sandialabs / wiretap

Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

Simple connect without RELAY + E2EE? #11

Closed SkyperTHC closed 1 year ago

SkyperTHC commented 1 year ago

Hello,

thanks for your great work. I noticed that the API changed and now it requires two tunnels (Relay + E2EE).

Is there any way to use the new wiretap in a mode like it used to be? A single tunnel between Client <-> Server without Relay+E2EE?

(I'm operating wiretap in a setting where I can only supply a single private + public key on the client (through an RPC interface) and there is no way to add two private and two public keys to achieve an E2EE tunnel inside a Relay tunnel. The last working wiretap that supports simple P2P tunnels seems to be v0.2.1)

luker983 commented 1 year ago

Sorry for breaking your setup. There's no technical reason for requiring two interfaces if you're just going to do one hop; we just went in that direction because it was easier to implement one solution for single-hop and multi-hop.

For now you will have to keep using v0.2.1 if you can only configure one interface on the client, but we can consider adding support for a situation like this. What do you think about a flag like --simple that you could provide to the configure and serve commands that would work like the old version but without any of the multihop/client sharing features?

SkyperTHC commented 1 year ago

Thanks for your quick reply. Sounds good. An alternative is to do simple (original mode) when only WIRETAP_E2EE_* is supplied (and WIRETAP_RELAY_* is not supplied). e.g. don't insist on multihop.

My gut feeling is that most users need the simple E2EE only and multihop tunnels are the special case (--multihop?) that will be used by just a few.

Aptimex commented 1 year ago

Related: the e2ee interface should probably use the port specified by the configure command instead of assigning that to the relay interface. Currently the e2ee interface seems to get 51821 by default with no way to change it.

That way a client that doesn't need multihop can use just the e2ee interface in environments where the server can only reach out on limited ports. Though ideally you would also be able to specify the listening port for the relay interface too.

luker983 commented 1 year ago

@SkyperTHC Please check out #12 and let me know if this works for you. Just use --simple with the configure command.

SkyperTHC commented 1 year ago

@luker983 thanks for --simple. It works. I also had to add --ipv4-relay 192.168.0.1 --ipv6-relay fd::1 --allowed 192.168.0.1/28,fd::1/125 for v0.2 compatibility.