior is
broken on macOS/Darwin because it tries to cd into the file, which fails.


Cheers,
Lars
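
Added illustration (not part of Lars's message and not code from the
WireGuard project): a small Python model of WireGuard's cryptokey routing,
i.e. of what AllowedIPs actually is. On a given interface every allowed
prefix belongs to exactly one peer; it is used both to pick the peer an
outbound packet is encrypted to (by destination) and to check that a
decrypted packet's source belongs to the peer it came from. The model
follows the documented rule that a prefix listed under several [Peer]
sections ends up owned by the last one that lists it. It parses the
server-1 config posted above (underscore markers removed, embedded here as
constructed input; the "# comment" before each [Peer] is used as the peer
name, which is a convention of this example only) and reports where the
client's address resolves. As a contrast it also lints a layout that is an
assumption of this example, not something from the thread: the laptop uses
a different address per entry server (10.0.1.x behind server 1, 10.0.2.x
behind server 2, 10.0.3.x behind server 3), so each prefix has one owner on
every server.

```python
"""Model of WireGuard's cryptokey routing (AllowedIPs) for linting mesh configs.
Constructed example, not WireGuard code."""
import ipaddress


def parse_peers(conf_text):
    """Return [(peer_name, [ip_network, ...])] from a wg-quick style config.
    Assumption of this example: the '# comment' before each [Peer] names it."""
    peers, pending_name, allowed = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending_name = line.lstrip("#").strip()
            continue
        if line.lower() == "[peer]":
            allowed = []
            peers.append((pending_name or "peer%d" % (len(peers) + 1), allowed))
            pending_name = None
            continue
        if line.startswith("["):          # [Interface]: nothing to route
            allowed = None
            continue
        key, _, value = line.partition("=")
        if allowed is not None and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    # wg treats a bare address as /32 and normalises a host
                    # address with a shorter mask (10.0.0.1/24 -> 10.0.0.0/24)
                    allowed.append(ipaddress.ip_network(item.strip(), strict=False))
    return peers


class CryptokeyTable:
    """One interface's AllowedIPs table: prefix -> the single peer owning it."""

    def __init__(self):
        self.owner = {}        # ip_network -> peer name
        self.conflicts = []    # (network, previous owner, new owner)

    def insert(self, network, peer):
        previous = self.owner.get(network)
        if previous is not None and previous != peer:
            self.conflicts.append((network, previous, peer))
        self.owner[network] = peer           # the later [Peer] takes it over

    def lookup(self, address):
        """Longest-prefix match on an address (destination or source)."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, peer in self.owner.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accepts_inbound(self, from_peer, src):
        """A decrypted packet is delivered only if its source resolves to the
        peer it arrived from; otherwise WireGuard drops it."""
        return self.lookup(src) == from_peer


def build_table(conf_text):
    table = CryptokeyTable()
    for name, networks in parse_peers(conf_text):
        for net in networks:
            table.insert(net, name)
    return table


# Constructed: server 1 as posted, underscore markers removed.
SERVER1_AS_POSTED = """
[Interface]
Address = 10.0.0.1
# client
[Peer]
AllowedIPs = 10.0.1.1/32
# server2
[Peer]
AllowedIPs = 10.0.0.2, 10.0.1.1/32
# server3
[Peer]
AllowedIPs = 10.0.0.3, 10.0.1.1/32
"""

# Constructed assumption: one client subnet per entry server, so no prefix
# is claimed by two peers on the same interface.
SERVER1_PER_ENTRY_SUBNETS = """
[Interface]
Address = 10.0.0.1
# client
[Peer]
AllowedIPs = 10.0.1.1/32
# server2
[Peer]
AllowedIPs = 10.0.0.2/32, 10.0.2.0/24
# server3
[Peer]
AllowedIPs = 10.0.0.3/32, 10.0.3.0/24
"""


def lint(conf_text):
    """Summarise what this server does with the laptop's address 10.0.1.1."""
    table = build_table(conf_text)
    return {
        "conflicts": [(str(n), a, b) for n, a, b in table.conflicts],
        "reply_to_client_goes_to": table.lookup("10.0.1.1"),
        "client_packet_accepted": table.accepts_inbound("client", "10.0.1.1"),
    }


if __name__ == "__main__":
    for label, conf in (("as posted", SERVER1_AS_POSTED),
                        ("per-entry subnets", SERVER1_PER_ENTRY_SUBNETS)):
        print(label, lint(conf))
```

Under this model the posted server-1 config hands 10.0.1.1/32 to the server 3
peer, so replies for the laptop would be encrypted to server 3 and a packet
arriving from the laptop peer with source 10.0.1.1 would fail the source
check; the per-entry-subnet layout has no conflicts and resolves 10.0.1.1 to
the client peer and 10.0.2.x to the server 2 peer. The same script can be run
over each server's config in turn to spot any prefix claimed twice.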