Hacker News new | ask | show | jobs
by octoberfranklin 1544 days ago
Wireguard is not a link layer (layer 2) tunnel; it is a network (layer 3) tunnel. It operates at the IP layer. You cannot use Wireguard with any non-IP layer3.

AllowedIPs can be disabled if you want; just set it to 0.0.0.0/0. AllowedIPs is needed because netfilter can't "see" which public key an inbound packet is coming from, so by the time a packet gets to netfilter it's too late to accept/reject based on which peer sent it to us.
2 comments
_dh54 1543 days ago
> Wireguard is not a link layer (layer 2)

Yes but UI wise it presents itself as one, since it’s acts as an interface. The fact that it is not a true data link layer is the basis of my comment.

> AllowedIPs can be disabled if you want; just set it to 0.0.0.0/0.

Only one peer is allowed to use 0.0.0.0/0 for AllowedIPs

link
octoberfranklin 1543 days ago
> Only one peer is allowed to use 0.0.0.0/0 for AllowedIPs

This is simply incorrect. You can have two peers with the same AllowedIP; you just have to put them on separate interfaces (wg0 and wg1 for example). This is for exactly the same reason that a routing table can only have one default entry. If you want two default entries, make two routing tables.

> Yes but UI wise it presents itself as one

No, it doesn't present itself as one.

> since it’s acts as an interface

So does /dev/net/tun, which is definitely not a layer 2 interface either.

link
_dh54 1543 days ago
> you just have to put them on separate interfaces

I don’t have to do this with normal data link layers. That’s the point of the complaint. Wireguard is not a true data link layer. Manually configuring multiple interfaces for something I can do with just one interface with a normal data link layer at runtime is an extra inconvenience.

> This is for exactly the same reason that a routing table can only have one default entry. If you want two default entries, make two routing tables.

Using nftables I can specify different routers to use based on arbitrarily complex packet rules. Using just one interface. I can’t do this with wireguard, it will only allow me to to route arbitrary packets to a single peer on an interface. This is an inconvenience.

link
zekica 1544 days ago
This is less important although useful in some cases. The more important thing is outbound - since Wireguard is layer 3, in the routing table you can't specify a peer to send the packet to like you can with ethernet, and it has to choose one using AllowedIPs.
link
3np 1543 days ago
Why not just split the peers up over separate wg interfaces?
link