From: Lonnie A. <li...@lo...> - 2018-10-10 15:20:38

Hi Michael,

Given:

pbx2 --WG-- pbx4 --WG-- pbx3

Then ping pbx2 -> pbx3, a restart of wireguard (on pbx4) interrupts the ping for 17 seconds, exactly as your results.

The advantage of using "wg set wg0 ...": for the active peers not changed, their flows are not affected.

While this optimization is possible with WireGuard (unlike OpenVPN) it would involve some tricky coding ... not only changes using "wg set wg0 ..." but the automatic routes created by Allowed IPs would need to be added/removed.

Then the question is how the /mnt/kd/wireguard.script would be called for an "incremental" reload.

This requires some thought...

Lonnie

> On Oct 9, 2018, at 11:18 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie
>
> Yes restarting Wireguard caused a significant packet loss (ping from endpoint to server):
> PING 172.29.253.1 (172.29.253.1): 56 data bytes
> 64 bytes from 172.29.253.1: seq=0 ttl=64 time=13.475 ms
> 64 bytes from 172.29.253.1: seq=1 ttl=64 time=13.277 ms
> 64 bytes from 172.29.253.1: seq=2 ttl=64 time=13.039 ms
> 64 bytes from 172.29.253.1: seq=3 ttl=64 time=12.660 ms
> 64 bytes from 172.29.253.1: seq=4 ttl=64 time=13.301 ms
> 64 bytes from 172.29.253.1: seq=5 ttl=64 time=15.457 ms
> 64 bytes from 172.29.253.1: seq=6 ttl=64 time=13.471 ms
> 64 bytes from 172.29.253.1: seq=7 ttl=64 time=13.273 ms
> 64 bytes from 172.29.253.1: seq=8 ttl=64 time=12.644 ms
> 64 bytes from 172.29.253.1: seq=9 ttl=64 time=13.139 ms
> 64 bytes from 172.29.253.1: seq=10 ttl=64 time=12.931 ms
> 64 bytes from 172.29.253.1: seq=27 ttl=64 time=13.851 ms
> 64 bytes from 172.29.253.1: seq=28 ttl=64 time=12.701 ms
> 64 bytes from 172.29.253.1: seq=29 ttl=64 time=12.899 ms
> 64 bytes from 172.29.253.1: seq=30 ttl=64 time=13.522 ms
> 64 bytes from 172.29.253.1: seq=31 ttl=64 time=13.188 ms
> 64 bytes from 172.29.253.1: seq=32 ttl=64 time=12.696 ms
> 64 bytes from 172.29.253.1: seq=33 ttl=64 time=13.680 ms
> 64 bytes from 172.29.253.1: seq=34 ttl=64 time=16.112 ms
> ^C
> --- 172.29.253.1 ping statistics ---
> 35 packets transmitted, 19 packets received, 45% packet loss
> round-trip min/avg/max = 12.644/13.437/16.112 ms
>
> It would certainly be good to avoid this.
>
> Regards
> Michael Knill
>
> On 10/10/18, 2:28 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Hi Michael, comments inline...
>
>> On Oct 8, 2018, at 9:20 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi Devs
>>
>> I have a couple of questions regarding Wireguard in Astlinux:
>> • Having to restart Wireguard to re-read the wg0.peer file is not particularly good for multiple clients as I assume it drops all the current connections? I tried wg setconf wg0 /mnt/kd/wireguard/peer/wg0.peer which re-reads the configuration but you still seem to need to restart to activate it! I did however try to add a peer this way 'wg set wg0 peer <public key> endpoint <ip:port> allowed-ips <allowed subnet>' and it came up immediately without a restart. Could we add this into the GUI somehow?
>
> WireGuard is "stateless" so adding/deleting/editing configurations should not cause major problems, but some packets could be dropped in the process.
>
> Various "wg" sub-commands are:
> --
> set: Change the current configuration, add peers, remove peers, or change peers
> setconf: Applies a configuration file to a WireGuard interface
> addconf: Appends a configuration file to a WireGuard interface
> --
>
> Indeed "wg set wg0 ..." is quite powerful and can change your config in realtime with minimal disruption.
>
> I will have to do some research to completely answer your question.
>
>
>> • Is there an option for a peer name in wg0.peer other than the nonsensical Public Key natively in Wireguard? If not, can we add something
>
> Funny you should mention this, Michael Keuter and I gave this some major thought on how to do it ... I even submitted a patch to Jason (he rejected it).
>
> The bottom line is any "label" should be part of the overall wireguard config and as a result be stored in the kernel; this gave Jason some pause with arbitrary label sizes. Also the effect for VPN providers with 1000's of peers needs to be considered.
>
> The other approach is (in user-space) to hack together some sort of special comment in the text wireguard config associated with the peer PublicKey in a separate database and merge them together with "wg show wg0" to create the label-ized output. Hack'ish to say the least.
>
> This feature has been a common request in the wireguard mailing list.
>
>
>> • The Wireguard VPN status on the Status Tab will start to use up quite a bit of space with multiple clients as it uses 6 lines per user whereas OpenVPN only uses 1. Should we consider reformatting the output as the Status Tab is already quite large when you have a large number of users?
>
> Interesting issue, I guess I have not run into that myself.
>
> The command "wg show wg0 dump" is a more tabular/compact format, though for less than 10 the current method seems better.
>
>
>> Looking forward to discussing this.
>>
>> Regards
>> Michael Knill
>
> Lonnie
>
>
>
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
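Lonnie's point above is that an "incremental" reload needs more than a few `wg set wg0 ...` calls: the routes that AllowedIPs create have to be added and removed as well. The script below is an added example of how that plan could be computed; it is not AstLinux code and not taken from /mnt/kd/wireguard.script. It assumes the peer file uses `wg setconf` syntax ([Peer] sections with PublicKey, AllowedIPs, Endpoint, PersistentKeepalive), that AllowedIPs routes are plain `ip route ... dev wg0` routes, and it reads the live state from the tab-separated `wg show wg0 dump` output that Lonnie mentions for the compact status view. The function names (wg_plan, parse_peer_conf, parse_dump, plan_changes) are my own. It only prints the commands; nothing is applied until you pipe the output into a shell.

```shell
#!/bin/sh
# wg_plan.sh - added example (not AstLinux code): print the "wg set" and
# "ip route" commands that bring a running WireGuard interface in line with a
# [Peer]-style config file, leaving unchanged peers and their flows alone.
# Assumed, not from the page: wg-setconf style peer file; routes for AllowedIPs
# are "ip route ... dev <if>"; /0 catch-alls are left to the interface policy.

# parse_peer_conf FILE: one tab-separated line per [Peer]:
# pubkey, allowed-ips, endpoint, keepalive, with the same "(none)"/"off"
# placeholders that "wg show <if> dump" prints, so the two can be compared.
parse_peer_conf() {
    awk '
        function flush() {
            if (pk != "") printf "%s\t%s\t%s\t%s\n", pk, aip, ep, ka
            pk = ""; aip = "(none)"; ep = "(none)"; ka = "off"
        }
        BEGIN { flush() }
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { flush(); next }            # any section header ends a peer
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "PublicKey") pk = val
            else if (key == "AllowedIPs") aip = val
            else if (key == "Endpoint") ep = val
            else if (key == "PersistentKeepalive") ka = val
        }
        END { flush() }
    ' "$1" | sort
}

# parse_dump FILE: FILE holds "wg show <if> dump"; drop the interface line and
# keep pubkey (col 1), allowed-ips (4), endpoint (3), keepalive (8).
parse_dump() {
    awk -F'\t' 'NR > 1 { printf "%s\t%s\t%s\t%s\n", $1, $4, $3, $8 }' "$1" | sort
}

# plan_changes IF CURRENT WANTED: CURRENT/WANTED are parse_dump/parse_peer_conf
# output. Prints commands for new, changed and removed peers; executes nothing.
plan_changes() {
    awk -F'\t' -v dev="$1" '
        function norm(s,   a, n, i, j, t, out) {   # sort a comma list (awk has no sort)
            n = split(s, a, ",")
            for (i = 2; i <= n; i++) { t = a[i]; for (j = i - 1; j >= 1 && a[j] > t; j--) a[j + 1] = a[j]; a[j + 1] = t }
            out = a[1]; for (i = 2; i <= n; i++) out = out "," a[i]
            return out
        }
        function set_cmd(pk, aip, ep, ka,   cmd) {   # "allowed-ips" replaces the whole list
            cmd = "wg set " dev " peer " pk " allowed-ips " aip
            if (ep != "(none)") cmd = cmd " endpoint " ep
            if (ka != "off") cmd = cmd " persistent-keepalive " ka
            return cmd
        }
        function routable(p) { return p != "(none)" && substr(p, length(p) - 1) != "/0" }
        function route_change(was, now,   o, n, i, k, have, want) {
            split(was, o, ","); split(now, n, ",")
            for (i in o) have[o[i]] = 1
            for (i in n) want[n[i]] = 1
            for (k in have) if (!(k in want) && routable(k)) print "ip route del " k " dev " dev
            for (k in want) if (!(k in have) && routable(k)) print "ip route add " k " dev " dev
        }
        FILENAME == ARGV[1] { cur[$1] = norm($2) "\t" $3 "\t" $4; next }
        {
            seen[$1] = 1
            if (!($1 in cur)) { print set_cmd($1, $2, $3, $4); route_change("(none)", $2); next }
            split(cur[$1], c, "\t")
            ep = ($3 == "(none)") ? c[2] : $3     # no Endpoint in file: keep the learned one
            if (norm($2) != c[1] || ep != c[2] || $4 != c[3]) {
                print set_cmd($1, $2, $3, $4); route_change(c[1], $2)
            }
        }
        END {
            for (k in cur) if (!(k in seen)) {   # peer dropped from the file
                split(cur[k], c, "\t"); route_change(c[1], "(none)")
                print "wg set " dev " peer " k " remove"
            }
        }
    ' "$2" "$3"
}

# wg_plan [IF] [PEERFILE]: diff the live interface against the file and print the plan.
wg_plan() {
    dev="${1:-wg0}"; conf="${2:-/mnt/kd/wireguard/peer/wg0.peer}"
    tmp=$(mktemp -d) || return 1
    wg show "$dev" dump > "$tmp/dump" || { rm -rf "$tmp"; return 1; }
    parse_dump "$tmp/dump" > "$tmp/cur"
    parse_peer_conf "$conf" > "$tmp/want"
    plan_changes "$dev" "$tmp/cur" "$tmp/want"
    rm -rf "$tmp"
}

# Run only when executed as wg_plan.sh (e.g. "sh wg_plan.sh wg0 | sh"); sourcing just defines the functions.
case "$0" in *wg_plan.sh) wg_plan "$@" ;; esac
```

Review the printed plan before piping it into `sh`. Two details matter in practice: a peer whose file entry has no Endpoint keeps whatever endpoint the kernel learned from the peer (so roaming clients are not reset on every reload), and a peer whose Endpoint is a hostname will compare unequal to the resolved address in the dump and be re-set each time, which is harmless but noisy.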