Include directive to support "conf.d/*" and the like

2018-03-16 Thread Roman Mamedov
Hello, I would like to be able to split the [Interface] and [Peer] parts of the config file into separate files. The reason is that currently I manage configurations of my various hosts at a central location, then push out common configs to all hosts. This becomes problematic with current WireGua

Re: Include directive to support "conf.d/*" and the like

2018-03-16 Thread Kalin KOZHUHAROV
On Fri, Mar 16, 2018 at 9:02 AM, Roman Mamedov wrote: > I would like to be able to split the [Interface] and [Peer] parts of the > config > file into separate files. The reason is that currently I manage configurations > of my various hosts at a central location, then push out common configs to a

Mixed MTU hosts on a network

2018-03-16 Thread Roman Mamedov
Hello, I have a host which is on PPPoE and has 1492 as underlying MTU. When WireGuard starts by default, it sets MTU of its interface to 1420. All TCP connections trying to send a stream of data over the WG interface to that host, hang up (I test with iperf3). My first idea was to override the M

Re: Mixed MTU hosts on a network

2018-03-16 Thread Matthias Ordner
Hi Roman, When WireGuard starts by default, it sets MTU of its interface to 1420. All TCP connections trying to send a stream of data over the WG interface to that host, hang up (I test with iperf3). If you only care about TCP connections you could set a different TCP-MSS with an iptables rul

Re: Mixed MTU hosts on a network

2018-03-16 Thread Kalin KOZHUHAROV
On Fri, Mar 16, 2018 at 10:25 AM, Roman Mamedov wrote: > Hello, > > I have a host which is on PPPoE and has 1492 as underlying MTU. > > When WireGuard starts by default, it sets MTU of its interface to 1420. All > TCP connections trying to send a stream of data over the WG interface to that > host

Re: Mixed MTU hosts on a network

2018-03-16 Thread Roman Mamedov
On Fri, 16 Mar 2018 10:35:18 +0100 Matthias Ordner wrote: > If you only care about TCP connections you could set a different TCP-MSS > with an iptables rule. On Fri, 16 Mar 2018 11:01:51 +0100 Kalin KOZHUHAROV wrote: > You may need to pre-shape the packets for the "offenders", e.g. > > ip6ta

Re: Allowed IPs Toggling

2018-03-16 Thread Gianluca Gabrielli
Thanks very much to everybody, like always professional and straight to the point! One of the best ml ever :) Cheers, Gianluca

Re: Include directive to support "conf.d/*" and the like

2018-03-16 Thread Daniel Kahn Gillmor
On Fri 2018-03-16 13:02:22 +0500, Roman Mamedov wrote: > While it would be nice if WireGuard had a "hosts/" directory like Tinc uses > (basically storing its equivalents of WG's [Peer] sections each in a separate > file), I feel the most flexible way to support such scenarios would be to have > a g

Re: Mixed MTU hosts on a network

2018-03-16 Thread Roman Mamedov
On Fri, 16 Mar 2018 15:53:43 +0500 Roman Mamedov wrote: > But guess what, turns out that didn't work either. Tried both OUTPUT and > POSTROUTING chains on the "mangle" table, and set-mss all the way down to > 1220, no matter what, the iperf3 output looked the same as before. Actually the iptable

Reconciling "cryptokey-based" and regular routing

2018-03-16 Thread Roman Mamedov
Hello, I need to have multiple gateways on my WG network that can provide access to the entire IPv4 (or IPv6) Internet, for redundancy and load-balancing purposes. In WG terms this means I need to set AllowedIPs to 0.0.0.0/0 on more than one peer. Then I would add routes into the regular routing

Re: Reconciling "cryptokey-based" and regular routing

2018-03-16 Thread Tim Sedlmeyer
You need to create multiple wireguard interfaces and assign a single peer to each. On Fri, Mar 16, 2018 at 1:01 PM, Roman Mamedov wrote: > Hello, > > I need to have multiple gateways on my WG network that can provide access to > the entire IPv4 (or IPv6) Internet, for redundancy and load-balancin

Re: Reconciling "cryptokey-based" and regular routing

2018-03-16 Thread Aaron Jones
On 16/03/18 17:01, Roman Mamedov wrote: > Hello, > > I need to have multiple gateways on my WG network that can provide > access to the entire IPv4 (or IPv6) Internet, for redundancy and > load-balancing purposes. > > In WG terms this means I need