Multiple Keys per Peer

Nico Schottelius nico.schottelius at ungleich.ch
Sun May 2 12:06:53 UTC 2021


Roman Mamedov <rm at romanrm.net> writes:

> On Sun, 02 May 2021 13:02:28 +0200
> Nico Schottelius <nico.schottelius at ungleich.ch> wrote:
>
>> when running a lot of VPN connections using wireguard, there are some
>> questions we see quite often from users, two of which I'd like to
>> discuss here:
>>
>> Multiple keys per Peer
>> ----------------------
>>
>> Users often ask for sharing their connection with multiple
>> devices. The obvious solution is for users to set up their own VPN
>> endpoint with the first key and then reshare themselves. However, this
>> is not feasible in many end user situations.
>
> The prime and the most straightforward solution is to give each user multiple
> keys, and let them connect from each endpoint as an independent Peer.
>
> The rest of what you propose appears to be a set of bizarre hacks because
> you don't want to do the above, because "(reasons)". Maybe start with
> detailing those reasons first, or reconsidering if they are *really* that
> important and unsurmountable :)

Practically speaking, our VPNs are currently rather
"dumb" and only know about /48's (usually one VPN server is responsible
for a /40). And in practice, we are not so much interested in knowing
how people split their tunnels, so we consider this more of a
dynamic routing than a static configuration.

However, I see your point that we could update our systems for
pre-processing the routing logic and letting users split on a static
basis and with that keeping the wireguard protocol more simple.

I'd say fair enough and thanks for the pointer!

Best regards,

Nico

--
Sustainable and modern Infrastructures by ungleich.ch
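
The static split discussed in this thread (one key per device, each an independent peer inside the user's /48), sketched as an added example that is not code from the thread or from WireGuard. The function names, the keys and the 2001:db8:1::/48 prefix are assumptions constructed for illustration; rejecting overlapping prefixes is a policy choice of this sketch.

```python
import base64
import ipaddress

# Constructed sample values: not real keys; 2001:db8::/32 is the documentation range.
KEY_LAPTOP = base64.b64encode(b"\x01" * 32).decode()
KEY_PHONE = base64.b64encode(b"\x02" * 32).decode()
USER_PREFIX = "2001:db8:1::/48"

def validate_split(user_prefix, requested):
    """Check (public_key, prefix) pairs; return {public_key: [IPv6Network, ...]}."""
    parent = ipaddress.IPv6Network(user_prefix)
    accepted = {}
    for key, prefix in requested:
        # A WireGuard public key is 32 bytes, base64-encoded.
        if len(base64.b64decode(key, validate=True)) != 32:
            raise ValueError("public key must decode to 32 bytes")
        net = ipaddress.IPv6Network(prefix)  # strict parsing rejects set host bits
        # A user may only hand out space from the /48 routed to them.
        if not net.subnet_of(parent):
            raise ValueError(f"{net} is outside {parent}")
        # Policy of this sketch: reject overlaps so every address maps
        # unambiguously to one device key.
        for nets in accepted.values():
            if any(net.overlaps(other) for other in nets):
                raise ValueError(f"{net} overlaps an already assigned prefix")
        accepted.setdefault(key, []).append(net)
    return accepted

def render_peers(accepted):
    """Emit one [Peer] section per device key for the server-side config."""
    blocks = []
    for key, nets in accepted.items():
        allowed = ", ".join(str(n) for n in nets)
        blocks.append(f"[Peer]\nPublicKey = {key}\nAllowedIPs = {allowed}\n")
    return "\n".join(blocks)

if __name__ == "__main__":
    split = validate_split(USER_PREFIX, [
        (KEY_LAPTOP, "2001:db8:1:1::/64"),
        (KEY_PHONE, "2001:db8:1:2::/64"),
    ])
    print(render_peers(split))
```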

