I meant cleaning my schedule as a joke, but … well … 
-
One LAN or ten LANs, the only difference is that you’ll have one or ten routes and subnets in allowed-address. And it’s simple example focused on routing and WG, everything is allowed to communicate with everything else. If you’d like to limit something, it would be job for firewall, which is yet another independent layer.
-
Because it is. It’s safe default, it’s same as ethernet, which makes it easy to understand.
-
I was trying to explain relation between the two. How it’s possible to allow more in one and less in the other (or the other way around), but how it’s actually intersection between the two that matters in the end. And yes, it can probably be improved.
-
Fine by me. And as you can see, I have it as those separate black circles, which was supposed to suggest that it’s sort of separate.
-
I think it’s there, right after second image. For each peer you have to define what it can send and receive. And it mustn’t conflict between different peers (this part should probably be mentioned a bit earlier).
-
It’s simply because they are there, and if they should be able to pass through tunnel, they need to be listed as allowed.
-
It’s in the first part, the ethernet config (which is also shared when it’s WG).
-
See 6). The peer has them, you want them to be able to pass through tunnel (doesn’t matter if you actively try to communicate with them, or the communication is initiated by peer), they must be allowed.
-
If you mean 172.16.0.0/24 on B and C, instead of using only existing addresses (e.g. 172.16.0.1 and 172.16.0.3 on B), you can see it either as lazy shortcut or future proof config. Currently there are only .1, .2 and .3, but if I decide to add .4 for another client that won’t have subnet of its own (e.g. a phone), I won’t have to touch Router B or C and everything will work. Only changes needed will be on Router A and on this new client.
-
One thing, all addresses are real. If in 9) I mentioned another phone client, it will get 172.16.0.4/24 and it will be real address, the client will really have and use it. And again, it’s the basic networking, that’s how you’d do it with ethernet.
-
I’m not completely sure if I understand. But I guess it could be related to the past misunderstanding about what’s local and remote. Addresses 172.16.0.x/24 are in local subnet in relation to WG interface. Addresses 10.0.x.x/24 are remote subnets, because they are behind other routers.
It’s true that if you look at it from Router A, then address 172.16.0.2 (owned by Router B) is remote, because it’s on different router. But it’s still in local subnet. Here comes ethernet again. If you have all routers connected using switch, then even though address 172.16.0.2 is on remote router, it’s clearly in local subnet. Same way your PC 192.168.88.10/24 is in same local subnet with your router 192.168.88.1/24. That’s clear, right?
And the only difference with WG is that you don’t have any cables, only virtual links. Physically different, but logically the same thing.
- Important thing, this has nothing to do with just WG, it will happen with other interface types too.
Simple version, when router itself wants to send packet somewhere, it needs to select source address to use. Most common case is that it simply takes whatever address is on the interface where it sends the packet. So if you have your typical home router with 192.168.88.1/24 on LAN and 1.2.3.4 on WAN, then when destination is some 192.168.88.x in LAN, it will use 192.168.88.1 as source, and when it’s something else (e.g. when it checks for updates), it will choose 1.2.3.4, because packet is going to internet. It’s logical, right? But if outgoing interface doesn’t have any address, it doesn’t know what to choose and it fails. So there’s another option (which actually has precedence) and it’s pref-src address on route. When router decides to where it should send this packet, it first checks routes (it’s “routing decision” in some diagrams). It finds the best route, and if this route has pref-src, it will use it as source. And that’s it.
It just has to be some address owned by router, so if you have several LAN subnets, pick one address from any of them. Or completely different one, it would work too (but if it should be completely proper config, all other routers should be aware that this address is on this router, so they ideally should have routes to it; so it’s probably better to stick with something they already have route to). Or you can just keep the connecting subnet (172.16.0.x/24 in example) and not worry about pref-src.
Whether WG must allow this address, of course, it’s still the same thing as in 6) and 8), otherwise it couldn’t pass through tunnel.
-
See 12), I think it’s all explained there.
-
Pref-src is when router itself sends something. It doesn’t influence forwarded packets from other devices.
-
As described, don’t do it when it doesn’t give you any advantage. If you’re doing site to site tunnel and you don’t need another subnet at all, then it can make sense to skip addresses on WG interfaces. But if you do need some subnet, e.g. because you have several phones and each gets 172.16.0.x, then replacing address (172.16.0.1/24) on server’s WG interface with route (172.16.0.0/24) doesn’t help with anything, it’s not better in any way, it’s worse, don’t do it.
-
Yes.
-
No. It’s two different things, gateway and source address. You can have different combinations:
a1) WG interface with address 172.16.0.x/24, route with gateway=172.16.0.y => 172.16.0.x will be used as source
a2) WG interface with address 172.16.0.x/24, route with gateway= => 172.16.0.x will be used as source
b1) WG interface without address, route with gateway=172.16.0.y => won’t work at all (there won’t be any communication with remote subnet), because regular routing doesn’t know where 172.16.0.y is
b2) WG interface without address, route with gateway= => will need pref-src to fix source address
Difference between gateways is that:
a) gateway= clearly relies on WG’s crypto routing based on allowed addresses
b) gateway=172.16.0.y seems to use the specified gateway address, but it doesn’t really do that, it only finds out that 172.16.0.y should be reachable on (a1 above)
So while b) is correct, if you want to keep ethernet-like config, it in fact can be confusing, because you can’t really choose gateway (remote router) this way. For example, “/ip route add dst-address=10.0.1.0/24 gateway=172.16.0.3” on Router B wouldn’t work as it suggests at the first sight. It says that the subnet (10.0.1.0/24) is behing Router C (172.16.0.3), but if WG’s allowed-address says that it should be sent to Router A, it will win.
As for your outstanding issues, bring them back if you still have some after reading this. And if #2 is that thing, don’t even start with that. If you really (really) don’t understand why it’s completely wrong, I can try once more, but I don’t think I should have to do that, it’s such basic thing that it should be obvious (and again, it doesn’t have to do anything with WG).
And your examples:
- Allowed addresses are per-peer, you can’t have 192.168.35.0/24 to cover both peer 1 and 2. Each must have only their 192.168.35.x/32
- Same for 172.168.77.0/24, each peer on main router must have only own 192.168.77.x/32.
- Peers themselves (remote devices) can have allowed-address=172.168.77.0/24 for peer representing server, it will allow them to reach other peers via main server.
- Route dst-address=192.168.35.0/24 gwy=192.168.35.1 is nonsense, in first example you don’t have any 192.168.35.1. You could have your address-less dst-address=192.168.35.0/24 gwy=, but it’s better to not do that, as explained above.
- Other routes are correct (they would also work with gwy=, see 17).
- Address 192.168.35.1/24 in second example is correct.
- If peers have 172.168.77.x/24 on their WG interfaces, you don’t need pref-src for routes (see 17).
- Otherwise it would be pref-src=