[wireguard-dev] Ability to use one udp port for multiple wg interfaces
Hello,

This question has already been posted in the past, but I need some help. We want to create one WireGuard interface per client, because at the moment we are using one interface for all our clients, and it is becoming very difficult to manage in terms of QoS, network analysis, security, iptables, etc. With multiple interfaces everything is fine in terms of performance with the latest release, but each interface must have its own port, which is not possible to manage (a different port per client). Is there a solution?

Regards,
Nicolas Prochazka

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
I'd recommend you use multiple peers per interface. The strong binding with allowed-ips enables you to use qos, network analysis, security, and iptables rules in a very straightforward way.
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
Hello,

I know, but we are using one interface per customer; each interface manages multiple peers (> 500), as in:

wg_interface0 = client 0 = 500 peers
wg_interfacen = client n = 500 peers

At the moment only one interface, wg0, manages all peers and all customers; it is very complicated for the administrative tasks, QoS, client separation.

Regards,
Nicolas

2017-09-21 13:25 GMT+02:00 Jason A. Donenfeld:
> I'd recommend you use multiple peers per interface. The strong binding
> with allowed-ips enables you to use qos, network analysis, security,
> and iptables rules in a very straightforward way.
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
On Thu, Sep 21, 2017 at 1:46 PM, nicolas prochazka wrote:
> at this moment, only one interface wg0 manage all peers and all
> customers , it's very complicating for the administrive tasks , qos,
> client separation

It should be possible to accomplish these administrative tasks and qos via subnet range rather than interface. Each interface will handle up to 2^20 peers, which should certainly be enough. In any case, if you would like to use different interfaces, you'll need to use different ports.
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
Please do not prefix your email subjects with [wireguard-dev].
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
Ok.

To be more precise, the use cases are: services (as daemons) are listening on a specific interface/IPv6 address to secure and activate the service per client; with only one interface it is not possible, and aliasing seems not to be relevant. However, I can understand that this is not WireGuard's problem; perhaps you can tell us if an internal dev is possible or if the nature of WireGuard forbids this?

Regards,
Nicolas

PS: sorry for the prefix

2017-09-21 13:55 GMT+02:00 Jason A. Donenfeld:
> Please do not prefix your email subjects with [wireguard-dev].
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
Perhaps I'm not understanding your last message, but it's most certainly possible to bind to a particular IP address with a service. It's also possible to bind to _all_ IP addresses, and then use iptables to control which source networks have access to a particular port. Finally, within a service, if you only allow input from wg0 since allowed-ips gives strong cryptographic binding, you can explicitly filter on the IP addresses you get from recvfrom.

I don't understand your meaning of "internal dev".
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
internal dev = hack your code for our specific use, to multiplex the listening UDP port.

I agree with you about the configuration, it is possible, but we are using "historical" private software, and it's difficult to deal with. It is not a WireGuard issue.

Regards,
Nicolas

2017-09-21 14:54 GMT+02:00 Jason A. Donenfeld:
> Perhaps I'm not understanding your last message, but it's most
> certainly possible to bind to a particular IP address with a service.
> It's also possible to bind to _all_ IP addresses, and then use
> iptables to control which source networks have access to a particular
> port. Finally, within a service, if you only allow input from wg0
> since allowed-ips gives strong cryptographic binding, you can
> explicitly filter on the IP addresses you get from recvfrom.
>
> I don't understand your meaning of "internal dev".
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
On Thu, Sep 21, 2017 at 3:14 PM, nicolas prochazka wrote:
> "historical" private software, and it's difficult to deal with.
> It is not a wireguard issue.

In that case, I'd recommend you bind your services to 0.0.0.0 and just use iptables to do net-based ACLs with the standard filter table.
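The single-interface design recommended in the replies above (allowed-ips as a cryptographic binding between key and inner source address, with subnet-keyed ACLs in the filter table), as an added example in Python that is not code from this thread or from the WireGuard project. It models cryptokey routing on one wg0 for two constructed customers and generates the matching iptables rules as strings rather than applying them; the customer names, the placeholder public keys, the 10.8.0.0/16 layout and the service port 8443 are assumptions made for the example.

```python
"""Added example, not code from the thread or from the WireGuard project.

Models the allowed-ips binding on a single wg0 and derives per-customer
iptables ACLs from the same table.  Customer names, public-key placeholders
and the 10.8.0.0/16 layout are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    customer: str
    pubkey: str            # placeholder, not a real WireGuard key
    allowed_ips: tuple     # prefixes this key may send from and receives traffic for


# Constructed example: each customer owns one /24, each peer one /32 inside it.
CUSTOMER_NETS = {"customer0": "10.8.0.0/24", "customer1": "10.8.1.0/24"}
PEERS = (
    Peer("customer0", "PUBKEY_C0_PEER1", ("10.8.0.2/32",)),
    Peer("customer0", "PUBKEY_C0_PEER2", ("10.8.0.3/32",)),
    Peer("customer1", "PUBKEY_C1_PEER1", ("10.8.1.2/32",)),
)


def build_table(peers):
    """Cryptokey routing table as (prefix, peer) pairs."""
    return [(ipaddress.ip_network(p), peer) for peer in peers for p in peer.allowed_ips]


def route_outgoing(table, dst):
    """Longest-prefix match: which peer's key encrypts a packet to dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, peer) for net, peer in table if dst in net]
    if not matches:
        return None                     # no peer owns dst: the packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def accept_incoming(table, peer, inner_src):
    """A packet that decrypted under `peer`'s key is delivered only if its
    inner source address lies in that peer's allowed-ips; otherwise dropped.
    This is what makes source-subnet firewall rules trustworthy on wg0."""
    inner_src = ipaddress.ip_address(inner_src)
    return any(inner_src in net and p.pubkey == peer.pubkey for net, p in table)


def config_problems(peers, customer_nets):
    """Checks worth running before `wg set`: a prefix outside the customer's
    range, or the same prefix claimed by two peers (the later one wins)."""
    problems, seen = [], {}
    for peer in peers:
        cnet = ipaddress.ip_network(customer_nets[peer.customer])
        for p in peer.allowed_ips:
            net = ipaddress.ip_network(p)
            if not net.subnet_of(cnet):
                problems.append(f"{peer.pubkey}: {p} outside {cnet}")
            if net in seen and seen[net] != peer.pubkey:
                problems.append(f"{p} claimed by {seen[net]} and {peer.pubkey}")
            seen[net] = peer.pubkey
    return problems


def iptables_rules(customer_nets, iface="wg0", service_port=8443):
    """Net-based ACLs in the standard filter table, keyed on inner source subnet.
    Services bind 0.0.0.0; customers are separated here, not per interface."""
    rules = []
    for customer, net in customer_nets.items():
        rules.append(f"iptables -A INPUT -i {iface} -s {net} -p tcp --dport {service_port} "
                     f"-m comment --comment {customer} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {iface} -o {iface} -s {net} -d {net} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {iface} -o {iface} -j DROP")   # no cross-customer traffic
    rules.append(f"iptables -A INPUT -i {iface} -j DROP")
    return rules


if __name__ == "__main__":
    table = build_table(PEERS)
    print(route_outgoing(table, "10.8.0.3").pubkey)
    print(accept_incoming(table, PEERS[2], "10.8.0.2"))   # customer1 spoofing customer0's address
    print("\n".join(iptables_rules(CUSTOMER_NETS)))
```

The spoofing call returns False: a packet decrypted under customer1's key but carrying a customer0 source address never reaches the filter table, so the `-s 10.8.0.0/24` ACCEPT rule can only be matched by customer0's keys. `config_problems` catches the two mistakes that silently break this separation, an allowed-ips prefix assigned outside the owning customer's range and the same prefix given to two peers.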
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
One last thing: what we also prefer with multiple interfaces is that the server public key is not shared between our customers. A customer only knows their own interface's public key, so when we remove a customer, the key is never used again.

Regards,
Nicolas

2017-09-21 15:24 GMT+02:00 Jason A. Donenfeld:
> On Thu, Sep 21, 2017 at 3:14 PM, nicolas prochazka
> wrote:
>> "historical" private software, and it's difficult to deal with.
>> It is not a wireguard issue.
>
> In that case, I'd recommend you bind your services to 0.0.0.0 and just
> use iptables to do net-based ACLs with the standard filter table.
Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces
There shouldn't be any massive issue with sharing your public key between customers. Just keep your private keys private.
2-factor auth options
Hello, all:

Is there any mechanism to add some kind of 2-factor authentication mechanism either via:

a. additional prompting for a HOTP/TOTP key sequence similar to how openvpn allows doing auth-user-pass in addition to certificate-based authentication
b. some way to use PGP Auth keys with wireguard so that keys stored on GnuPG-capable smartcards can be used for establishing a VPN connection.
c. (some other means)

Best,
-K
Failure building on CentOS-7.4
Hi, all:

I am getting the following error trying to build using the latest CentOS-7.4 kernel using the 20170907 snapshot:

[root@ossna17 ~]# uname -r
3.10.0-693.2.2.el7.x86_64
[root@ossna17 ~]# cat /var/lib/dkms/wireguard/0.0.20170907/build/make.log
DKMS make.log for wireguard-0.0.20170907 for kernel 3.10.0-693.2.2.el7.x86_64 (x86_64)
Thu Sep 21 19:37:51 UTC 2017
make: Entering directory `/usr/src/kernels/3.10.0-693.2.2.el7.x86_64'
  LD      /var/lib/dkms/wireguard/0.0.20170907/build/built-in.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/main.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/noise.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/device.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/peer.o
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
                    ^
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
                    ^
In file included from include/net/dsfield.h:11:0,
                 from include/net/ip_tunnels.h:10,
                 from /var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
                 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ was here
 bool ipv6_mod_enabled(void);
      ^
In file included from include/net/dsfield.h:11:0,
                 from include/net/ip_tunnels.h:10,
                 from /var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
                 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ was here
 bool ipv6_mod_enabled(void);
      ^
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
                    ^
In file included from include/net/dsfield.h:11:0,
                 from include/net/ip_tunnels.h:10,
                 from /var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
                 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ was here
 bool ipv6_mod_enabled(void);
      ^
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
                    ^
In file included from include/net/dsfield.h:11:0,
                 from include/net/ip_tunnels.h:10,
                 from /var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
                 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ was here
 bool ipv6_mod_enabled(void);
      ^
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/peer.o] Error 1
make[1]: *** Waiting for unfinished jobs
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/main.o] Error 1
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/device.o] Error 1
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/noise.o] Error 1
make: *** [_module_/var/lib/dkms/wireguard/0.0.20170907/build] Error 2
make: Leaving directory `/usr/src/kernels/3.10.0-693.2.2.el7.x86_64'

Best,
Konstantin
Re: 2-factor auth options
On Thu, 2017-09-21 at 15:21 -0400, Konstantin Ryabitsev wrote:
> Hello, all:
>
> Is there any mechanism to add some kind of 2-factor authentication
> mechanism either via:
>
> a. additional prompting for a HOTP/TOTP key sequence similar to how
> openvpn allows doing auth-user-pass in addition to certificate-based
> authentication

Remember things like Yubikeys can do [HT]OTP in hardware. Not as HID but actually generating the OTP on demand via PCSC.

> b. some way to use PGP Auth keys with wireguard so that keys stored on
> GnuPG-capable smartcards can be used for establishing a VPN connection.

PKCS#11 might be a better choice than PGP.

> c. (some other means)
Re: Failure building on CentOS-7.4
Hey Konstantin,

You are using an old snapshot. Try upgrading to 20170918, which brings CentOS 7.4 support.

Jason
Re: 2-factor auth options
Hi Konstantin,

The easiest way would be to add OTP to the part of your infra that does the key exchange. That is, if you have some kind of HTTPS REST-based API or an SSH-based API, you can have the server not accept a new public key until the OTP challenge is satisfied.

Alternatively, you could do OTP in-band, in order to authorize that public key for a certain window of time before inactivity. In this scheme, you'd disallow access to the network segment based on firewall rules until a certain in-band challenge is made -- perhaps by contacting a certain sandboxed server and answering an OTP challenge there.

(At some point it is planned for WireGuard to have an API for sending control messages directly to a public key, not via an IP address, which will provide another option for in-band challenges (in addition to dynamic configuration of IPs), but it's not immediately obvious that this actually simplifies things, which is why I haven't yet implemented the plan.)

What kind of infrastructure are you imagining? Is this for kernel.org?

Jason
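The first scheme in the reply above, gating the key exchange on an OTP so the server does not accept a new public key until the challenge is satisfied, as an added example in Python that is not code from this thread or from WireGuard itself. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) with a one-step drift window and replay protection, and only then produces the `wg set <iface> peer <key> allowed-ips <prefix>` command, returned as an argv list rather than executed. The `Enroller` class and its methods are this example's own names; the user name, the RFC 4226/6238 test secret, the all-zero public key and the address are constructed test values.

```python
"""Added example, not part of the thread or of WireGuard itself.

Enrollment check: a client's public key is not authorized until a TOTP
code verifies.  The `wg set` invocation is returned, not run, so the logic
can be exercised offline.  Secret, key and address are constructed values.
"""
import base64
import hashlib
import hmac
import ipaddress
import struct
import time

STEP = 30      # RFC 6238 time step in seconds
WINDOW = 1     # accept one step of clock drift either way


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(at) // STEP, digits)


def valid_pubkey(key: str) -> bool:
    """A WireGuard public key is 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


class Enroller:
    """Hypothetical server-side enrollment gate (name chosen for this example)."""

    def __init__(self, iface: str, secrets: dict):
        self.iface = iface
        self.secrets = secrets        # user -> TOTP secret (bytes)
        self.last_counter = {}        # user -> highest counter accepted (replay defence)

    def verify(self, user: str, code: str, now: float = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        counter = int(time.time() if now is None else now) // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                if c <= self.last_counter.get(user, -1):
                    return False      # replayed, or older than a code already accepted
                self.last_counter[user] = c
                return True
        return False

    def authorize(self, user: str, pubkey: str, allowed_ip: str, code: str, now: float = None):
        """Returns the `wg set` argv once the OTP passes, otherwise None."""
        if not valid_pubkey(pubkey):
            return None
        ipaddress.ip_network(allowed_ip)          # raises on malformed input
        if not self.verify(user, code, now):
            return None
        return ["wg", "set", self.iface, "peer", pubkey, "allowed-ips", allowed_ip]


if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 6238 test secret, not a real one
    enroller = Enroller("wg0", {"alice": secret})
    key = base64.b64encode(bytes(32)).decode()    # constructed all-zero key, not a real one
    print(enroller.authorize("alice", key, "10.8.0.2/32", totp(secret, 59), now=59))
```

The counter high-water mark per user is what makes this safe to expose: a code can be accepted once, and once a newer code has been used an older one inside the drift window is refused too. In a real deployment the accepted argv would be passed to `subprocess.run` on the WireGuard host, and the shared secrets would live in whatever store the HTTPS or SSH API already uses for user credentials.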
Re: WireGuard-p2p: A tool for NAT traversal
Hey Manuel,

Looks like you rewrote this project from python into rust. Cool! I'd be interested to learn what's new, what's changed, and what's up in general. I always thought this was a pretty neat idea.

Jason