
Subnet routing

Open voidzero opened this issue 3 years ago • 6 comments

Hi, what a great tool! So convenient.

How can I specify the interface name? For example, if I want to use something other than wg0.

Edit: Oh, never mind. I see it is done by renaming the config to /etc/wireguard/ifname.conf.

But before I close this, I do wonder about something else: how do I route a subnet with this script? For example, let the host get the IP 10.20.30.1/24 and route 10.20.30.0/24 to it. If you specify the IP then wg-quick on the remote host will complain: Warning: AllowedIP has nonzero host part: 10.30.0.1/24

Thanks!

voidzero avatar Jan 23 '21 01:01 voidzero

Writing AllowedIP should be the way to go.

I think AllowedIP is supposed to be NetworkID/CIDR. 10.30.0.1 is a host address, not the network address. The network address for 10.30.0.1/24 should be 10.30.0.0. Change 10.30.0.1/24 to 10.30.0.0/24 and you should be fine.

k4yt3x avatar Jan 23 '21 21:01 k4yt3x

Right. Well, it still works, but perhaps it's a good idea to either let this script parse AllowedIP so that the address is correctly specified under [Interface] and the subnets are changed correctly under [Peer]. It makes little sense to first generate configs and then edit all configs by hand. This gets tedious with many peers... I have 12. Or, option two, specify addresses separately from AllowedIP; this is more typing for the user, but requires fewer changes in the wg-meshconf script.

voidzero avatar Jan 25 '21 22:01 voidzero

I thought about verifying user input with netaddr, but

  • These errors are easy to fix
  • Verifying with netaddr requires an extra dependency

k4yt3x avatar Jan 27 '21 04:01 k4yt3x

@voidzero Can you provide a full example config with two nodes (host and client) to show the expected behaviour in detail?

dimon222 avatar Jan 27 '21 05:01 dimon222

@dimon222 Sure.

Proposal: if we do not let the script do this via netaddr, let the user manually specify the IP address of the interface with --address and keep this separate from which hosts are allowed (literally: routed through the interface) by using --allowed-ips.

In my proposal, let's say I have two hosts Waldorf and Statler:

% wg-meshconf addpeer --endpoint waldorf.example.com --address 10.0.0.254/24 --address fd05:abcd:0123:f000::ffaa/64 --allowed-ips 10.0.0.0/24 --allowed-ips fd05:abcd:0123:f000::/64 waldorf

% wg-meshconf addpeer --endpoint statler.example.com --address 10.0.123.254/24 --address fd05:abcd:0123:f123::ffaa/64 --allowed-ips 10.0.123.0/24 --allowed-ips fd05:abcd:0123:f123::/64 statler

Waldorf would generate:

[Interface]
# Name: waldorf
Address = 10.0.0.254/24, fd05:abcd:0123:f000::ffaa/64
PrivateKey = waldorfprivate

[Peer]
# Name: statler
PublicKey = statlerpublic
Endpoint = statler.example.com:1234
AllowedIPs = 10.0.123.0/24, fd05:abcd:0123:f123::/64

Statler:

[Interface]
# Name: statler
Address = 10.0.123.254/24, fd05:abcd:0123:f123::ffaa/64
PrivateKey = statlerprivate

[Peer]
# Name: waldorf
PublicKey = waldorfpublic
Endpoint = waldorf.example.com:1234
AllowedIPs = 10.0.0.0/24, fd05:abcd:0123:f000::/64

So: keep --address for the IP(s) of the interface. Add --allowed-ips to add the subnet (this is what AllowedIPs is). Note: I typed this config by hand, so here's hoping I made no mistakes.

voidzero avatar Jan 27 '21 06:01 voidzero
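Added example (not wg-meshconf's own code) of what the proposal above amounts to: --address stays the interface address, --allowed-ips becomes the peer's routed subnet, and when --allowed-ips is omitted the subnet is derived by zeroing the host bits. It uses only the standard-library ipaddress module, so no netaddr dependency is needed to reject an AllowedIP with a nonzero host part. The PEERS dict and the render() layout are assumptions for this example.

```python
import ipaddress

# Constructed data for the two peers from the proposal above; the dict layout
# is an assumption for this example, not wg-meshconf's own data model.
PEERS = {
    "waldorf": {
        "endpoint": "waldorf.example.com:1234",
        "address": ["10.0.0.254/24", "fd05:abcd:0123:f000::ffaa/64"],
        "allowed_ips": ["10.0.0.0/24", "fd05:abcd:0123:f000::/64"],
        "private_key": "waldorfprivate", "public_key": "waldorfpublic",
    },
    "statler": {
        "endpoint": "statler.example.com:1234",
        "address": ["10.0.123.254/24", "fd05:abcd:0123:f123::ffaa/64"],
        "allowed_ips": None,  # not given: derive the subnet from --address
        "private_key": "statlerprivate", "public_key": "statlerpublic",
    },
}


def network_of(addr: str) -> str:
    """Zero the host bits: 10.30.0.1/24 -> 10.30.0.0/24 (what AllowedIPs wants)."""
    return str(ipaddress.ip_interface(addr).network)


def host_part_warning(cidr: str):
    """Return wg-quick's complaint for a prefix with a nonzero host part, else None."""
    iface = ipaddress.ip_interface(cidr)
    if iface.ip != iface.network.network_address:
        return f"Warning: AllowedIP has nonzero host part: {cidr}"
    return None


def render(name: str, peers: dict = PEERS) -> str:
    """Build the wg-quick config for `name`; every other peer becomes a [Peer] block."""
    me = peers[name]
    out = ["[Interface]", f"# Name: {name}",
           "Address = " + ", ".join(me["address"]),
           f"PrivateKey = {me['private_key']}"]
    for pname, p in peers.items():
        if pname == name:
            continue
        allowed = p["allowed_ips"] or [network_of(a) for a in p["address"]]
        bad = [w for w in map(host_part_warning, allowed) if w]
        if bad:  # refuse to emit a config that wg-quick would warn about
            raise ValueError("; ".join(bad))
        out += ["", "[Peer]", f"# Name: {pname}", f"PublicKey = {p['public_key']}",
                f"Endpoint = {p['endpoint']}", "AllowedIPs = " + ", ".join(allowed)]
    return "\n".join(out) + "\n"
```

Note that ipaddress prints IPv6 networks in compressed form, so fd05:abcd:0123:f123::/64 comes back as fd05:abcd:123:f123::/64; both spellings denote the same prefix.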

So, to be painfully verbose: right now the AllowedIPs of Waldorf configures 10.0.123.254/24, fd05:abcd:0123:f123::ffaa/64, which is invalid for routing unless it specifies a /32 for an IPv4 and a /128 for an IPv6.

voidzero avatar Jan 27 '21 06:01 voidzero