diff options
author | Julien Dessaux | 2023-02-21 23:28:00 +0100 |
---|---|---|
committer | Julien Dessaux | 2023-02-21 23:28:00 +0100 |
commit | c867116905d42360005cdc30f3ebfd5ce572ec07 (patch) | |
tree | 4ceb1e5689f0d7e8878a115354c17892fad34acb | |
parent | added wireguard on linux blog article (diff) | |
download | www-c867116905d42360005cdc30f3ebfd5ce572ec07.tar.gz www-c867116905d42360005cdc30f3ebfd5ce572ec07.tar.bz2 www-c867116905d42360005cdc30f3ebfd5ce572ec07.zip |
Added wireguard routing part one blog article
Diffstat (limited to '')
-rw-r--r-- | content/blog/miscellaneous/wireguard-routing.md | 92 | ||||
-rw-r--r-- | static/static/wireguard-routing-1.drawio.svg | 4 |
2 files changed, 96 insertions, 0 deletions
diff --git a/content/blog/miscellaneous/wireguard-routing.md b/content/blog/miscellaneous/wireguard-routing.md new file mode 100644 index 0000000..46343b7 --- /dev/null +++ b/content/blog/miscellaneous/wireguard-routing.md @@ -0,0 +1,92 @@ +--- +title: Wireguard routing part one +description: The basics to know about wireguard routing +date: 2023-02-21 +tage: +- vpn +- wireguard +--- + +## Introduction + +Now that we learned how to configure wireguard on multiple operating systems, let's take a break and review what running wireguard does to your routing table. + +## Wireguard routing basics + +The most important thing to understand is that you do not configure routes with wireguard: the `AllowedIPs` you configure for a peer become your routes! + +This has several consequences: +- These routes are always in your routing table, even when the peer is unreachable. +- If you accept traffic from a range of IPs through wireguard, all traffic towards this range will go through wireguard too. + +This is what you want most of the time, but it is cumbersome if you ever: +- want to redirect all your internet traffic through wireguard. +- would like to have redundancy to reach a distant host through more than one wireguard peer. +- want to route all traffic destined to the internet. + +## The simplest setup + +Let's consider the two hosts and two networks in the following schematic: + +![Simplest setup](/static/wireguard-routing-1.drawio.svg) + +The first network is physical and connects the eth0 interfaces of the two hosts on `192.168.1.0/24`. The second network is virtual and virtually connects the wg0 wireguard interfaces of the two hosts on `10.1.2.0/24`. + +The first host is named Dalinar and has a single physical network interface eth0 with ip address `192.168.1.10/24`. We will configure wireguard with ip address `10.1.2.1/24`, wireguard private key `kIrQqJA1kEX56J9IbF8crSZOEZQLIAywjyoOqmjzjHU=` and public key `zfxxxWIMFYbEoX55mXO0gMuHk26iybehNR9tv3ZwJSg=`. + +The second host is named Kaladin and has a single physical network interface eth0 with ip address `192.168.1.20/24`. We will configure wireguard with ip address `10.1.2.2/24`, wireguard private key `SIg6cOoTyJRGIYSZ9ACRryL182yufKAtTLHK/Chb+lo=` and public key `BN89Ckhy4TEHjy37zz/Mvi6cOksnKzHHrnHXx5YkMlg=`. + +## Wireguard configurations + +Dalinar's wireguard configuration looks like: +```cfg +[Interface] +PrivateKey = kIrQqJA1kEX56J9IbF8crSZOEZQLIAywjyoOqmjzjHU= +ListenPort = 342 +Address = 10.1.2.1/32 + +[Peer] +PublicKey = BN89Ckhy4TEHjy37zz/Mvi6cOksnKzHHrnHXx5YkMlg= +Endpoint = 192.168.1.20:342 +AllowedIPs = 10.1.2.2/32 +``` + +Kaladin's wireguard configuration looks like: +```cfg +[Interface] +PrivateKey = SIg6cOoTyJRGIYSZ9ACRryL182yufKAtTLHK/Chb+lo= +ListenPort = 342 +Address = 10.1.2.2/32 + +[Peer] +PublicKey = zfxxxWIMFYbEoX55mXO0gMuHk26iybehNR9tv3ZwJSg= +Endpoint = 192.168.1.10:342 +AllowedIPs = 10.1.2.1/32 +``` + +## Important things to note + +Look carefully at the netmask in the `Address` and `AllowedIPs`: I did not use `/24` anywhere! I did this because: +- wireguard does not need it. +- it would become confusing with many peers. +- we should try and keep the cleanest routing tables possible. + +I could have used a `/24` netmask for the `Address` field, this would work and look natural as this is how all networking devices usually work. I do not because I do not want the OS to have a `/24` route to the wg0 interface without a next hop, I will need it when we introduce a distant host to our configuration in the next article. + +I could have put one for the AllowedIPs though, but this would only work in this particular case. As soon as you add more than one peer the configuration would break. + +A key takeaway is this: Even though with other vpn solutions (or traditional networking) we are used to have hosts logically sharing a network like `10.1.2.0/24` in our case, this is absolutely not a wireguard requirement. We could have used `10.1.2.1` for Dalinar's wg0 and `172.16.0.1` for Kaladin's wg0 and besides changing these IPs the configuration would be exactly the same and work directly. Let that sink in! + +## Routing tables + +With this setup if Dalinar was a Linux, its routing table would looks like this with `ip -4 r`: +``` +10.1.2.2 dev wg0 scope link +192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 600 +``` + +Kaladin's would look very similar: +``` +10.1.2.1 dev wg0 scope link +192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 600 +```
\ No newline at end of file diff --git a/static/static/wireguard-routing-1.drawio.svg b/static/static/wireguard-routing-1.drawio.svg new file mode 100644 index 0000000..51e8a19 --- /dev/null +++ b/static/static/wireguard-routing-1.drawio.svg @@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Do not edit this file with editors other than diagrams.net --> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="601px" height="102px" viewBox="-0.5 -0.5 601 102" content="<mxfile host="app.diagrams.net" modified="2023-02-21T22:00:41.196Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36" etag="0u7OUUASk5mmZVDRo_v3" version="20.0.3" type="device"><diagram id="-8aDvL2Yv33GjBWb1LGq" name="Page-1">3Vlbb9sgFP41eVxkG9/y2CS9TNukSpW29pHExEYlJiLktl8/iMEXcJa0dZu0shTB4YDhfB/nA6cHRvPtLYOL7BdNEOl5TrLtgXHP8yJnIH6lYVcY/MArDCnDSWFyK8MD/ouU0VHWFU7QsuHIKSUcL5rGKc1zNOUNG2SMbppuM0qab13AFFmGhykktvUPTnhWWOPAqex3CKeZfrPrqJYJnD6njK5y9b6eB9xYPkXzHOqxlP8ygwnd1EzgugdGjFJelObbESIytDpsRb+bA63lvBnK+SkdwPer6Pc6nrjzYDG6HaO7hF59U6OsIVmpeIwhwTlkas58p+O0XymSYzk9MNxkmKOHBZzK1o0ghrBlfE5EzRXFNWIcixhfEZzmwsapdCBwgsg9XWKOqbROxcwRq7n/NBwmlHM6Fw5QjVP2mGFCRpRQUR7nNBezGC45o89IGwUak4F8pDPNec0+HMhH2NXaxcvR9mBQ3RIqsQMQnSPOdsJFd9DoKvZ7QNU3FZfcUNmyGo9iZYOKvmk5dAWhKCgUX4CoZyH6AxKY4PxtiHaIXTs5LgXRILw0RIGFqAUlypMrmQur2NWga+KMtpg/qhZZfpL2fqBq423NbbzTlVys47FeqfWS1arbvqb7LTlk3JhYMXeUWFnZAEisj67YFP0nMKGSC8hSxI9tCRvwGqBBC57axhCBHK+b020DWb3hnmKxkJJPvt/kEwAGT4plql71/H1kIItwRRysgfacK5f9ehrGFg03qZa2VyaVS9nzbmyENrL3vN9CEe+9tvzg68Y6NBXz3LHWB9FPmF87zKX66H0slwbnzKWeuU/NFHhqLg1MEn5wLnXtc7c78PpuGPfdvpjKjed/Fg62abyRPq7D6MYHbQmnbNkfL4fljarmou5UnZI9OJHs4TnJDo5x9NOQ3b6S9DVSFb2FovAmp5ts0dSyZUxfMAia8ZbrRXkRaRPI5r4xeIvCaLZnZweyZ6EZ2LLntZDJPC12J3v2taJvC9/bUWHFWjqEpUwaHcASOJcGS2ArgyNEwTtdFhK4zPaxc9uQ0x+5vGNhjpyhD0BNTSoFeaoLyBE1qQTkqd52UE0MhYicSTGLj1WI+ESFGJz1OGSSN3qlQoTm1dIc6IBCCOLBXc1tIR2WL5hw4LxsXk1/UShm0K1cRR8jV90nxnLHdpAYrSuxf+7EaH9/eBe96vwU0SUq1oY4Nyq2WiGefZEvFdZt89xfKsIvHGzrkvJ+wRbV6l+3QjWqfzbB9T8=</diagram></mxfile>" style="background-color: rgb(24, 24, 24);"><defs/><g><rect x="0" y="0" width="160" height="80" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 87px; margin-left: 1px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Dalinar</div></div></div></foreignObject><text x="80" y="99" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">Dalinar</text></switch></g><rect x="440" y="0" width="160" height="80" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 87px; margin-left: 441px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">Kaladin</div></div></div></foreignObject><text x="520" y="99" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">Kaladin</text></switch></g><path d="M 440 50 L 440 40" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><rect x="60" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 61px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">wg0</div></div></div></foreignObject><text x="80" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">wg0</text></switch></g><rect x="500" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 501px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">wg0</div></div></div></foreignObject><text x="520" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">wg0</text></switch></g><path d="M 160 40 L 160 50" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 200 50 L 400 50" fill="none" stroke="#e67f43" stroke-miterlimit="10" pointer-events="stroke"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 50px; margin-left: 300px;"><div data-drawio-colors="color: #E67F43; background-color: #181818; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(230, 127, 67); line-height: 1.2; pointer-events: all; background-color: rgb(24, 24, 24); white-space: nowrap;">192.168.1.0/24</div></div></div></foreignObject><text x="300" y="53" fill="#E67F43" font-family="Helvetica" font-size="11px" text-anchor="middle">192.168.1....</text></switch></g><rect x="200" y="20" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-start; width: 18px; height: 1px; padding-top: 47px; margin-left: 202px;"><div data-drawio-colors="color: #e67f43; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(230, 127, 67); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.1</div></div></div></foreignObject><text x="202" y="47" fill="#e67f43" font-family="Helvetica" font-size="12px">.1</text></switch></g><rect x="380" y="20" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-end; width: 18px; height: 1px; padding-top: 47px; margin-left: 380px;"><div data-drawio-colors="color: #E67F43; " style="box-sizing: border-box; font-size: 0px; text-align: right;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(230, 127, 67); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.2</div></div></div></foreignObject><text x="398" y="47" fill="#E67F43" font-family="Helvetica" font-size="12px" text-anchor="end">.2</text></switch></g><path d="M 80 40 L 80 20 L 520 20 L 520 40" fill="none" stroke="#70b433" stroke-width="2" stroke-miterlimit="10" stroke-dasharray="6 6" pointer-events="stroke"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 20px; margin-left: 300px;"><div data-drawio-colors="color: #70B433; background-color: #181818; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(112, 180, 51); line-height: 1.2; pointer-events: all; background-color: rgb(24, 24, 24); white-space: nowrap;">10.1.2.0/24</div></div></div></foreignObject><text x="300" y="23" fill="#70B433" font-family="Helvetica" font-size="11px" text-anchor="middle">10.1.2.0/24</text></switch></g><rect x="60" y="10" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-end; width: 18px; height: 1px; padding-top: 37px; margin-left: 60px;"><div data-drawio-colors="color: #70B433; " style="box-sizing: border-box; font-size: 0px; text-align: right;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(112, 180, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.1</div></div></div></foreignObject><text x="78" y="37" fill="#70B433" font-family="Helvetica" font-size="12px" text-anchor="end">.1</text></switch></g><rect x="520" y="10" width="20" height="30" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-start; width: 18px; height: 1px; padding-top: 37px; margin-left: 522px;"><div data-drawio-colors="color: #70B433; " style="box-sizing: border-box; font-size: 0px; text-align: left;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(112, 180, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">.2</div></div></div></foreignObject><text x="522" y="37" fill="#70B433" font-family="Helvetica" font-size="12px">.2</text></switch></g><rect x="160" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 161px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">eth0</div></div></div></foreignObject><text x="180" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">eth0</text></switch></g><rect x="400" y="40" width="40" height="20" fill="none" stroke="#b9b9b9" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 50px; margin-left: 401px;"><div data-drawio-colors="color: #B9B9B9; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(185, 185, 185); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">eth0</div></div></div></foreignObject><text x="420" y="54" fill="#B9B9B9" font-family="Helvetica" font-size="12px" text-anchor="middle">eth0</text></switch></g></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file |