Doridian / wsvpn

VPN over WebSocket and WebTransport
BSD 3-Clause "New" or "Revised" License

[FeatureRequest]Can add TUN mode IP spoof? #449

Closed Handsome1080P closed 5 months ago

Handsome1080P commented 5 months ago

Can you add IP spoofing in TUN mode? It's me again, I have deployed BGP to my mesh network. WSVPN only allows its own IP range to pass packets. Only TAP mode allows IP spoofing, can you add it to TUN mode?

Doridian commented 5 months ago

@Handsome1080P TUN is an IP point-to-point link. The only way WSVPN knows where packets are supposed to go is by client IP, so IP spoofing in TUN makes no sense.

If you set one-interface-per-connection to true WSVPN already performs no filtering on TUN (nor TAP), which is the only possible way IP spoofing could possibly work on TUN.

Handsome1080P commented 5 months ago

> @Handsome1080P TUN is an IP point-to-point link. The only way WSVPN knows where packets are supposed to go is by client IP, so IP spoofing in TUN makes no sense.
>
> If you set one-interface-per-connection to true WSVPN already performs no filtering on TUN (nor TAP), which is the only possible way IP spoofing could possibly work on TUN.

Wireguard is p2p too, but it can allow all packets to pass. WSVPN only allows its own range. I don't want my clients to use NAT.

Doridian commented 5 months ago

That is what one-interface-per-connection is for on the server. That allows all packets to pass and expects the server operator to do the filtering. If WSVPN uses one interface for all connections, it cannot know which client to pass packets to if clients can have multiple IPs.

Doridian commented 5 months ago

As for Wireguard, you have to explicitly specify subnets of each peer, you can't just "allow random IPs". WSVPN currently has no per-peer/per-client config, so this is not feasible.

Handsome1080P commented 5 months ago

> As for Wireguard, you have to explicitly specify subnets of each peer, you can't just "allow random IPs". WSVPN currently has no per-peer/per-client config, so this is not feasible.

For wg I only set one /30 and pass BGP routes. Yeah, random IPs. And there is no need for one connection per interface.

Doridian commented 5 months ago

@Handsome1080P In Wireguard you have to specify AllowedIPs for each client (aka peer) individually. WSVPN cannot do that currently at all. It treats all clients the same.

Handsome1080P commented 5 months ago

> @Handsome1080P In Wireguard you have to specify AllowedIPs for each client (aka peer) individually. WSVPN cannot do that currently at all. It treats all clients the same.

Yeah. This is what I wanted to ask. "allowall" means spoof.

Doridian commented 5 months ago

> @Handsome1080P In Wireguard you have to specify AllowedIPs for each client (aka peer) individually. WSVPN cannot do that currently at all. It treats all clients the same.

> Yeah. This is what I wanted to ask. "allowall"

Okay, but that requires one-interface-per-connection in WSVPN.

In Wireguard, you cannot have two clients with the same AllowedIPs either. And in WSVPN there is no client config, so if two clients were to connect, and you get a packet for an IP 1.2.3.4 into the Linux machine, how would WSVPN know where that packet should go? Client 1 or Client 2? That's the issue.
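The dispatch problem described above, as an added Go model that is not wsvpn's own code (the SharedTUN type, its methods and the 10.8.0.x sample addresses are constructed for illustration): with one TUN shared by all clients, both the inbound source check and the outbound destination lookup can only use the single address the server assigned, so a packet for 1.2.3.4 has no owner and a client sending from 1.2.3.4 cannot be matched back. one-interface-per-connection removes both steps and leaves routing and filtering to the operator.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Packet holds the two IP header fields that matter for this discussion.
type Packet struct{ Src, Dst netip.Addr }

// SharedTUN models a server that terminates every client on one TUN interface.
// Type and method names are illustrative, not WSVPN's own.
type SharedTUN struct {
	assigned map[string]netip.Addr // client id -> the one address the server handed out
}

func NewSharedTUN() *SharedTUN { return &SharedTUN{assigned: map[string]netip.Addr{}} }

func (s *SharedTUN) Assign(client string, a netip.Addr) { s.assigned[client] = a }

var (
	ErrSpoofed = errors.New("source is not the address assigned to this client")
	ErrNoOwner = errors.New("no client owns the destination address")
)

// Inbound: the assigned address is the only identity the server has for a client,
// so a packet carrying any other source could never be routed back and is dropped.
func (s *SharedTUN) Inbound(client string, p Packet) error {
	if s.assigned[client] != p.Src {
		return ErrSpoofed
	}
	return nil
}

// Outbound: a packet leaving the kernel on the shared TUN must go to exactly one
// client. Without per-client AllowedIPs, only assigned addresses can be resolved.
func (s *SharedTUN) Outbound(p Packet) (string, error) {
	for c, a := range s.assigned {
		if a == p.Dst {
			return c, nil
		}
	}
	return "", ErrNoOwner
}

func main() {
	s := NewSharedTUN()
	s.Assign("client1", netip.MustParseAddr("10.8.0.2")) // constructed sample addresses
	s.Assign("client2", netip.MustParseAddr("10.8.0.3"))
	_, err := s.Outbound(Packet{Src: netip.MustParseAddr("10.8.0.1"), Dst: netip.MustParseAddr("1.2.3.4")})
	fmt.Println("dispatch for 1.2.3.4:", err) // ErrNoOwner: client1 or client2?
	err = s.Inbound("client1", Packet{Src: netip.MustParseAddr("1.2.3.4"), Dst: netip.MustParseAddr("10.8.0.1")})
	fmt.Println("client1 sending from 1.2.3.4:", err) // ErrSpoofed
}
```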

Handsome1080P commented 5 months ago

> @Handsome1080P In Wireguard you have to specify AllowedIPs for each client (aka peer) individually. WSVPN cannot do that currently at all. It treats all clients the same.

> Yeah. This is what I wanted to ask. "allowall"

> Okay, but that requires one-interface-per-connection in WSVPN.
>
> In Wireguard, you cannot have two clients with the same AllowedIPs either. And in WSVPN there is no client config, so if two clients were to connect, and you get a packet for an IP 1.2.3.4 into the Linux machine, how would WSVPN know where that packet should go? Client 1 or Client 2? That's the issue.

You mean in wg a single interface's config file can't set multiple nodes with the same "allowip"? My current settings are "one connection one interface". I wanted to make it one config file with one interface. Now I know what is going on. Thx.

Handsome1080P commented 5 months ago

I will try wsvpn's "one connection one interface", maybe all my issues will be solved. By the way, can you add IPv6 support in the tunnel?

Doridian commented 5 months ago

If you use one-interface-per-connection, you should be good. WSVPN will not do any filtering at all whatsoever, just pass packets. Any IP or MAC address filtering is only applied if there is one interface for all connections.

Handsome1080P commented 5 months ago

> If you already use one-interface-per-connection, you should be good. WSVPN will not do any filtering at all whatsoever, just pass packets. Any IP or MAC address filtering is only applied if there is one interface for all connections.

Good. Thx. And as I asked, is there IPv6 support?

Doridian commented 5 months ago

WSVPN does not block/filter IPv6 on TUN either in that mode. If IPv6 does not work, I need to look at Wireguard and how that passes v6 through TUN.

Handsome1080P commented 5 months ago

> WSVPN does not block/filter IPv6 on TUN either in that mode. If IPv6 does not work, I need to look at Wireguard and how that passes v6 through TUN.

I mean, can wsvpn support handing out IPv6 addresses?

Doridian commented 5 months ago

@Handsome1080P No, WSVPN currently cannot hand out IPv6 addresses, you would have to manually add those to the interface in Linux.

Handsome1080P commented 5 months ago

> @Handsome1080P No, WSVPN currently cannot hand out IPv6 addresses, you would have to manually add those to the interface in Linux.

Ok, 🙏