> On 10 Aug 2024, at 18:18, 04-psyche.tot...@icloud.com wrote:
>
> Hi all,
>
> I am working on a wireguard network.
>
> I have a setup like this:
>
> serverA (10.0.0.0) => serverB (10.0.0.1) => serverC (10.0.0.2)
>
> - serverA connects to serverB with AllowedIPs = 0.0.0.0/0
> - serverB connects to serverC with AllowedIPs = 0.0.0.0/0
>
> I cannot access serverC directly from serverA (it does not have a public
> facing IP), so I go via serverB.
>
> I therefore need to set up routing on serverB.
>
> If I set my default gateway to serverC:
> `route change default 10.0.0.2`
>
> Then I cannot connect from serverA, because packets from serverA are never
> returned to serverA.
>
> So I need to also add a route like this:
>
> `route add serverA_public_ip serverB_local_gateway`
>
> However, this is problematic with IP roaming (in other words, I don't have a
> good solution to dynamically know serverA's endpoint).
>
> A solution would be to run a crontab every few minutes, parse the output of
> `wg show wg0 endpoints` and programmatically add the route for the current
> endpoint.
>
> This solution feels atrocious though.
>
> The wireguard website proposes a solution with fwmark:
> https://www.wireguard.com/netns/#improved-rule-based-routing
>
> However, this is Linux based, and I am not sure this is the optimal solution
> for an OpenBSD system.
>
> So I have a few questions:
>
> - I am currently using /etc/hostname.wg0 and routing table. Should I use
> wg0-quick instead? Does wg0-quick take care automatically of routing in the
> case of IP roaming?
> - Is the fwmark solution a good solution for OpenBSD as well? If yes, how can
> I implement it? Should I use routing domains?
does serverB have separate wg(4) interfaces for talking to serverA and serverC?
or is it the one interface for both?
if serverB has one interface, you'll need to configure wgaip for each peer so
the cryptokey routing stuff knows which peer has which address. if you use
separate interfaces you'll need more IPs...
assuming one wg on each server:
serverA# cat /etc/hostname.wg0
# wg stuff goes here
wgpeer ... wgdescr serverB wgaip 0.0.0.0/0
inet 10.0.0.0 255.255.255.255
!route -qn add 10.0.0.1/32 10.0.0.0
!route -qn add 10.0.0.2/32 10.0.0.0

serverB# cat /etc/hostname.wg0
# wg stuff goes here
wgpeer ... wgdescr serverA wgaip 10.0.0.0/32
wgpeer ... wgdescr serverC wgaip 10.0.0.2/32
inet 10.0.0.1 255.255.255.255
!route -qn add 10.0.0.0/32 10.0.0.1
!route -qn add 10.0.0.2/32 10.0.0.1

serverC# cat /etc/hostname.wg0
# wg stuff goes here
wgpeer ... wgdescr serverB wgaip 0.0.0.0/0
inet 10.0.0.2 255.255.255.255
!route -qn add 10.0.0.0/32 10.0.0.2
!route -qn add 10.0.0.1/32 10.0.0.2
so, the routes tell the kernel to push the packets for each peer out the wg
interface. using the local ip as the route destination is enough for the kernel
to be able to send each peer's packets out the wg interface. after that, the
wgaip config tells wireguard's cryptokey routing stuff how to map each
destination ip to which peer.
i much prefer a wg interface per peer with wgaip 0.0.0.0/0, and then i can use
routes and pf for policy.
dlg
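As an added example (not code from the thread or from dlg), the pattern in the reply, written out as a small generator: each node gets its tunnel address as a /32, a route to every other node via its own address, and wgaip entries that let cryptokey routing pick the peer. It assumes a hub-and-spoke topology with one wg(4) interface per node; the peer public keys are placeholders, and the hub must additionally have IP forwarding enabled (net.inet.ip.forwarding=1), which the thread does not mention.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology taken from the thread: name -> (tunnel address, direct peers).
TOPOLOGY: Dict[str, Tuple[str, List[str]]] = {
    "serverA": ("10.0.0.0", ["serverB"]),
    "serverB": ("10.0.0.1", ["serverA", "serverC"]),
    "serverC": ("10.0.0.2", ["serverB"]),
}


def wgaip_for(node: str, peer: str) -> str:
    """Spokes (one peer) send everything to it; hubs get one /32 per peer."""
    if len(TOPOLOGY[node][1]) == 1:
        return "0.0.0.0/0"
    return TOPOLOGY[peer][0] + "/32"


def hostname_wg0(node: str) -> str:
    """Render /etc/hostname.wg0 for one node in the layout of the reply.
    WGPUBKEY_<peer> is a placeholder for the peer's real public key."""
    own, peers = TOPOLOGY[node]
    lines = ["# wg stuff (wgkey, wgport, wgendpoint) goes here"]
    for peer in peers:
        lines.append(f"wgpeer WGPUBKEY_{peer} wgdescr {peer} wgaip {wgaip_for(node, peer)}")
    lines.append(f"inet {own} 255.255.255.255")
    # A route via the local address is enough to push the packet out wg0.
    for other, (addr, _) in TOPOLOGY.items():
        if other != node:
            lines.append(f"!route -qn add {addr}/32 {own}")
    return "\n".join(lines) + "\n"


def uncovered(node: str, aips: Optional[Dict[str, str]] = None) -> List[str]:
    """Other nodes whose tunnel address no wgaip on this node matches.
    The kernel would route such packets to wg0, but cryptokey routing has no
    peer for them, so they are silently dropped. `aips` overrides the derived
    peer -> wgaip map, e.g. to check a hand-written config."""
    own, peers = TOPOLOGY[node]
    aips = aips or {p: wgaip_for(node, p) for p in peers}
    nets = [ipaddress.ip_network(a) for a in aips.values()]
    return [o for o, (addr, _) in TOPOLOGY.items()
            if o != node and not any(ipaddress.ip_address(addr) in n for n in nets)]
```

Running `uncovered` on a hub whose wgaip list misses a spoke's address shows the failure mode the reply warns about (the kernel route exists, but no peer claims the destination).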