aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulien Dessaux2023-02-21 23:28:00 +0100
committerJulien Dessaux2023-02-21 23:28:00 +0100
commitc867116905d42360005cdc30f3ebfd5ce572ec07 (patch)
tree4ceb1e5689f0d7e8878a115354c17892fad34acb
parentadded wireguard on linux blog article (diff)
downloadwww-c867116905d42360005cdc30f3ebfd5ce572ec07.tar.gz
www-c867116905d42360005cdc30f3ebfd5ce572ec07.tar.bz2
www-c867116905d42360005cdc30f3ebfd5ce572ec07.zip
Added wireguard routing part one blog article
-rw-r--r--content/blog/miscellaneous/wireguard-routing.md92
-rw-r--r--static/static/wireguard-routing-1.drawio.svg4
2 files changed, 96 insertions, 0 deletions
diff --git a/content/blog/miscellaneous/wireguard-routing.md b/content/blog/miscellaneous/wireguard-routing.md
new file mode 100644
index 0000000..46343b7
--- /dev/null
+++ b/content/blog/miscellaneous/wireguard-routing.md
@@ -0,0 +1,92 @@
+---
+title: Wireguard routing part one
+description: The basics to know about wireguard routing
+date: 2023-02-21
+tage:
+- vpn
+- wireguard
+---
+
+## Introduction
+
+Now that we learned how to configure wireguard on multiple operating systems, let's take a break and review what running wireguard does to your routing table.
+
+## Wireguard routing basics
+
+The most important thing to understand is that you do not configure routes with wireguard: the `AllowedIPs` you configure for a peer become your routes!
+
+This has several consequences:
+- These routes are always in your routing table, even when the peer is unreachable.
+- If you accept traffic from a range of IPs through wireguard, all traffic towards this range will go through wireguard too.
+
+This is what you want most of the time, but it is cumbersome if you ever:
+- want to redirect all your internet traffic through wireguard.
+- would like to have redundancy to reach a distant host through more than one wireguard peer.
+- want to route all traffic destined to the internet.
+
+## The simplest setup
+
+Let's consider the two hosts and two networks in the following schematic:
+
+![Simplest setup](/static/wireguard-routing-1.drawio.svg)
+
+The first network is physical and connects the eth0 interfaces of the two hosts on `192.168.1.0/24`. The second network is virtual and virtually connects the wg0 wireguard interfaces of the two hosts on `10.1.2.0/24`.
+
+The first host is named Dalinar and has a single physical network interface eth0 with ip address `192.168.1.10/24`. We will configure wireguard with ip address `10.1.2.1/24`, wireguard private key `kIrQqJA1kEX56J9IbF8crSZOEZQLIAywjyoOqmjzjHU=` and public key `zfxxxWIMFYbEoX55mXO0gMuHk26iybehNR9tv3ZwJSg=`.
+
+The second host is named Kaladin and has a single physical network interface eth0 with ip address `192.168.1.20/24`. We will configure wireguard with ip address `10.1.2.2/24`, wireguard private key `SIg6cOoTyJRGIYSZ9ACRryL182yufKAtTLHK/Chb+lo=` and public key `BN89Ckhy4TEHjy37zz/Mvi6cOksnKzHHrnHXx5YkMlg=`.
+
+## Wireguard configurations
+
+Dalinar's wireguard configuration looks like:
+```cfg
+[Interface]
+PrivateKey = kIrQqJA1kEX56J9IbF8crSZOEZQLIAywjyoOqmjzjHU=
+ListenPort = 342
+Address = 10.1.2.1/32
+
+[Peer]
+PublicKey = BN89Ckhy4TEHjy37zz/Mvi6cOksnKzHHrnHXx5YkMlg=
+Endpoint = 192.168.1.20:342
+AllowedIPs = 10.1.2.2/32
+```
+
+Kaladin's wireguard configuration looks like:
+```cfg
+[Interface]
+PrivateKey = SIg6cOoTyJRGIYSZ9ACRryL182yufKAtTLHK/Chb+lo=
+ListenPort = 342
+Address = 10.1.2.2/32
+
+[Peer]
+PublicKey = zfxxxWIMFYbEoX55mXO0gMuHk26iybehNR9tv3ZwJSg=
+Endpoint = 192.168.1.10:342
+AllowedIPs = 10.1.2.1/32
+```
+
+## Important things to note
+
+Look carefully at the netmask in the `Address` and `AllowedIPs`: I did not use `/24` anywhere! I did this because:
+- wireguard does not need it.
+- it would become confusing with many peers.
+- we should try and keep the cleanest routing tables possible.
+
+I could have used a `/24` netmask for the `Address` field, this would work and look natural as this is how all networking devices usually work. I do not because I do not want the OS to have a `/24` route to the wg0 interface without a next hop, I will need it when we introduce a distant host to our configuration in the next article.
+
+I could have put one for the AllowedIPs though, but this would only work in this particular case. As soon as you add more than one peer the configuration would break.
+
+A key takeaway is this: Even though with other vpn solutions (or traditional networking) we are used to have hosts logically sharing a network like `10.1.2.0/24` in our case, this is absolutely not a wireguard requirement. We could have used `10.1.2.1` for Dalinar's wg0 and `172.16.0.1` for Kaladin's wg0 and besides changing these IPs the configuration would be exactly the same and work directly. Let that sink in!
+
+## Routing tables
+
+With this setup if Dalinar was a Linux, its routing table would looks like this with `ip -4 r`:
+```
+10.1.2.2 dev wg0 scope link
+192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 600
+```
+
+Kaladin's would look very similar:
+```
+10.1.2.1 dev wg0 scope link
+192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 600
+``` \ No newline at end of file
diff --git a/static/static/wireguard-routing-1.drawio.svg b/static/static/wireguard-routing-1.drawio.svg
new file mode 100644
index 0000000..51e8a19
--- /dev/null
+++ b/static/static/wireguard-routing-1.drawio.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="601px" height="102px" viewBox="-0.5 -0.5 601 102" content="&lt;mxfile host=&quot;app.diagrams.net&quot; modified=&quot;2023-02-21T22:00:41.196Z&quot; agent=&quot;5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36&quot; etag=&quot;0u7OUUASk5mmZVDRo_v3&quot; version=&quot;20.0.3&quot; type=&quot;device&quot;&gt;&lt;diagram id=&quot;-8aDvL2Yv33GjBWb1LGq&quot; name=&quot;Page-1&quot;&gt;3Vlbb9sgFP41eVxkG9/y2CS9TNukSpW29pHExEYlJiLktl8/iMEXcJa0dZu0shTB4YDhfB/nA6cHRvPtLYOL7BdNEOl5TrLtgXHP8yJnIH6lYVcY/MArDCnDSWFyK8MD/ouU0VHWFU7QsuHIKSUcL5rGKc1zNOUNG2SMbppuM0qab13AFFmGhykktvUPTnhWWOPAqex3CKeZfrPrqJYJnD6njK5y9b6eB9xYPkXzHOqxlP8ygwnd1EzgugdGjFJelObbESIytDpsRb+bA63lvBnK+SkdwPer6Pc6nrjzYDG6HaO7hF59U6OsIVmpeIwhwTlkas58p+O0XymSYzk9MNxkmKOHBZzK1o0ghrBlfE5EzRXFNWIcixhfEZzmwsapdCBwgsg9XWKOqbROxcwRq7n/NBwmlHM6Fw5QjVP2mGFCRpRQUR7nNBezGC45o89IGwUak4F8pDPNec0+HMhH2NXaxcvR9mBQ3RIqsQMQnSPOdsJFd9DoKvZ7QNU3FZfcUNmyGo9iZYOKvmk5dAWhKCgUX4CoZyH6AxKY4PxtiHaIXTs5LgXRILw0RIGFqAUlypMrmQur2NWga+KMtpg/qhZZfpL2fqBq423NbbzTlVys47FeqfWS1arbvqb7LTlk3JhYMXeUWFnZAEisj67YFP0nMKGSC8hSxI9tCRvwGqBBC57axhCBHK+b020DWb3hnmKxkJJPvt/kEwAGT4plql71/H1kIItwRRysgfacK5f9ehrGFg03qZa2VyaVS9nzbmyENrL3vN9CEe+9tvzg68Y6NBXz3LHWB9FPmF87zKX66H0slwbnzKWeuU/NFHhqLg1MEn5wLnXtc7c78PpuGPfdvpjKjed/Fg62abyRPq7D6MYHbQmnbNkfL4fljarmou5UnZI9OJHs4TnJDo5x9NOQ3b6S9DVSFb2FovAmp5ts0dSyZUxfMAia8ZbrRXkRaRPI5r4xeIvCaLZnZweyZ6EZ2LLntZDJPC12J3v2taJvC9/bUWHFWjqEpUwaHcASOJcGS2ArgyNEwTtdFhK4zPaxc9uQ0x+5vGNhjpyhD0BNTSoFeaoLyBE1qQTkqd52UE0MhYicSTGLj1WI+ESFGJz1OGSSN3qlQoTm1dIc6IBCCOLBXc1tIR2WL5hw4LxsXk1/UShm0K1cRR8jV90nxnLHdpAYrSuxf+7EaH9/eBe96vwU0SUq1oY4Nyq2WiGefZEvFdZt89xfKsIvHGzrkvJ+wRbV6l+3QjWqfzbB9T8=&lt;/diagram&gt;&lt;/mxfile&gt;" style="background-color: rgb(24, 24, 24);"><defs/><g><rect x="0" y="0" width="160" height="80" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 87px; margin-left: 1px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Dalinar</div></div></div></foreignObject><text x="80" y="99" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">Dalinar</text></switch></g><rect x="440" y="0" width="160" height="80" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 87px; margin-left: 441px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Kaladin</div></div></div></foreignObject><text x="520" y="99" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">Kaladin</text></switch></g><path d="M 440 50 L 440 40" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="60" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 61px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">wg0</div></div></div></foreignObject><text x="80" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">wg0</text></switch></g><rect x="500" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 501px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">wg0</div></div></div></foreignObject><text x="520" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">wg0</text></switch></g><path d="M 160 40 L 160 50" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 200 50 L 400 50" fill="none" stroke="#e67f43" stroke-miterlimit="10" pointer-events="stroke"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 50px; margin-left: 300px;"><div data-drawio-colors="color: #E67F43; background-color: #181818; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(230, 127, 67); line-height: 1.2; pointer-events: all; background-color: rgb(24, 24, 24); white-space: nowrap;">192.168.1.0/24</div></div></div></foreignObject><text x="300" y="53" fill="#E67F43" font-family="Helvetica" font-size="11px" text-anchor="middle">192.168.1....</text></switch></g><rect x="200" y="20" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-start; width: 18px; height: 1px; padding-top: 47px; margin-left: 202px;"><div data-drawio-colors="color: #e67f43; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(230, 127, 67); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.1</div></div></div></foreignObject><text x="202" y="47" fill="#e67f43" font-family="Helvetica" font-size="12px">.1</text></switch></g><rect x="380" y="20" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-end; width: 18px; height: 1px; padding-top: 47px; margin-left: 380px;"><div data-drawio-colors="color: #E67F43; " style="box-sizing: border-box; font-size: 0px; text-align: right;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(230, 127, 67); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.2</div></div></div></foreignObject><text x="398" y="47" fill="#E67F43" font-family="Helvetica" font-size="12px" text-anchor="end">.2</text></switch></g><path d="M 80 40 L 80 20 L 520 20 L 520 40" fill="none" stroke="#70b433" stroke-width="2" stroke-miterlimit="10" stroke-dasharray="6 6" pointer-events="stroke"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 20px; margin-left: 300px;"><div data-drawio-colors="color: #70B433; background-color: #181818; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(112, 180, 51); line-height: 1.2; pointer-events: all; background-color: rgb(24, 24, 24); white-space: nowrap;">10.1.2.0/24</div></div></div></foreignObject><text x="300" y="23" fill="#70B433" font-family="Helvetica" font-size="11px" text-anchor="middle">10.1.2.0/24</text></switch></g><rect x="60" y="10" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-end; width: 18px; height: 1px; padding-top: 37px; margin-left: 60px;"><div data-drawio-colors="color: #70B433; " style="box-sizing: border-box; font-size: 0px; text-align: right;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(112, 180, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.1</div></div></div></foreignObject><text x="78" y="37" fill="#70B433" font-family="Helvetica" font-size="12px" text-anchor="end">.1</text></switch></g><rect x="520" y="10" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-start; width: 18px; height: 1px; padding-top: 37px; margin-left: 522px;"><div data-drawio-colors="color: #70B433; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(112, 180, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.2</div></div></div></foreignObject><text x="522" y="37" fill="#70B433" font-family="Helvetica" font-size="12px">.2</text></switch></g><rect x="160" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 161px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">eth0</div></div></div></foreignObject><text x="180" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">eth0</text></switch></g><rect x="400" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 401px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">eth0</div></div></div></foreignObject><text x="420" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">eth0</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg> \ No newline at end of file