wireguard-tools: add ippeer option #3810
Conversation
@@ -108,6 +108,7 @@ proto_wireguard_setup() { | |||
config_get private_key "${config}" "private_key" | |||
config_get listen_port "${config}" "listen_port" | |||
config_get addresses "${config}" "addresses" | |||
config_get ippeer "${config}" "ippeer" |
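Review bot: the new `ippeer` value is only read into a variable here, and the hunk shows no check that it is a single IPv4 address before it is consumed further down, while `addresses` next to it is a list; consider rejecting anything that is not one dotted-quad (and a peer given together with more than one address) at this point, and documenting the option next to `addresses`. The earlier review also asks for the name `peeraddr` to match the ipip and gre scripts, which is worth settling before the option name ships.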
For the sake of uniformity I propose to change this into peeraddr, similar to the packages ipip (https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/config/ipip/files/ipip.sh;h=15b1c978e31b1809021ce15aef4aa656b23886b7;hb=refs/heads/master#l85) and gre (https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/config/gre/files/gre.sh;h=eb3df5b48c874c7e14b32bd53bb27a8ff0854684;hb=refs/heads/master#l269)
peerip could be named endpoint_ip, and is not at all similar to ippeer. ippeer is a generic option that could be available for any interface type:
ip link add name ipip-test type ipip local 9.10.11.12 remote 13.14.15.16
ip addr add dev ipip-test local 1.2.3.4 peer 5.6.7.8
ip addr show ipip-test
15: ipip-test@NONE: <POINTOPOINT,NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 9.10.11.12 peer 13.14.15.16
inet 1.2.3.4 peer 5.6.7.8/32 scope global ipip-test
valid_lft forever preferred_lft forever
Really good article about tunnel interfaces: https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels/
I'm curious to learn how this simplifies bird and ospf. How does it differ from setting the IP address to a /32 and adding one single interface route of a /32?
Without the peer bird stays in stub mode, so it doesn't advertise
With the peer on the interface
See the state is now just PtP
Extract from bird conf
What I'm wondering about is:
Sorry I did a bunch of edits, you should have your response in previous messages. It doesn't change the routing, and bird/ospf still uses multicast
But this is how bird/ospf works with point to point /32 links, if there is no peer set it's a stub
Huh, interesting. Is this something that should be fixed in bird? Or is the
I have no idea if this is some legacy behavior or important semantic. I've migrated from openvpn p2p tunnel (with /32 & peer) to wireguard last summer and was forced to use /31 and I really prefer /32, it makes the setup way cleaner/easier IMO.
Email sent (http://trubka.network.cz/pipermail/bird-users/2021-January/015157.html)
Answer: this is a bird limitation but pretty hard to fix (http://trubka.network.cz/pipermail/bird-users/2021-January/015167.html)
@zx2c4 can we merge this? Between rewriting bird and a 3 lines patch, I prefer the 3 lines patch :)
@zx2c4 friendly ping
Isn't this a small patch for bird too? Why a "rewrite"?
This makes me think one will need to change a good part of the logic of BIRD OSPF implementation, not just add one or two ifs.
@zx2c4 ?
@zx2c4 silence is hard to parse ;)
This allows setting the IPv4 peer address for a point to point tunnel
This simplifies bird ospf usage / configuration a lot

~# cat /etc/config/network
config interface 'test'
	option proto 'wireguard'
	option private_key '<key>'
	list addresses '1.2.3.4'
	option ippeer '5.6.7.8'
	option nohostroute '1'

~# ip a show test
9: test: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534]
    inet 1.2.3.4 peer 5.6.7.8/32 brd 255.255.255.255 scope global test
       valid_lft forever preferred_lft forever

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
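The config in the PR description hands an operator-supplied `ippeer` string to the interface setup script, where it ends up on the `ip addr add ... peer ...` command line shown earlier in the thread. The following POSIX sh script is an added example and is not code from the PR or from OpenWrt's netifd: it validates both the local and the peer value as an IPv4 dotted quad before composing that command, and shows the plain /32 form (the one bird's OSPF treats as a stub, per the discussion above) when no peer is given. The function names `is_ipv4` and `peer_addr_cmd` are hypothetical, and the real netifd helper functions are deliberately not used; the script only prints the command it would run.

```shell
#!/bin/sh
# Added example, not from the PR or from OpenWrt netifd. Function names are hypothetical.
# Validates the `addresses` / `ippeer` values from the UCI config before they are
# interpolated into the `ip addr add ... peer ...` command the PR relies on.

# is_ipv4 ADDR: succeed only if ADDR is four decimal octets 0..255 and nothing else.
is_ipv4() {
    addr=$1
    # Anything other than digits and dots (spaces, ';', '&', '$', ...) is rejected,
    # so the value can never smuggle extra words onto the ip(8) command line.
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr          # split into octets; the function's own $1..$n are overwritten
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0[0-9]*) return 1 ;; esac   # reject leading zeros (octal ambiguity)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# peer_addr_cmd IFACE LOCAL [PEER]: print the ip(8) command for a /32 address on a
# point-to-point interface. With PEER the result matches the `inet 1.2.3.4 peer 5.6.7.8/32`
# state from the PR description; without PEER the interface keeps a plain /32.
peer_addr_cmd() {
    iface=$1
    local_ip=$2
    peer_ip=$3
    case "$iface" in
        ""|*[!A-Za-z0-9_.-]*) echo "peer_addr_cmd: bad interface name" >&2; return 1 ;;
    esac
    is_ipv4 "$local_ip" || { echo "peer_addr_cmd: bad local address '$local_ip'" >&2; return 1; }
    if [ -n "$peer_ip" ]; then
        is_ipv4 "$peer_ip" || { echo "peer_addr_cmd: bad peer address '$peer_ip'" >&2; return 1; }
        printf 'ip addr add dev %s local %s peer %s/32\n' "$iface" "$local_ip" "$peer_ip"
    else
        printf 'ip addr add dev %s local %s/32\n' "$iface" "$local_ip"
    fi
}

# Demonstration on the values from the PR description (commands are printed, not run).
peer_addr_cmd test 1.2.3.4 5.6.7.8
peer_addr_cmd test 1.2.3.4
peer_addr_cmd test 1.2.3.4 '5.6.7.8 dev eth0' || echo "rejected, as intended"
```

The whitelist `case` pattern is the part that matters for a config value that reaches a shell command line: it fails closed on anything that is not digits and dots, so a malformed or hostile `ippeer` produces an error instead of extra arguments to ip(8).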
Rebased on latest changes
This isn't a good rationale for adding a non standard knob that will be harder to claw back later when we risk breaking compatibility. I'll feel comfortable acking this if I'm more certain that there's no way for bird to do it, or that there's some important semantic place for ippeer. But if the reason amounts to, "because shell scripting is easier than C", I don't want to start taking shortcuts like that. Basically, either me or you or somebody else needs to find the time to really look deeply into this. @tohojo mentioned an interest in adding various forms of WireGuard support to bird at some point. Maybe he has a better idea of the architecture involved.
After double checking, ippeer is not present in NetworkManager either, so improving bird makes sense.
I don't really know anything about the OSPF implementation in Bird apart from the reply you linked above, sorry. As for adding Wireguard support to bird itself, my idea for that was to teach Bird about the wireguard interface type so it could both learn peers from it, and also update allowedips when it installs new routes. Which would make it possible to run Bird on a multi-peer wireguard link instead of using p2p links. That seems rather orthogonal to this, though...
ippeer is not really a good fit with addresses but I don't have a better idea for now.