wireguard-tools: add ippeer option #3810
Conversation
| @@ -108,6 +108,7 @@ proto_wireguard_setup() { | |||
| config_get private_key "${config}" "private_key" | |||
| config_get listen_port "${config}" "listen_port" | |||
| config_get addresses "${config}" "addresses" | |||
| config_get ippeer "${config}" "ippeer" | |||
There was a problem hiding this comment.
For the sake of uniformity I propose to change this into peeraddr; similar as in the packages ipip (https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/config/ipip/files/ipip.sh;h=15b1c978e31b1809021ce15aef4aa656b23886b7;hb=refs/heads/master#l85) and gre (https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/config/gre/files/gre.sh;h=eb3df5b48c874c7e14b32bd53bb27a8ff0854684;hb=refs/heads/master#l269)
There was a problem hiding this comment.
peerip could be named endpoint_ip, and is not at all similar to ippeer
ippeer is a generic option that could be available for any interface type
ip link add name ipip-test type ipip local 9.10.11.12 remote 13.14.15.16
ip addr add dev ipip-test local 1.2.3.4 peer 5.6.7.8
ip addr show ipip-test
15: ipip-test@NONE: <POINTOPOINT,NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 9.10.11.12 peer 13.14.15.16
inet 1.2.3.4 peer 5.6.7.8/32 scope global ipip-test
valid_lft forever preferred_lft forever
There was a problem hiding this comment.
Really good article about tunnel interfaces: https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels/
|
I'm curious to learn how this simplifies bird and ospf. How does it differ from setting the IP address to a /32 and adding one single interface route of a /32? |
Without the peer bird stays in stub mode, so it doesn't advertise With the peer on the interface See the state is now just PtP |
|
Extract from bird conf |
|
What I'm wondering about is: |
|
Sorry I did a bunch of edits, you should have your response in previous messages It doesn't change the routing, and bird/ospf still uses multicast But this is how bird/ospf works with point to point /32 links, if there is no peer set it's a stub |
|
Huh, interesting. Is this something that should be fixed in bird? Or is the |
|
I have no idea if this is some legacy behavior or important semantic. I've migrated from openvpn p2p tunnel (with /32 & peer) to wireguard last summer and was forced to use /31 and I really prefer /32, it makes the setup way cleaner/easier IMO. |
|
Email sent (http://trubka.network.cz/pipermail/bird-users/2021-January/015157.html) |
|
Answer: this is a bird limitation but pretty hard to fix (http://trubka.network.cz/pipermail/bird-users/2021-January/015167.html) |
|
@zx2c4 can we merge this ? Between rewriting bird and a 3 lines patch, I prefer the 3 lines patch :) |
|
@zx2c4 friendly ping |
|
Isn't this a small patch for bird too? Why a "rewrite"? |
This makes me think one will need to change a good part of the logic of BIRD OSPF implementation, not just add one or 2 if. |
|
@zx2c4 ? |
|
@zx2c4 silence is hard to parse ;) |
This allow to set IPv4 peer address for point to point tunnel
This simplify a lot bird ospf usage / configuration
~# cat /etc/config/network
config interface 'test'
option proto 'wireguard'
option private_key '<key>'
list addresses '1.2.3.4'
option ippeer '5.6.7.8'
option nohostroute '1'
~# ip a show test
9: test: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
link/[65534]
inet 1.2.3.4 peer 5.6.7.8/32 brd 255.255.255.255 scope global test
valid_lft forever preferred_lft forever
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
Rebased on latest changes |
This isn't a good rationale for adding a non standard knob that will harder to claw back later when we risk breaking compatibility. I'll feel comfortable acking this if I'm more certain that there's no way for bird to do it, or that there's some important semantic place for ippeer. But if the reason amounts to, "because shell scripting is easier than C", I don't want to start taking shortcuts like that. Basically, either me or you or somebody else needs to find the time to really look deeply into this. @tohojo mentioned an interest in adding various forms of WireGuard support to bird at some point. Maybe he has a better idea of the architecture involved. |
|
After double checking, ippeer is not present in NetworkManager either, so improving bird make sense. |
|
I don't really know anything about the OSPF implementation in Bird apart from the reply you linked above, sorry. As for adding Wireguard support to bird itself, my idea for that was to teach Bird about the wireguard interface type so it could both learn peers from it, and also update allowedips when it installs new routes. Which would make it possible to run Bird on a multi-peer wireguard link instead of using p2p links. That seems rather orthogonal to this, though... |
This allow to set IPv4 peer address for point to point tunnel
This simplify a lot bird ospf usage / configuration
ippeeris not really a good fit withaddressesbut I don't have a better idea for now.