k4yt3x / wg-meshconf

WireGuard full mesh configuration generator.
GNU General Public License v3.0
952 stars 105 forks

wrong side for --allowedips #41

Open osevan opened 1 month ago

osevan commented 1 month ago
~/compile/wg-meshconf/wg-mesher/bin/wg-meshconf showpeers
┏━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Name    ┃ Address     ┃ ListenPort ┃ PrivateKey                                   ┃ PreUp                                             ┃ PostDown                                           ┃ AllowedIPs                ┃ Endpoint        ┃
┡━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ rack119 │ 10.1.0.1/16 │ 51820      │ mykey                                        │ sysctl -w net.ipv4.ip_forward=1; iptables -A      │ iptables -D FORWARD -i %i -j ACCEPT; iptables -D   │ 10.2.0.1/16,10.10.21.1/16 │ ip.119          │
│         │             │            │                                              │ FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o   │ FORWARD -o %i -j ACCEPT; iptables -t nat -D        │                           │                 │
│         │             │            │                                              │ %i -j ACCEPT; iptables -t nat -A POSTROUTING -o   │ POSTROUTING -o br0 -j MASQUERADE                   │                           │                 │
│         │             │            │                                              │ br0 -j MASQUERADE                                 │                                                    │                           │                 │
├─────────┼─────────────┼────────────┼──────────────────────────────────────────────┼───────────────────────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────────┼─────────────────┤
│ rack75  │ 10.2.0.1/16 │ 51820      │ mykey                                        │ None                                              │ None                                               │ None                      │ ip.75           │
└─────────┴─────────────┴────────────┴──────────────────────────────────────────────┴───────────────────────────────────────────────────┴────────────────────────────────────────────────────┴───────────────────────────┴─────────────────┘

~/compile/wg-meshconf master
❯ ~/compile/wg-meshconf/wg-mesher/bin/wg-meshconf updatepeer rack119 --allowedips 10.2.0.1/16 --allowedips 10.10.21.1/16
~/compile/wg-meshconf master
❯ ~/compile/wg-meshconf/wg-mesher/bin/wg-meshconf showpeers
~/compile/wg-meshconf master
❯

~/compile/wg-meshconf master
❯ cat output/rack119.conf 
[Interface]
# Name: rack119
Address = 10.1.0.1/16
PrivateKey = mykey
ListenPort = 51820
PreUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o br0 -j MASQUERADE

[Peer]
# Name: rack75
PublicKey = RJSVpbaPS8vLxKe0T6OiCoMxn1BhMrJZTmAlYnUXDns=
Endpoint = ip.75:51820
AllowedIPs = 10.2.0.1/16

~/compile/wg-meshconf master
❯ cat output/rack75.conf 
[Interface]
# Name: rack75
Address = 10.2.0.1/16
PrivateKey = mykey
ListenPort = 51820

[Peer]
# Name: rack119
PublicKey = Ya91nYpaVyrc3WnL3rIgoh51bGz4SY0EiUxhQqhmkks=
Endpoint = ip.119:51820
AllowedIPs = 10.1.0.1/16, 10.2.0.1/16, 10.10.21.1/16

You can see there are bugs in your command-line logic. You need to put this AllowedIPs line inside the rack119.conf file instead of in rack75.conf, because the command above that I ran is right...

Same for the addpeer command: both updatepeer and addpeer place allowedips in the wrong configs.

Thank you very much for wg-mesher.

It works great except for this issue with the --allowedips line landing in the wrong config.

Thanks and Best regards

Aquathing commented 2 weeks ago

I may be wrong, but this behaviour actually makes sense.

AllowedIPs is a client setting; it basically tells the host machine "whenever you have a request for IP X, route it through peer Y".

The tool is creating a mesh. When you add a peer, you are not saying "add a config file", you are saying "this is a peer for this mesh". When you add AllowedIPs you are not saying "add those AllowedIPs to this file", you are saying "this peer routes the following IPs, so each peer should forward those requests to it".

Another way of looking at it would be: wg-meshconf adds peer rack119 with IP 10.1.0.1/16, which owns and is capable of routing 10.1.0.1/16, 10.2.0.1/16 and 10.10.21.1/16, so each peer should send rack119 the requests for those IPs.
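As an added example (not wg-meshconf's own code), the small Python generator below implements the semantics Aquathing describes and reproduces the layout osevan saw: the AllowedIPs given for a peer describe what that peer routes, so they land in the [Peer] block for it inside every other member's config, never in its own. It also adds a check the thread does not have: in WireGuard an AllowedIPs entry is both the outbound route and the inbound source-address filter (cryptokey routing), and each IP can belong to exactly one peer per interface, so the generator reports advertised networks that overlap between peers. Keys and endpoints are placeholders that keep the redactions from the issue's table; the two peers are constructed to mirror that table, and the 10.2.0.1/16 given to rack119 is also rack75's own interface network, which the check flags.

```python
"""Minimal WireGuard full-mesh generator (added example, not wg-meshconf code).

A peer's AllowedIPs say what that peer ROUTES, so they are rendered into the
[Peer] block for it inside every other member's config.  Because WireGuard
also uses AllowedIPs as the inbound source filter (cryptokey routing), the
same list decides which source addresses a member will accept from that peer.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    address: str                 # interface address with prefix, e.g. "10.1.0.1/16"
    endpoint: str                # host or IP; port is appended from listen_port
    public_key: str              # placeholders here; real keys come from `wg genkey | wg pubkey`
    private_key: str
    listen_port: int = 51820
    allowed_ips: list = field(default_factory=list)   # extra networks this peer routes


def advertised_networks(peer):
    """Networks other members must send to `peer`: its own interface network
    plus any extra networks it was given.  Prefixes are normalised to network
    form, which is how the kernel stores them (10.2.0.1/16 -> 10.2.0.0/16)."""
    nets = [ipaddress.ip_interface(peer.address).network]
    nets += [ipaddress.ip_network(n, strict=False) for n in peer.allowed_ips]
    return [str(n) for n in nets]


def render_config(me, mesh):
    """Render `me`'s wg-quick config: [Interface] from `me`, one [Peer] per other member."""
    lines = ["[Interface]", f"# Name: {me.name}", f"Address = {me.address}",
             f"PrivateKey = {me.private_key}", f"ListenPort = {me.listen_port}"]
    for other in mesh:
        if other is me:
            continue
        lines += ["", "[Peer]", f"# Name: {other.name}",
                  f"PublicKey = {other.public_key}",
                  f"Endpoint = {other.endpoint}:{other.listen_port}",
                  # the OTHER peer's AllowedIPs go into MY config
                  f"AllowedIPs = {', '.join(advertised_networks(other))}"]
    return "\n".join(lines) + "\n"


def generate_mesh(mesh):
    """Map peer name -> config text for every member of the mesh."""
    return {p.name: render_config(p, mesh) for p in mesh}


def allowed_ips_conflicts(mesh):
    """Return (peer_a, net_a, peer_b, net_b) for every overlapping pair.

    WireGuard's cryptokey routing table maps each IP to exactly ONE peer per
    interface.  When two [Peer] blocks in the same config overlap, the block
    listed later silently takes the range, so some member ends up routing to,
    and accepting traffic from, the wrong peer.
    """
    conflicts = []
    for i, a in enumerate(mesh):
        for b in mesh[i + 1:]:
            for na in advertised_networks(a):
                for nb in advertised_networks(b):
                    if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                        conflicts.append((a.name, na, b.name, nb))
    return conflicts


# Constructed sample mirroring the issue's two nodes (keys/endpoints are placeholders).
RACK119 = Peer("rack119", "10.1.0.1/16", "ip.119", "PUB119", "PRIV119",
               allowed_ips=["10.2.0.1/16", "10.10.21.1/16"])
RACK75 = Peer("rack75", "10.2.0.1/16", "ip.75", "PUB75", "PRIV75")
MESH = [RACK119, RACK75]


if __name__ == "__main__":
    for name, text in generate_mesh(MESH).items():
        print(f"----- {name}.conf -----")
        print(text)
    for a, na, b, nb in allowed_ips_conflicts(MESH):
        print(f"WARNING: {a} advertises {na}, which overlaps {b}'s {nb}")
```

With the issue's two nodes the overlap only becomes visible once a third member joins: its config would carry 10.2.0.0/16 in both [Peer] blocks and wg would hand the range to whichever block comes last, with no warning. The generator writes prefixes in network form (10.2.0.0/16 rather than 10.2.0.1/16) because that is how the kernel stores them; `wg show` prints them that way whatever the config file says.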