074861c30f229cfb4db3687c4c055a2cbc65df5e
howto/wireguard.md
... | ... | @@ -4,7 +4,7 @@ To quote the [homepage](https://www.wireguard.io/): |
4 | 4 | |
5 | 5 | # Example configuration for dn42 |
6 | 6 | |
7 | -Wireguard is a Layer3 VPN. In theory it allows multiple peers to be served with one interface/port, but it does internal routing based on the peer's public key. This means you will need one interface per peering on dn42 |
|
7 | +Wireguard is a Layer3 VPN. In theory it allows multiple peers to be served with one interface/port, but it does internal routing based on the peer's public key. This means **you will need one interface per peering** on dn42 |
|
8 | 8 | to allow your BGP daemon instead to do routing. This approach is comparable to [OpenVPN p2p tunnels](/howto/openvpn). |
9 | 9 | |
10 | 10 | First generate on each peer public and private keys. |
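Review bot: the bold span on line 7 closes before the sentence ends, so the emphasis reads as `**you will need one interface per peering** on dn42` with the reason (`to allow your BGP daemon instead to do routing`) left on line 8; either join lines 7 and 8 into one paragraph line or extend the emphasis over the whole sentence, and reword `instead` (for example `...so that your BGP daemon, rather than the tunnel, does the routing`). Two consistency nits in the same paragraph: it spells the product `Wireguard` and writes `Layer3`, while the new text added in the next hunk uses `WireGuard`; settle on `WireGuard` (the upstream spelling) and `Layer 3`. Finally, `it does internal routing based on the peer's public key` is imprecise: outgoing packets are matched to a peer by that peer's `AllowedIPs` table (cryptokey routing), which is exactly why one interface per peering is required once every peer is given `AllowedIPs = 0.0.0.0/0,::/0`; saying so here would connect this sentence to the later AllowedIPs warning.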
... | ... | @@ -33,6 +33,8 @@ Endpoint = <end_point_hostname_or_ip:port> |
33 | 33 | AllowedIPs = 0.0.0.0/0,::/0 |
34 | 34 | ``` |
35 | 35 | |
36 | +**Make sure that your AllowedIPs include the full dn42 ranges (`172.20.0.0/14`, `fd00::/8`) and not just your peer's next hop IPs!** AllowedIPs functions as a data plane restriction on which target IPs can go over each WireGuard tunnel. If this is misconfigured, you may see errors such as: `ping: sendmsg: Destination address required`. |
|
37 | + |
|
36 | 38 | ## Configure tunnel: |
37 | 39 | |
38 | 40 | Wireguard comes with its own interface type. |
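Review bot: the new warning on line 36 sits directly under the example that sets `AllowedIPs = 0.0.0.0/0,::/0` (line 33), which already covers the full dn42 ranges, so a reader who follows the example verbatim cannot hit the misconfiguration being described; state explicitly that the warning applies when someone narrows `AllowedIPs` away from the example's catch-all, e.g. `If you restrict AllowedIPs rather than using 0.0.0.0/0,::/0, make sure the list still includes the full dn42 ranges (172.20.0.0/14, fd00::/8) and not just your peer's next-hop IPs.` One accuracy point: `data plane restriction on which target IPs can go over each WireGuard tunnel` covers only the outbound direction, but `AllowedIPs` is also an inbound source-address filter (a packet arriving from a peer whose source IP lies outside that peer's `AllowedIPs` is dropped), so a too-narrow list breaks traffic in both directions even when the `ping: sendmsg: Destination address required` symptom on line 36 is not seen. The added blank line 37 is fine.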