Option to submit a peer on setup? (Like: ip a a $host peer $mypeer dev wg0)

[RipperFox]

Like many others I'd like to use a routing daemon and have multiple interfaces with the options "allowed-ips 0.0.0.0/0"" and "route-allowed-ips false" set. Works fine (and blazingly fast :) but it would be convinient to be able to specify a peer in the address configuration, so it's no longer neccesary to add a host route manually just for the endpoint's internal IP.

Btw: The wg-quick script in the non-vyatta installation is also unable to save interface definitions when a peer is specified: the generated config is unusable :(

[tssva]

I'm a little confused as to what exactly you are asking for. Mostly because I'm not sure what you mean when you say "endpoint's internal IP". Do you mean the IP address assigned to the wireguard interface on the endpoint?

[RipperFox]

Sorry for beeing unclear. I meant it's not possible to set the interface's peer address (and thus POINTOPOINT mode)

Edit: OSPF seems to fail on EdgeOS when the interface configured without a peer, even with a manual route to peer address and " set interfaces wireguard wg0 ip ospf network point-to-point" added..

[tssva]

Edit: OSPF seems to fail on EdgeOS when the interface configured without a peer, even with a manual route to peer address and " set interfaces wireguard wg0 ip ospf network point-to-point" added..

Too many uses of the word peer. Peer has a specific meaning when dealing with wireguard and using the term "peer" in other context within this discussion is confusing. This is what I think you are saying.

• On Router A you have a wireguard interface configured with an ip address
• You have a wireguard peer configured with allowed-ips set to 0.0.0.0/0 pointing to an endpoint on Router B
• On Router B you have an interface configured similarly pointing to Router A as the endpoint
• You have connectivity between the two over the wireguard interfaces. For instance you can ping the address on the wireguard interfaces on the other router.
• Currently you have to set a route to get this connectivity. You hope to not have to do this in the future. If using /32 addressing switch to /31 or /30 addressing to avoid the need to do this.
• You have issued set interfaces wireguard wg0 ip ospf network point-to-point on both routers but OSPF is not working. Wireguard doesn't support broadcast or multicast. OSPF point-to-point uses multicast. You need to set protocols ospf neighbor x.x.x.x on each router which should make OSPF use unicast for communication to the neighbor.

[RipperFox]

Sorry again. Have a look at the command in the title- "ip a a $host peer $mypeer dev wg0" That's the usage of 'peer' I meant in this matter. If I specify this command after deleting the ip set by the configuration, OSPF works as expected (actually wireguard then has no problem transporting multicast over the POINTOPOINT link, as 'allowed-ips 0.0.0.0/0' allows, seen in tcpdump)

I'm going to try /31 adresses - will report back if this works.

Edit: Ok, OSPF works now, too. Thanks very much for your help :)

A little irritating: Now there's a this route inserted, even with "route-allowed-ips false" set: 0.0.0.0/31 dev wg0 proto kernel scope link

[sslupsky]

Hi @RipperFox, regarding the mysterious route, see issue #7

[mbilker]

Wireguard does support multicast if you allow multicast IPs in allowed-ips.

EDIT: I looked this up more. Wireguard does not support Ethernet multicast as Wireguard operates at L3, but this does not exclude IP multicast in the 224.0.0.0/4 and equivalent IPv6 address range. You can route multicast packets this way if your allowed-ips permits multicast addresses.