From: Michael K. <mic...@ip...> - 2018-10-10 04:22:21
Maybe using the 'wg set' commands, we completely abstract ourselves away from the configuration file and use something like the firewall tab to configure peers. You could put the label in there as well.

Regards
Michael Knill

On 10/10/18, 3:19 pm, "Michael Knill" <mic...@ip...> wrote:

Thanks Lonnie

Yes restarting Wireguard caused a significant packet loss (ping from endpoint to server):

PING 172.29.253.1 (172.29.253.1): 56 data bytes
64 bytes from 172.29.253.1: seq=0 ttl=64 time=13.475 ms
64 bytes from 172.29.253.1: seq=1 ttl=64 time=13.277 ms
64 bytes from 172.29.253.1: seq=2 ttl=64 time=13.039 ms
64 bytes from 172.29.253.1: seq=3 ttl=64 time=12.660 ms
64 bytes from 172.29.253.1: seq=4 ttl=64 time=13.301 ms
64 bytes from 172.29.253.1: seq=5 ttl=64 time=15.457 ms
64 bytes from 172.29.253.1: seq=6 ttl=64 time=13.471 ms
64 bytes from 172.29.253.1: seq=7 ttl=64 time=13.273 ms
64 bytes from 172.29.253.1: seq=8 ttl=64 time=12.644 ms
64 bytes from 172.29.253.1: seq=9 ttl=64 time=13.139 ms
64 bytes from 172.29.253.1: seq=10 ttl=64 time=12.931 ms
64 bytes from 172.29.253.1: seq=27 ttl=64 time=13.851 ms
64 bytes from 172.29.253.1: seq=28 ttl=64 time=12.701 ms
64 bytes from 172.29.253.1: seq=29 ttl=64 time=12.899 ms
64 bytes from 172.29.253.1: seq=30 ttl=64 time=13.522 ms
64 bytes from 172.29.253.1: seq=31 ttl=64 time=13.188 ms
64 bytes from 172.29.253.1: seq=32 ttl=64 time=12.696 ms
64 bytes from 172.29.253.1: seq=33 ttl=64 time=13.680 ms
64 bytes from 172.29.253.1: seq=34 ttl=64 time=16.112 ms
^C
--- 172.29.253.1 ping statistics ---
35 packets transmitted, 19 packets received, 45% packet loss
round-trip min/avg/max = 12.644/13.437/16.112 ms

It would certainly be good to avoid this.

Regards
Michael Knill

On 10/10/18, 2:28 pm, "Lonnie Abelbeck" <li...@lo...> wrote:

Hi Michael, comments inline...
> On Oct 8, 2018, at 9:20 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Devs
>
> I have a couple of questions regarding Wireguard in Astlinux:
>
> • Having to restart Wireguard to re-read the wg0.peer file is not particularly good for multiple clients as I assume it drops all the current connections? I tried wg setconf wg0 /mnt/kd/wireguard/peer/wg0.peer which re-reads the configuration but you still seem to need to restart to activate it! I did however try to add a peer this way ‘wg set wg0 peer <public key> endpoint <ip:port> allowed-ips <allowed subnet>’ and it came up immediately without a restart. Could we add this into the GUI somehow?

WireGuard is "stateless" so adding/deleting/editing configurations should not cause major problems, but some packets could be dropped in the process.

Various "wg" sub-commands are:
--
set: Change the current configuration, add peers, remove peers, or change peers
setconf: Applies a configuration file to a WireGuard interface
addconf: Appends a configuration file to a WireGuard interface
--

Indeed "wg set wg0 ..." is quite powerful and can change your config in realtime with minimal disruption. I will have to do some research to completely answer your question.

> • Is there an option for a peer name in wg0.peer other than the nonsensical Public Key natively in Wireguard? If not, can we add something

Funny you should mention this, Michael Keuter and I gave this some major thought on how to do it ... I even submitted a patch to Jason (he rejected it). The bottom line is any "label" should be part of the overall wireguard config and as a result be stored in the kernel; this gave Jason some pause with arbitrary label sizes. Also the effect for VPN providers with 1000's of peers needs to be considered.
The other approach is (in user-space) to hack together some sort of special comment in the text wireguard config associated with the peer PublicKey in a separate database and merge them together with "wg show wg0" to create the label-ized output. Hack'ish to say the least. This feature has been a common request in the wireguard mailing list.

> • The Wireguard VPN status on the Status Tab will start to use up quite a bit of space with multiple clients as it uses 6 lines per user whereas OpenVPN only uses 1. Should we consider reformatting the output as the Status Tab is already quite large when you have a large number of users?

Interesting issue, I guess I have not run into that myself. The command "wg show wg0 dump" is a more tabular/compact format, though for less than 10 the current method seems better.

> Looking forward to discussing this.
>
> Regards
> Michael Knill

Lonnie

_______________________________________________
Astlinux-devel mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-devel
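An added example of the "wg set" approach discussed in the thread (my own illustration, not code from the thread or from AstLinux): a POSIX sh function that reads a wg0.peer-style file together with the output of "wg show wg0 peers" and emits the wg set commands that add, update or remove peers in place, so the interface never has to be restarted and the packet loss Michael measured is avoided. The function name, the sample peer file and the placeholder keys and addresses are all constructed for this example; it only prints the commands, so applying them is a separate, deliberate step.

```sh
#!/bin/sh
# Added example, not AstLinux code. Plan "wg set" commands that bring a running
# WireGuard interface in line with a wg0.peer-style file (the [Peer] sections
# 'wg setconf' reads), so peers change without a restart and its packet loss.
#
# wg_peer_plan IFACE PEERFILE CURRENT
#   CURRENT holds one public key per line, as printed by "wg show IFACE peers".
#   Prints one "wg set" command per line; peers in CURRENT but not in PEERFILE
#   are removed. Nothing is executed here: pipe the output to sh to apply it.
wg_peer_plan() {
  iface=$1; peerfile=$2; current=$3
  awk -v iface="$iface" -v current="$current" '
    # Emit the command for the peer collected so far and reset the fields.
    function flush(  cmd) {
      if (key == "") return
      cmd = "wg set " iface " peer " key
      if (ips != "") cmd = cmd " allowed-ips " ips
      if (ep  != "") cmd = cmd " endpoint " ep
      if (ka  != "") cmd = cmd " persistent-keepalive " ka
      print cmd
      wanted[key] = 1
      key = ips = ep = ka = ""
    }
    # Value after "=", with any trailing comment and all whitespace stripped.
    function val(  v) { v = $0; sub(/#.*/, "", v); sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); return v }
    /^[ \t]*\[Peer\]/ { flush(); inpeer = 1; next }
    /^[ \t]*\[/       { flush(); inpeer = 0; next }   # e.g. [Interface]
    !inpeer { next }
    /^[ \t]*PublicKey[ \t]*=/           { key = val() }
    /^[ \t]*AllowedIPs[ \t]*=/          { ips = val() }
    /^[ \t]*Endpoint[ \t]*=/            { ep  = val() }
    /^[ \t]*PersistentKeepalive[ \t]*=/ { ka  = val() }
    END {
      flush()
      while ((getline k < current) > 0)
        if (k != "" && !(k in wanted)) print "wg set " iface " peer " k " remove"
    }' "$peerfile"
}

# Constructed demo input (placeholder keys and addresses, not a real setup):
# the file wants AAA= and BBB=; the kernel currently has BBB= and a stale CCC=.
demo=$(mktemp -d)
printf '[Peer]\nPublicKey = AAA=\nAllowedIPs = 10.0.0.2/32, 10.0.1.0/24\nEndpoint = 203.0.113.5:51820\n\n[Peer]\nPublicKey = BBB=\nAllowedIPs = 10.0.0.3/32\nPersistentKeepalive = 25\n' > "$demo/wg0.peer"
printf 'BBB=\nCCC=\n' > "$demo/current"
wg_peer_plan wg0 "$demo/wg0.peer" "$demo/current"
# Real use: wg show wg0 peers > /tmp/cur && wg_peer_plan wg0 /mnt/kd/wireguard/peer/wg0.peer /tmp/cur | sh
rm -rf "$demo"
```

Because only the differing peers are touched, existing sessions on unchanged peers keep their handshake state; a peer whose AllowedIPs or Endpoint changed is updated in the kernel without recreating the interface.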