Sequence of creating peers and host blurry about wireguard-rs HOT 3 CLOSED

Hi.
You make good points, let me clarify a bit.

In the simplest case for the interface to work you need to perform two steps:

• create a WireGuard network interface
• configure the interface

This is broadly the same thing that would happen if you used wg-quick with a config file.

The "peer preparation" step is meant to show that the interface configuration method performs all the necessary steps required to have a working WireGuard server, including configuring peers. The InterfaceConfiguration struct can be thought of as being mostly equivalent to a wg0.conf file that you would have for your server or client.

The configure_peer and remove_peer methods are there for convenience, because we found out that after we initialize our VPN gateway we then only need to modify specific peers at runtime (because someone added or removed a device etc.), without passing all the interface data (including other peers).

why in the example would you give an allowed_ip like 10.20.30.40 if the 40 digit is stripped and replaced by a 0

This is just how IP subnets work. The 40 is meaningless in this case and gets stripped when parsing.

Also, is it possible to push multiple addresses to have multiple allowed_ips ?

Yes, although I haven't encountered such a configuration when adding clients. Usually when configuring a server you give peers a specific IP address (with a /32 subnet mask) within your VPN subnet. Technically there's nothing within WireGuard itself stopping you.
Multiple allowed_ips are probably more common on the client side, for example when you have multiple internal subnets in your homelab.

After that, you create some peers, but you don't initialize them with any ip address neither allowed ips. How so ?
Do you need to (or can you) manually give them addresses, is it managed already by the host ?

No, there's no automated addressing. Due to the way WireGuard works you can add peers without specifying allowed IPs, they just won't be able to actually send any packets.

for context, my goal is to make an API that generates Wireguard Configurations, and then be able to start them with > > the wireguard client (lot complexity that defguard doesn't manage because of my very personal use case).

In this case you should be able to use the available data to prepare a complete InterfaceConfiguration and then just create & configure the interface.

And finally could you please explain why does the privatekey has to be initialized with a string, wouldn't it be easier to > manage keys rather than the string ? Also for security purposes.

This was just our use case. Ultimately the key has to be converted to a byte array anyway. I'm not sure it's inherently less secure. You can always initialize this value in some secure way to avoid passing around bare secrets in other parts of your system.

I hope this clears some things up. I'll go back to update the example again :)

from wireguard-rs.

Hi @wojcik91

Thank you for the clarifications, it makes a lot more sens to me now. There is still something I can't put a finger on.

My question is therefore, how can I set the peer address with wireguard-rs and what difference do you make between the AllowedIps of the server's peer and the allowedIps you directly push ?

Let's illustrate :

In the server.rs example :

    // prepare peer configuration
    let secret = EphemeralSecret::random();
    let key = PublicKey::from(&secret);
    let peer_key: Key = key.as_ref().try_into().unwrap();
    let mut peer = Peer::new(peer_key.clone());
    let addr = IpAddrMask::from_str("10.20.30.40/24").unwrap();
    peer.allowed_ips.push(addr);

I understood that in order to have an allowed_ips it is mandatory to have a peer. You created a peer that you initialized with no address, but you set the allowed_ips with the 10.20.30.40/24 (that is stripped to have 10.20.30.0/24)

And now you create peers :

 // Create peers
    for _ in 0..32 {
        let secret = EphemeralSecret::random();
        let key = PublicKey::from(&secret);
        let peer = Peer::new(key.as_ref().try_into().unwrap());
        wgapi.configure_peer(&peer)?;
        wgapi.remove_peer(&peer.public_key)?;
    }

You firstly made the peer mutable, but now you create a new peer every time, so you create another structure every time.
So basically there is no allowed_ips in this for loop. So what did you prepare the peer configuration for ?

And to my first question, how do you give the peer an address, the exact same way you did to the host ?

    let interface_config = InterfaceConfiguration {
        name: ifname.clone(),
        prvkey: "AAECAwQFBgcICQoLDA0OD/Dh0sO0pZaHeGlaSzwtHg8=".to_string(),
        address: "10.6.0.30".to_string(),
        port: 12345,
        peers: vec![peer],
    };

here you have "10.6.0.30" so it means you have an actual way of setting the ip address, but impossible to find it for the peer.

Until now the things that I understood from the server.rs is :

You created a peer as an example that has no ip address and only allowed_ip,

You created the interface and configured it,

You created 32 peers that have no ip address and no allowed_ips, and that are deleted just after they are created, which explains why after a sudo cargo run we only have one peer, that has the allowed ip 10.20.30.0.

All of that part makes sense, but i'd like to know how to populate the ip address inside the peer when it's created.

Let's say we have a client configuration file (wg0.conf)

You might have something like this :

[Interface]
PrivateKey = redacted
Address = 10.0.0.3/32
ListenPort = 51820

[Peer]
PublicKey = redacted
AllowedIps = 10.0.1.0/24, 10.6.3.1/32, 10.0.0.0/24
Endpoint = 192.168.64.3:51820
PersistentKeepAlive = 60

In the interface section, there is an address (10.0.0.3). This is the one i'm refering to.

Thank you for your hard work,
Best,
Ange

from wireguard-rs.

Hey,

The Ip addresses for the peers can actually be a range, that's why it's confusing and the reason is explained in the #19.

It's actually an allowed_ips (if only one is allowed it should be a /32)

Best,
Ange

from wireguard-rs.