Subnet routing
voidzero opened this issue · 6 comments
Hi, what a great tool! So convenient.
How can I specify the interface name, if I want to use something other than wg0?
Edit: Oh, never mind. I see it is done by renaming the config to /etc/wireguard/ifname.conf.
But before I close this, I do wonder about something else: how do I route a subnet with this script? For example, let the host get the IP 10.20.30.1/24 and route 10.20.30.0/24 to it. If you specify the IP then wg-quick on the remote host will complain:
Warning: AllowedIP has nonzero host part: 10.30.0.1/24
Thanks!
Writing AllowedIP should be the way to go.
I think AllowedIP is supposed to be NetworkID/CIDR. 10.30.0.1 is a host address, not the network address. The network address for 10.30.0.1/24 should be 10.30.0.0. Change 10.30.0.1/24 to 10.30.0.0/24 and you should be fine.
Right. Well, it still works, but perhaps it's a good idea to either let this script parse AllowedIP so that the address is correctly specified under [Interface], and the subnets are changed correctly under [Peer]. It makes little sense to first generate configs and then edit all configs by hand. This gets tedious with many peers... I have 12. Or - option two - is to specify addresses separately from AllowedIP; this is more typing for the user, but requires fewer changes in the wg-meshconf script.
I thought about verifying user input with netaddr, but:
- These errors are easy to fix
- Verifying with netaddr requires an extra dependency
@voidzero Can you provide a full example config with two nodes (host and client) to show the expected behaviour in detail?
@dimon222 Sure.
Proposal: if we do not let the script do this via netaddr, let the user manually specify the IP address of the interface with --address and have this separately from what hosts are allowed (literally: routed through the interface) by using --allowed-ips.
In my proposal, let's say I have two hosts Waldorf and Statler:
% wg-meshconf addpeer --endpoint waldorf.example.com --address 10.0.0.254/24 --address fd05:abcd:0123:f000::ffaa/64 --allowed-ips 10.0.0.0/24 --allowed-ips fd05:abcd:0123:f000::/64 waldorf
% wg-meshconf addpeer --endpoint statler.example.com --address 10.0.123.254/24 --address fd05:abcd:0123:f123::ffaa/64 --allowed-ips 10.0.123.0/24 --allowed-ips fd05:abcd:0123:f123::/64 statler
Waldorf would generate:
[Interface]
# Name: waldorf
Address = 10.0.0.254/24, fd05:abcd:0123:f000::ffaa/64
PrivateKey = waldorfprivate
[Peer]
# Name: statler
PublicKey = statlerpublic
Endpoint = statler.example.com:1234
AllowedIPs = 10.0.123.0/24, fd05:abcd:0123:f123::/64
Statler would generate:
[Interface]
# Name: statler
Address = 10.0.123.254/24, fd05:abcd:0123:f123::ffaa/64
PrivateKey = statlerprivate
[Peer]
# Name: waldorf
PublicKey = waldorfpublic
Endpoint = waldorf.example.com:1234
AllowedIPs = 10.0.0.0/24, fd05:abcd:0123:f000::/64
So: keep --address for the IP(s) of the interface. Add --allowed-ips to add the subnet (this is what AllowedIPs is).
Note: I typed this config by hand, so here's hoping I made no mistakes.
So, to be painfully verbose, right now the AllowedIPs of Waldorf configures 10.0.123.254/24, fd05:abcd:0123:f123::ffaa/64, which is invalid for routing unless it specifies a /32 for an IPv4 and a /128 for an IPv6.