
How is Cloudflare handling IP allocation here? I might be misunderstanding how WireGuard works, but it doesn't look like there is an official method for dynamic IP assignment.



I would like to know the answer to this too :)

Maybe they are using one tunnel interface per customer, then always assign the same address to everybody and use policy routing to handle this (EDIT: just realized they might not be using the network stack at all for this and do something similar in their userspace implementation). This would not solve key exchange though. But maybe it is possible to accept any key (if the public key is transmitted this should be easy). Otherwise connecting probably requires requesting an IP address for your key prior to connecting via WireGuard to allow the endpoint to set up the required configuration.

This is really something WireGuard did not quite expect to be needed apparently. It is also hard to do dynamic routing with WireGuard, which could also possibly allow fully meshed networks directly on top of WireGuard, but I have not tried really hard yet. It would also be very useful to me to be able to have a CA so I do not have to update configuration everywhere. Last but not least, it's not possible to bridge the WireGuard interface at all. I have an experimental setup where I would like to use WireGuard as the sole network interface for a virtual machine, somewhat like advertised for containers where it works beautifully. However, it's not possible because it's not an Ethernet interface in Linux. Instead I have set up a VLAN on my switch and route traffic through WireGuard using my gateway. I would like to terminate the tunnels at the hypervisor a lot more, but don't want to route traffic there.

I think all of this boils down to the usage of their cryptographic routing and trickery around it to make it work as intended. I would probably abandon WireGuard if a fork allowed my use cases, as I am otherwise a really happy user.


From what I reckon this (and almost any other VPN, or even Tor) will give you the outside appearance of the IP of the exit node. Think like NAT.


He is most likely talking about the IP address inside the tunnel, which in the case of WireGuard is intertwined with the exchange of cryptographic keys. You cannot use a DHCP server as only unicast traffic is possible.
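The cryptokey routing the two comments above refer to is what binds a tunnel IP to a key: the AllowedIPs list per peer is both the outbound routing table and the inbound source filter, so there is no separate address-assignment step in the protocol. The toy model below is an added example written for this thread, not Cloudflare's or WireGuard's code. It assumes placeholder key strings instead of real base64 public keys and a constructed set of peers; the `allocate` method models the out-of-band "request an IP for your key before connecting" control-plane step that the first comment speculates about, which WireGuard itself does not define.

```python
"""Toy model of WireGuard-style cryptokey routing (added example, not from the thread).

Each peer is identified by its public key and owns a set of AllowedIPs.
Outbound: the destination IP picks the peer (longest prefix match) whose key
is used to encrypt. Inbound: a packet decrypted under a peer's key is kept
only if its inner source IP routes back to that same peer. The IP-to-key
binding therefore *is* the routing table, which is why DHCP does not fit.
"""
from ipaddress import ip_address, ip_network


class CryptokeyRouter:
    """Models one WireGuard interface's peer table.

    table maps allowed network -> owning peer key; peers maps key -> set of networks.
    """

    def __init__(self, pool=None):
        self.table = {}
        self.peers = {}
        # Optional pool for the out-of-band "give my key a tunnel IP" step
        # (hypothetical control plane, not part of WireGuard itself).
        self.pool = ip_network(pool) if pool else None
        self.next_host = 2  # skip .0 (network) and .1 (the server's own address)

    def add_peer(self, public_key, allowed_ips):
        self.peers.setdefault(public_key, set())
        for a in allowed_ips:
            net = ip_network(a, strict=False)
            owner = self.table.get(net)
            if owner is not None and owner != public_key:
                # As in WireGuard, a network listed for a new peer is taken
                # away from its previous owner; one network, one key.
                self.peers[owner].discard(net)
            self.table[net] = public_key
            self.peers[public_key].add(net)

    def lookup(self, ip):
        """Longest-prefix match over every AllowedIPs entry; returns the owning key."""
        addr = ip_address(ip)
        best = None
        for net, key in self.table.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, key)
        return best[1] if best else None

    def select_peer(self, dst_ip):
        """Outbound: the destination address decides which peer's key encrypts."""
        return self.lookup(dst_ip)

    def accept_inbound(self, peer_key, inner_src_ip):
        """Inbound: keep the packet only if the inner source routes back to the
        peer whose key authenticated it; anything else is silently dropped,
        so a peer with 0.0.0.0/0 still cannot impersonate another peer's /32."""
        return self.lookup(inner_src_ip) == peer_key

    def allocate(self, public_key):
        """Hypothetical out-of-band allocator: hand the next free host address
        in the pool to a key and install it as that peer's AllowedIPs."""
        if self.pool is None:
            raise ValueError("no pool configured")
        while True:
            addr = self.pool.network_address + self.next_host
            self.next_host += 1
            if addr >= self.pool.broadcast_address:
                raise RuntimeError("pool exhausted")
            net = ip_network(f"{addr}/{addr.max_prefixlen}")
            if net not in self.table:
                self.add_peer(public_key, [str(net)])
                return str(addr)


def demo():
    """Constructed sample peer table; key names are placeholders, not real keys."""
    r = CryptokeyRouter(pool="10.0.0.0/24")
    r.add_peer("PEER_A_KEY", ["10.0.0.2/32"])
    r.add_peer("PEER_B_KEY", ["10.0.0.3/32", "192.168.50.0/24"])
    r.add_peer("GATEWAY_KEY", ["0.0.0.0/0"])  # default route via one peer
    return r


if __name__ == "__main__":
    r = demo()
    print("8.8.8.8 ->", r.select_peer("8.8.8.8"))
    print("gateway claiming 10.0.0.2 accepted?", r.accept_inbound("GATEWAY_KEY", "10.0.0.2"))
    print("allocated for PEER_C_KEY:", r.allocate("PEER_C_KEY"))
```

Run it as a script to see the default route resolve to the gateway peer, the spoofed inner source from the gateway being rejected, and the allocator skipping the two addresses already bound to keys.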



