[Discuss] Wireguard [Was Re: dovecot: "Disconnected (no auth attempts in 0 secs)"?]

Fri Dec 18 12:27:57 EST 2020

On 12/18/2020 12:07 PM, Dan Ritter wrote:
> Matthew Gillen wrote: 
>> On 12/18/2020 10:29 AM, Dan Ritter wrote:
>>> That's one of many possible ways to use it.
>>>
>>> Other uses:
>>>
>>> - point-to-point VPN tunnel
>>> - hub-and-spoke VPN with routing
>>> - site-to-site VPN with routing
>>> - full-mesh VPN (requires external tools to keep all the config
>>>   manageable)
>>>
>>>> However, I have yet to get it working the way I want.  Anyone played
>>>> with it?  ( https://www.wireguard.com/ ;
>>>> https://arstechnica.com/gadgets/2020/11/wireguard-for-windows-0-3-1-is-the-release-youve-been-waiting-for/
>>>> )
>>>
>>> Extensively, but not on Windows. I use it personally and at work
>>> on Linux and MacOS.
>>
>> Excellent!  Where I got stuck was the IP layer.  Suppose I want the
>> hub-and-spoke VPN with routing option from you list above, on the 'hub',
>> how do you configure the IP interfaces?  Can you bind it to an existing
>> "internal" interface?  Do you need separate interfaces for every peer?
> 
> Wireguard requires its own interfaces, traditionally named
> wg0... but they can have any name you desire.
> 
> One interface serves per routing policy, so you could have a few
> thousand machines accessible via wg0 if they were all going to
> be treated the same way, and then another few thousand on wg1
> because, say, you wanted to restrict access to them in a
> different way. We did this with one interface for remote laptops
> and a different interface for remote VMs (our usage there is
> limited by policy; they're mostly external monitoring systems.)
> 
>> Also very curious what you're using for "external tools", because right
>> away I saw that it might be manageable for a home network, but would be
>> a nightmare at scale.
> 
> It's actually less of a nightmare than, say, OpenVPN or IPsec,
> because the config to support each remote node is so limited in
> both complexity and size. Shell scripts will work.
> 
> [Peer]
> # laptop assigned to Michelle
> PublicKey = U9Gz3sTIZlB124Gp3yRPr5O/0KeLDUbUh6zKopbqeG4=
> AllowedIPs = 10.10.1.5/32
> 
> [Peer]
> # laptop assigned to Melvin
> PublicKey = FOojDLJ/tOfiZXCya6wBm5god5Fb2diT9/Nt98jmsgY=
> AllowedIPs = 10.10.1.6/32
> 
> That's all you need to set into a wg0.conf skeleton. Keep a very
> simple CSV with name, publickey, IP and always replace both
> private and pubkey when someone reports a machine missing or
> crashed or what-have-you.

Thanks Dan!  The AllowedIPs confused me.  So on the hub, you have the
config above, and the "AllowedIPs" is what the interface on the other
side is allowed to use for the remote IP (essentially the static IP that
the other side is configured with).  I think I misinterpreted it as
saying what the other side was allowed to access on my internal net.

That makes much more sense.  Thank you!

Matt