WireGuard Archive on lore.kernel.org
* Re: Strange firewall dnat rule to make WireGuard work on dual-interface
From: James @ 2019-09-24 20:53 UTC
  To: wireguard

(Apologies in advance if this email gets orphaned. I don't understand how
mailing lists work.)

What I can see is that wireguard uses the default route interface as its
source IP for any outgoing packets. This means that if you receive a
connection request from eth1, if the default route is eth0 it will attempt
to send out on the IP of eth0.
By design or lack of features, it ignores which interface and IP the
incoming packet was received on.

I'm trying to do something similar to you but even with your IPtables I
can't get mine to work. I have a more complicated setup and I can't seem to
get the outbound packets to follow a routing table using a mark.
My current solution is to rebuild my vpns and iptables by changing my
routes to make wireguard reply by default on the correct interface for my
situation.

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Strange firewall dnat rule to make WireGuard work on dual-interface
From: Simone Rossetto @ 2019-10-04 12:52 UTC
  To: James; +Cc: wireguard

Hi James

On Wed 25 Sep 2019 at 10:51 James
<james.b.price@gmail.com> wrote:
> By design or lack of features, it ignores which interface and IP the incoming packet was received on.

Yes, it seems that.

> I'm trying to do something similar to you but even with your IPtables I can't get mine to work. I have a more complicated setup and I can't seem to get the outbound packets to follow a routing table using a mark.

Maybe I can help you... tell me which is your configuration and what
you need to accomplish.


Bye
Simone

* Re: Strange firewall dnat rule to make WireGuard work on dual-interface
From: James @ 2019-10-05 13:26 UTC
  To: Simone Rossetto; +Cc: wireguard

Thanks for the reply.
I was able to get it to work. I had an issue with my iptables when trying
to copy and understand your example.
I was using the NEW and RELATED,ESTABLISHED marking in the wrong way, which
resulted in forward marks being cleared for related and established packets.
All good now. Your original post is the best I've found in regards to
required iptables entries for a dual interface setup.

I still think this behavior is in "bug territory". The wg server should be
replying with the same ip address that it received packets on.

On Fri, 4 Oct 2019 at 08:52, Simone Rossetto <simros85@gmail.com> wrote:

> Hi James
>
> On Wed 25 Sep 2019 at 10:51 James
> <james.b.price@gmail.com> wrote:
> > By design or lack of features, it ignores which interface and IP the
> incoming packet was received on.
>
> Yes, it seems that.
>
> > I'm trying to do something similar to you but even with your IPtables I
> can't get mine to work. I have a more complicated setup and I can't seem to
> get the outbound packets to follow a routing table using a mark.
>
> Maybe I can help you... tell me which is your configuration and what
> you need to accomplish.
>
>
> Bye
> Simone
>

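Added example, not code from this thread or from Simone's original post (which is not on this page): one way to make a dual-uplink host answer WireGuard traffic that arrived on its second interface through that same interface, using a dedicated routing table, a CONNMARK set on NEW connections and restored only for ESTABLISHED,RELATED packets, which is the NEW versus RELATED,ESTABLISHED split the thread refers to. The interface names, addresses (192.0.2.0/24 documentation prefix, constructed), port, mark value and table number are all assumptions; edit the variables for a real host.

```sh
#!/bin/sh
# Added example, not code from the thread or from Simone's original post.
# Goal: a host whose default route is eth0 but which also accepts WireGuard
# handshakes on eth1 must send the replies back out eth1 instead of eth0.
# Every name and number below is an assumption for illustration; the
# addresses use the 192.0.2.0/24 documentation prefix (constructed).
set -eu

WAN2_IF="eth1"          # secondary uplink (assumed name)
WAN2_IP="192.0.2.10"    # address configured on eth1 (constructed)
WAN2_GW="192.0.2.1"     # upstream gateway reachable via eth1 (constructed)
WG_PORT="51820"         # WireGuard ListenPort (assumed)
MARK="0x2"    # fwmark meaning "arrived on eth1"; must not collide with wg-quick's FwMark
MASK="0xff"   # touch only the low byte so marks set by other tools survive
TABLE="102"   # dedicated routing table id (assumed unused)

# Print the commands, one per line, in the order they must be applied.
#  1. table 102 holds a single default route via eth1's gateway.
#  2. packets the host itself generates with eth1's address as source
#     (the WireGuard socket replying to the address it was reached on)
#     are routed with table 102 regardless of the main default route.
#  3. packets carrying the mark are routed with table 102 too; this
#     covers forwarded/DNAT'd flows and any other marked connection
#     whose source address is not eth1's own.
#  4. loose reverse-path filtering on eth1: with the default route on
#     eth0, strict mode (1) would drop inbound packets on eth1 from
#     sources the main table reaches via eth0. The kernel uses the max
#     of conf/all and conf/eth1, so setting eth1 to 2 is enough.
#  5. only the first packet of a flow is NEW, so the mark is stored on
#     the conntrack entry (CONNMARK), not on the packet, which is gone
#     by the time the reply is built. Drop the -p udp --dport match to
#     mark every connection that arrives on eth1.
#  6. later inbound packets of marked connections get the mark back.
#  7. locally generated reply packets traverse mangle OUTPUT; the reply
#     direction of an existing conntrack entry matches ESTABLISHED, the
#     restored mark changes the packet mark after the first route lookup
#     and netfilter re-routes it, so rule 3 now applies. Restoring with
#     a mask, and only for ESTABLISHED,RELATED, matters: restoring from
#     a connection whose ctmark is still 0 (every NEW one) would clear a
#     packet mark set earlier in the chain.
wg_dualif_rules() {
    cat <<EOF
ip route replace default via $WAN2_GW dev $WAN2_IF table $TABLE
ip rule add from $WAN2_IP lookup $TABLE priority 100
ip rule add fwmark $MARK/$MASK lookup $TABLE priority 101
sysctl -w net.ipv4.conf.$WAN2_IF.rp_filter=2
iptables -t mangle -A PREROUTING -i $WAN2_IF -p udp --dport $WG_PORT -m conntrack --ctstate NEW -j CONNMARK --set-xmark $MARK/$MASK
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --nfmask $MASK --ctmask $MASK
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --nfmask $MASK --ctmask $MASK
EOF
}

# Dry run by default: print the commands so they can be reviewed.
# Run with --apply (as root) to execute them one by one.
case "${1:-}" in
    --apply)
        wg_dualif_rules | while IFS= read -r cmd; do
            printf '+ %s\n' "$cmd"
            sh -c "$cmd"
        done ;;
    *)
        wg_dualif_rules ;;
esac
```

Run it once without arguments to review the generated commands, then with --apply as root; for IPv6 repeat the same with ip -6 and ip6tables, skipping the rp_filter line (IPv4 only). Check the result with `ip rule show` and `ip route show table 102`, and with `conntrack -L --mark 0x2` if conntrack-tools is installed, which lists the connections that received the mark. If wg-quick is used with a Table= setting, it sets its own FwMark on the WireGuard socket; keep MARK and MASK clear of that value.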
