The biggest impediment for my team to use innernet in production is the lack of routing capabilities of innernet.
I'd like to discuss and try to help to develop this, but first: Where is the proper place to do this? I joined the Discord channel, but it feels like a bot-driven gateway to a Matrix chat I do not know :-)
I think for most things a board is better than a chat, as it is easier to catch up at a later point, but anyhow - where should we discuss thoughts on improvements?
--
We started to discuss routing in #42, and I am sure also at other points, #22 at least.
I built a test rig with some single-board computers to do some tests, please see site2site with wireguard / innernet for a diagram, details, configs.
This test rig should help me to clarify what I need and how I built a solution in WireGuard times, and now I am aware (again) of the style of WireGuard's routing - the next section is for me to use my own words to recap it.
WireGuard makes the decision about what it sends to the VPN interface by the IP address of the target; the target needs to be part of the networks in the `AllowedIPs =` option of the peer configuration section. In this case WireGuard will use the connected public key to encrypt the payload and send it.
It is not sufficient to have a routing entry to your target bound to the VPN interface - you will get a `sendmsg: Required key not available` error. See https://www.wireguard.com/#cryptokey-routing
You will need something like this (see human peer for a real-world example):
```ini
[Interface]
PostUp = route add -net <lan behind vpn gateway> <vpn ip lan gateway>

[Peer]
AllowedIPs = <vpn network>, <lan behind vpn gateway>
```
And suitable `[Peer]` parts on the VPN server (see vpn server for a real-world example).
As innernet works differently (no central server), and the peers do not have a static config for other peers, we need the information about which networks are connected behind a VPN peer in the innernet server's database, to be able to search them and fetch the right public key to encrypt the traffic.
We would also need to fire hooks (same as Post/Pre-Up/Down in WireGuard) to add routing and/or firewall thingies.
Is there more we need to consider?
How can we support you at this point?
Aleks
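The cryptokey-routing behaviour described in the post above, as an added example that is not part of the original post and not WireGuard or innernet code: a small Python model of the sender side, showing that a route via the tunnel without a matching `AllowedIPs` entry fails, while route plus `AllowedIPs` selects the gateway's key. All addresses and key strings are constructed placeholders, and the class and function names are hypothetical.

```python
import ipaddress

class RequiredKeyNotAvailable(Exception):
    """Stands in for the kernel's "Required key not available" error."""

class CryptokeyTable:
    """Sender-side model: AllowedIPs map a destination to one peer key."""
    def __init__(self):
        self._entries = []  # list of (network, peer public key)

    def add_peer(self, public_key, allowed_ips):
        for cidr in allowed_ips:
            self._entries.append((ipaddress.ip_network(cidr), public_key))

    def peer_for(self, destination):
        addr = ipaddress.ip_address(destination)
        matches = [(net.prefixlen, key) for net, key in self._entries
                   if net.version == addr.version and addr in net]
        if not matches:
            raise RequiredKeyNotAvailable(destination)
        # Most specific AllowedIPs entry wins (longest prefix).
        return max(matches, key=lambda m: m[0])[1]

def send_via_wg(destination, wg_routes, table):
    """The kernel route selects the interface; AllowedIPs select the key."""
    addr = ipaddress.ip_address(destination)
    if not any(addr in ipaddress.ip_network(r) for r in wg_routes):
        return None  # no route via the tunnel: packet never reaches WireGuard
    return table.peer_for(destination)

# Constructed sample values (not from the post).
VPN_NET, LAN_BEHIND_GW = "10.66.0.0/24", "192.168.50.0/24"
GATEWAY_KEY, OTHER_KEY = "GATEWAY_PUBKEY_PLACEHOLDER", "OTHER_PUBKEY_PLACEHOLDER"
WG_ROUTES = [VPN_NET, LAN_BEHIND_GW]  # LAN route added, as PostUp would

def route_only():
    """Route to the LAN exists, but no peer lists it in AllowedIPs."""
    table = CryptokeyTable()
    table.add_peer(GATEWAY_KEY, ["10.66.0.2/32"])
    table.add_peer(OTHER_KEY, ["10.66.0.3/32"])
    return send_via_wg("192.168.50.10", WG_ROUTES, table)

def route_and_allowed_ips():
    """Gateway peer also carries the LAN in AllowedIPs."""
    table = CryptokeyTable()
    table.add_peer(GATEWAY_KEY, ["10.66.0.2/32", LAN_BEHIND_GW])
    table.add_peer(OTHER_KEY, ["10.66.0.3/32"])
    return send_via_wg("192.168.50.10", WG_ROUTES, table)
```

Calling `route_only()` raises `RequiredKeyNotAvailable`, while `route_and_allowed_ips()` returns the gateway peer's key.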