masipcat / wireguard-go-docker

Wireguard docker image
https://hub.docker.com/r/masipcat/wireguard-go
GNU General Public License v3.0

Clients that are NATed #1

Closed joeblew99 closed 4 years ago

joeblew99 commented 4 years ago

Wondering if NATed clients can use this to find each other's IP addresses?

I have a situation where I need to connect users that are all on mobiles and desktops and so are NATed.

masipcat commented 4 years ago

You can use wireguard (or any vpn) to connect all devices that are behind a NAT in the same (virtual) network (as long as the VPN server is accessible from the internet by all peers).

Wondering if NATed clients can use this to find each other's IP addresses?

I'm not sure what you mean... In the case of wireguard, you'll assign a private static IP (10.x.x.x) to each peer. Your wg0.conf on your server would be something like:

[Interface]
Address = 10.33.0.1/24
ListenPort = 51820
PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -t nat -A POSTROUTING -s 10.33.0.0/24 -o eth0 -j MASQUERADE
# Must repeat the PostUp match spec exactly, otherwise iptables -D will not find the rule
PostDown = iptables -t nat -D POSTROUTING -s 10.33.0.0/24 -o eth0 -j MASQUERADE

# Desktop 1
[Peer]
PublicKey = ...
AllowedIPs = 10.33.0.2/32

# Desktop 2
[Peer]
PublicKey = ...
AllowedIPs = 10.33.0.3/32

# Mobile 1
[Peer]
PublicKey = ...
AllowedIPs = 10.33.0.4/32

I hope I've answered your question!
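A small checker for a server wg0.conf like the one above, added here as an example; it is not code from the project or from anyone in this thread. It parses the [Interface] and [Peer] sections, flags two peers whose AllowedIPs overlap (each peer has to own its own address), and flags a PostDown whose iptables -D command does not match the -A command from PostUp token for token, because iptables -D only removes a rule with an identical match spec. The sample config is constructed and the keys are placeholders.

```python
import ipaddress
import shlex

# Constructed sample modelled on the wg0.conf above (placeholder keys), with two deliberate defects.
SAMPLE_CONF = """\
[Interface]
Address = 10.33.0.1/24
PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -t nat -A POSTROUTING -s 10.33.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = PLACEHOLDER_KEY_1
AllowedIPs = 10.33.0.2/32
# Desktop 2 (copy-pasted from Desktop 1, AllowedIPs never changed)
[Peer]
PublicKey = PLACEHOLDER_KEY_2
AllowedIPs = 10.33.0.2/32
"""

def parse_conf(text):
    # Split an INI-style wg conf into (interface_dict, [peer_dict, ...]).
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line in ("[Interface]", "[Peer]"):
            current = interface if line == "[Interface]" else {}
            if line == "[Peer]":
                peers.append(current)
        elif line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def iptables_rules(value, add_flag):
    # Every iptables command in a PostUp/PostDown value, rewritten to its -D form.
    cmds = [shlex.split(c) for c in value.split("&&")]
    return {" ".join("-D" if t == add_flag else t for t in c) for c in cmds if c and c[0] == "iptables"}

def check_conf(text):
    # Returns a list of problems; an empty list means the config passed.
    iface, peers = parse_conf(text)
    problems, seen = [], []
    for n, peer in enumerate(peers, 1):
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if any(net.overlaps(other) for other in seen):  # two peers must never share an address
                problems.append(f"peer {n}: {net} overlaps an earlier peer's AllowedIPs")
            seen.append(net)
    # iptables -D only deletes a rule whose match spec is identical to the -A one, so every PostUp rule needs a twin in PostDown.
    missing = iptables_rules(iface.get("PostUp", ""), "-A") - iptables_rules(iface.get("PostDown", ""), "-D")
    problems += [f"PostDown lacks a matching delete for: {r}" for r in sorted(missing)]
    return problems
```

Running check_conf on the sample reports both defects; fixing the second peer's address and adding `-s 10.33.0.0/24` to the PostDown rule makes it return an empty list.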

joeblew99 commented 4 years ago

Thanks for the answer.

I think it looks like it will work from the example you have.

Just to be sure here's a use case.

5 sites. None have a public static IP and all are behind symmetric routers, so NAT punch-through using WebRTC etc. won't work without using a full proxy relay, hence defeating the purpose.

The cloud proxy knows all users in each site's user auth key.

Site A, user 1 wants to connect with site B, user 2 and so initiates a call to that user via the cloud proxy.

The cloud proxy probably does an auth check and lets the two communicate, doing whatever wireguard goes for session initiation.

The data between the users is encrypted such that the cloud proxy cannot eavesdrop!

This is for a secure messaging system, btw. If any user is not online, then when they do come online each party is told, so that messages will then be forwarded.

For wake-up on a mobile we will probably use standard Girish from appleboy. It's written in golang

Thanks ..

On Thu, 12 Sep 2019, 12:23 Jordi Masip, notifications@github.com wrote:


masipcat commented 4 years ago

I think this would work, but if you only need the VPN to make WebRTC work, maybe using a 'WebRTC hub' like https://jitsi.org/jitsi-videobridge/ would do it better.