Netgate Discussion Forum

    Wireguard S2S Tunnel Gateway IP?

    WireGuard
    12 Posts 4 Posters 1.4k Views
    • JeGr LAYER 8 Moderator

      Perhaps this is by design, but I found it very irritating that, when setting up WG with a specified peer (1:1), both sides create gateways for their own configured IP instead of the one configured on the peer. I can understand that in a many-to-one configuration it would be hard to set the GW to one peer, but in a site2site context - why have a gateway entry with my own IP? Somehow that boggles my mind ;) Do I have to create a second gateway for the peer for policy routing myself?

      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      • cmcdonald Netgate Developer @JeGr

        @jegr This was a discussion point on Redmine and @jimp made some changes to the behavior. For point-to-point tunnels, set the peer WireGuard address to the remote side of the peer-to-peer link; this address will then be used to build the dynamic interface gateway, which is then actually meaningful in terms of monitoring the status of the link.

        Need help fast? https://www.netgate.com/support

        • JeGr LAYER 8 Moderator @cmcdonald

          @vbman213 said in Wireguard S2S Tunnel Gateway IP?:

          @jegr This was a discussion point on Redmine and @jimp made some changes to the behavior. For point-to-point tunnels, set the peer WireGuard address to the remote side of the peer-to-peer link; this address will then be used to build the dynamic interface gateway, which is then actually meaningful in terms of monitoring the status of the link.

          Set it in Routing/Gateways (and let "dynamic" result in the local IP)? Or change the WireGuard peer setup? Because currently my tunnel "address" is the local one (.2/30) and the peer WireGuard IP (in peer0, the only peer) is already set up to the other side (.1/30), so nothing jumps to my mind that should be configured in another way?

          • cmcdonald Netgate Developer @JeGr

            @jegr Let's say your local interface is 10.20.12.1/31 and your remote side is 10.20.12.0/31.

            So a typical point-to-point /31.

            Under the peer configuration you would set the "Peer WireGuard Address" to the other side of the link, and the IP that is in turn set on the gateway will be this address.

            • JeGr LAYER 8 Moderator @cmcdonald

              @vbman213 said in Wireguard S2S Tunnel Gateway IP?:

              Under the peer configuration you would set the "Peer WireGuard Address" to the other side of the link, and the IP that is in turn set on the gateway will be this address.

              That's already the case.

              Remote is .1/30, local is .2/30.

              Shown here: [two screenshots of the tunnel and peer configuration, not reproduced]

              • jimp Rebel Alliance Developer Netgate @JeGr

                @jegr said in Wireguard S2S Tunnel Gateway IP?:

                why have a gateway entry with my own IP? Somehow that boggles my mind ;)

                Because there is no way to know automatically what the remote tunnel address is, unless you set it under Peer WireGuard Address. You can't just assume it's the next highest IP address, as that may not be true. Without that, it uses the IP address of the interface itself because that's good enough to nudge traffic to use the interface for routing at the OS level. The only thing it doesn't work for is gateway monitoring.

                You can either fill in Peer WireGuard Address with the tunnel address of the remote peer, or edit the automatic WireGuard interface gateway and set a custom monitor IP address.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                • JeGr LAYER 8 Moderator @jimp

                  @jimp said in Wireguard S2S Tunnel Gateway IP?:

                  You can either fill in Peer WireGuard Address with the tunnel address of the remote peer

                  And that IS what I did, if you look in the screenshots above! The .1 IS the other side. And it's the only peer (peer 0). So that is why I'm asking if I was overlooking something, as I had to manually edit my gateway to monitor the .1.

                  If you say "yay, that's normal because we don't know if there are multiple peers and we can't take the peer address from them" - alright :) But you both now cite that I "just need to enter the Peer WireGuard address" when I showed you that's what I did 😄

                  • jimp Rebel Alliance Developer Netgate

                    I was more explaining the how and why behind what it does.

                    If it didn't do as I explained, then perhaps you weren't on a current snapshot. Also, leave the subnet mask off the Peer WireGuard Address (the code removes it before use, but it is better to be sure).

                    • dem @jimp

                      I see that it works to put both IPv4 and IPv6 addresses in the Peer WireGuard Address field. That's not clear from the description.

                      • jimp Rebel Alliance Developer Netgate @dem

                        @dem said in Wireguard S2S Tunnel Gateway IP?:

                        I see that it works to put both IPv4 and IPv6 addresses in the Peer WireGuard Address field. That's not clear from the description.

                        What is unclear? The description starts with "IPv4/IPv6".

                        • dem @jimp

                          @jimp It sounds like the field can only take one address, either IPv4 or IPv6, since "address" and "gateway" are singular in the description.

                          • jimp Rebel Alliance Developer Netgate @dem

                            @dem said in Wireguard S2S Tunnel Gateway IP?:

                            @jimp It sounds like the field can only take one address, either IPv4 or IPv6, since "address" and "gateway" are singular in the description.

                            I noticed that after I replied. I changed it to say "addresses" and added "(comma separated)" which should help.

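The rule jimp describes above (gateway falls back to the interface's own address unless a Peer WireGuard Address is set, optionally with a custom monitor IP), together with the later points that any subnet mask is stripped and that the field takes comma-separated IPv4/IPv6 addresses, modelled as an added example. This is not pfSense code; the function names and the dict layout are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple


def parse_peer_addresses(field: str) -> list:
    """Split a comma-separated IPv4/IPv6 field into address objects.

    Any "/mask" suffix is dropped before use, matching the thread's advice
    to leave the subnet mask off the Peer WireGuard Address.
    """
    addrs = []
    for item in field.split(","):
        item = item.strip()
        if item:
            addrs.append(ipaddress.ip_address(item.split("/")[0]))
    return addrs


def derive_gateways(tunnel_addresses: str, peer_field: str = "",
                    custom_monitor: str = "") -> Dict[int, Tuple[str, Optional[str]]]:
    """Return {ip_version: (gateway_ip, monitor_ip)} per tunnel address family.

    With a peer address of the same family, the gateway is the remote tunnel
    address and is also monitored.  Without one, the interface's own address
    is used (enough to route via the interface, but nothing to monitor unless
    a custom monitor IP is supplied on the gateway).
    """
    peers = parse_peer_addresses(peer_field)
    monitors = parse_peer_addresses(custom_monitor)
    out: Dict[int, Tuple[str, Optional[str]]] = {}
    for item in tunnel_addresses.split(","):
        iface = ipaddress.ip_interface(item.strip())
        fam = iface.version
        peer = next((p for p in peers if p.version == fam), None)
        if peer is not None and peer not in iface.network:
            raise ValueError(f"peer address {peer} is outside {iface.network}")
        if peer is not None and peer == iface.ip:
            raise ValueError(f"peer address {peer} equals the local tunnel address")
        gateway = peer if peer is not None else iface.ip
        monitor = next((m for m in monitors if m.version == fam), None)
        if monitor is None and peer is not None:
            monitor = peer
        out[fam] = (str(gateway), str(monitor) if monitor is not None else None)
    return out
```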
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.