node subnets are not included in "allowed ips"?

Open bmullan opened this issue 5 years ago • 14 comments

I have wesher creating my mesh using WireGuard OK. But I'm finding that subnets on various nodes are not reachable.

On some of my nodes I have created bridged subnets.

With regular WireGuard I could normally include those subnets (example 192.168.75.0/24) as "allowed ips".

But running wesher, if I check /var/lib/wesher/state.json the IP subnets are not included!

Is there an undocumented command line option for how someone can specifically identify subnets they want included in the WireGuard config?

thanks

bmullan avatar Feb 05 '20 17:02 bmullan

Is there a way with Wesher to include other/additional subnets in the "allowed ips" ?

Currently no.
It's a bit trickier to implement than one might think at first. But it is something I'm considering. PR always welcome if someone beats me to it!

costela avatar Feb 10 '20 16:02 costela

@costela

Thanks for adding it as a milestone as I think many of the container technologies will be better enabled to be used with Wesher.

bmullan avatar Feb 11 '20 00:02 bmullan

I plan on working on something a bit different, but I might end up supporting both. First my use case in a sentence (I'll develop it in another issue): multiple k8s CNIs set routes directly to other nodes and expect them to be honored, so I need routes added manually on the wg devices to be reflected in allowed IPs on other nodes.

Regarding this issue, it seems like a nice complement to my use case. It would probably need an additional setting ROUTED_NETWORKS_FILTER that contains a list of CIDRs that is used to filter advertised networks, in order to avoid propagating unwanted networks, or even 127.0.0.1/8.

A sane default value would be the empty filter, which means no network is propagated, and would also avoid adding a setting for enabling/disabling this feature.

kaiyou avatar May 06 '20 12:05 kaiyou

For implementation, I intend on using this: https://godoc.org/github.com/vishvananda/netlink#RouteSubscribe

I will implement a new loop, identical to the cluster loop, consuming events from netlink, filtering the routes using a configuration setting, and providing the local node route list on a channel. Then in the main loop, I will update the local node based on these routes.

Routes will be propagated using node meta, and the node parsing routine will handle extra allowed addresses and netlink routes on top of the node overlay address. The main catch at the moment is that we will need to add and delete routes, removing routes that are not announced anymore by a node. How do we handle routes that are set manually by the admin instead of wesher then?

I do not intend on handling conflicting routes in this first implementation. Does that sound ok? I think I will implement the code in the node package since those are properties of the local node.

kaiyou avatar May 15 '20 10:05 kaiyou
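To make the design above concrete, here is an added example (written for this thread, not code from wesher or from kaiyou's feature branch) of the pure logic that sits between the netlink subscription and the peer configuration: filtering a node's local routes against a ROUTED_NETWORKS_FILTER list of CIDRs, where the empty filter advertises nothing; building a peer's AllowedIPs as its overlay host route plus the routes it announces; and diffing the previously installed routes against the newly announced ones so that withdrawn routes are removed. The function names, the use of plain CIDR strings instead of netlink route objects, and the sample routes are all assumptions made for the example; the netlink RouteSubscribe loop itself is left out.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// parseCIDRs parses a list of CIDR strings, failing on the first invalid entry.
func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// within reports whether inner lies entirely inside outer: same address
// family, a prefix at least as long, and a network address inside outer.
func within(outer, inner *net.IPNet) bool {
	outerOnes, outerBits := outer.Mask.Size()
	innerOnes, innerBits := inner.Mask.Size()
	if outerBits != innerBits {
		return false
	}
	return innerOnes >= outerOnes && outer.Contains(inner.IP)
}

// filterRoutes keeps only the routes that fall inside at least one filter
// CIDR (assumed semantics of ROUTED_NETWORKS_FILTER), sorted and deduplicated.
// An empty filter advertises nothing, so loopback and anything else not
// explicitly listed never reaches the peers' AllowedIPs.
func filterRoutes(routes, filter []string) ([]string, error) {
	filterNets, err := parseCIDRs(filter)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var kept []string
	for _, r := range routes {
		_, rn, err := net.ParseCIDR(r)
		if err != nil {
			return nil, fmt.Errorf("invalid route %q: %w", r, err)
		}
		key := rn.String() // normalised form, e.g. "10.244.1.0/24"
		if seen[key] {
			continue
		}
		for _, f := range filterNets {
			if within(f, rn) {
				seen[key] = true
				kept = append(kept, key)
				break
			}
		}
	}
	sort.Strings(kept)
	return kept, nil
}

// allowedIPs builds a peer's AllowedIPs: its overlay address as a host route
// plus every route it announces. WireGuard only accepts packets from a peer
// whose source is in this list and only sends packets to a peer whose
// destination is in it, which is why routed subnets must appear here.
func allowedIPs(overlayIP string, routes []string) ([]string, error) {
	ip := net.ParseIP(overlayIP)
	if ip == nil {
		return nil, fmt.Errorf("invalid overlay IP %q", overlayIP)
	}
	bits := 32
	if ip.To4() == nil {
		bits = 128
	}
	return append([]string{fmt.Sprintf("%s/%d", ip, bits)}, routes...), nil
}

// diffRoutes compares the routes currently installed for a peer with what it
// now announces, returning what to add and what to withdraw, so that a route
// a node stops announcing is removed instead of left behind.
func diffRoutes(current, announced []string) (add, remove []string) {
	cur := map[string]bool{}
	for _, c := range current {
		cur[c] = true
	}
	ann := map[string]bool{}
	for _, a := range announced {
		ann[a] = true
		if !cur[a] {
			add = append(add, a)
		}
	}
	for _, c := range current {
		if !ann[c] {
			remove = append(remove, c)
		}
	}
	sort.Strings(add)
	sort.Strings(remove)
	return add, remove
}

func main() {
	// Constructed sample: pod routes as a CNI might install them, loopback,
	// a bridged LAN, and an aggregate that is wider than the filter allows.
	local := []string{"10.244.1.0/24", "127.0.0.0/8", "192.168.75.0/24", "10.244.2.0/24", "10.0.0.0/8"}
	filter := []string{"10.244.0.0/16", "192.168.0.0/16"}
	kept, err := filterRoutes(local, filter)
	if err != nil {
		panic(err)
	}
	fmt.Println("advertised:", kept)
	ips, _ := allowedIPs("10.0.0.5", kept)
	fmt.Println("allowed ips:", ips)
	add, remove := diffRoutes([]string{"10.244.1.0/24", "192.168.75.0/24"}, []string{"10.244.1.0/24", "10.244.3.0/24"})
	fmt.Println("add:", add, "remove:", remove)
}
```

The containment check deliberately rejects a route whose prefix is shorter than the filter entry (10.0.0.0/8 against a 10.244.0.0/16 filter), so a node cannot widen what it advertises beyond what the operator allowed; routes the admin installed by hand on the wg device are not distinguished here, matching the first-implementation scope described in the comment.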

Here is the current state of our work on the routing matter. It will undergo some tests in our use case in the next few days: https://github.com/kaiyou/wesher/tree/feature-routed-net

kaiyou avatar May 18 '20 08:05 kaiyou

This is currently running on three different clusters of mine, properly propagating kubernetes routes. I will provide production feedback next week.

kaiyou avatar May 21 '20 20:05 kaiyou

@kaiyou @costela Any updates on this?

This functionality would be great as adding a routing protocol on top of a wesher cluster would still leave the destinations out of allowed-ips on the peers.

arnarg avatar Nov 25 '20 10:11 arnarg

@arnarg unfortunately not from my side. I've been swamped and haven't been able to give wesher the attention it deserves :unamused:

@kaiyou I just noticed I didn't react to your comment. Sorry about that! This definitely sounds like a solid approach :+1:

costela avatar Nov 25 '20 10:11 costela

I'm not sure what the status of Issue #28 currently is from reading the comments in this issue thread. Does/Will Wesher support subnets?

bmullan avatar Mar 10 '21 21:03 bmullan

@bmullan probably yes, but unfortunately no time-frame yet.

costela avatar Mar 11 '21 18:03 costela

Thanks. Brian

On Thu, Mar 11, 2021, 1:04 PM Leo Antunes @.***> wrote:

@bmullan https://github.com/bmullan probably yes, but unfortunately no time-frame yet.


bmullan avatar Mar 11 '21 20:03 bmullan

Is there a way with Wesher to include other/additional subnets in the "allowed ips" ?

Currently no. It's a bit trickier to implement than one might think at first. But it is something I'm considering. PR always welcome if someone beats me to it!

@costela I saw one entry above that said: @costela costela added this to the v0.3.0 milestone on Feb 10, 2020

Just curious if you made any progress implementing support for routing "subnets" on a Mesh VPN Node?

Thanks Brian

bmullan avatar Jul 26 '22 11:07 bmullan

@kaiyou

Earlier in this thread you said...

Here is the current state of our work on the routing matter. It will undergo some tests in our use case in the next few days: https://github.com/kaiyou/wesher/tree/feature-routed-net
This is currently running on three different clusters of mine, properly propagating kubernetes routes. I will provide production feedback next week.

I went to that link but I'm not sure what's different, fixed, or added? What is "running on 3 different clusters"?

Sorry I'm missing something :-)

Brian

bmullan avatar Jul 26 '22 12:07 bmullan

bump

bmullan avatar Jul 27 '23 14:07 bmullan