WireGuard Archive on lore.kernel.org
From: James <james.b.price@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Re: Strange firewall dnat rule to make WireGuard work on dual-interface
Date: Tue, 24 Sep 2019 16:53:43 -0400
Message-ID: <CA+kUo267JEndBxav--GABQ3o02ZXMOVmktB1ZW2R6Tzx-X0v-Q@mail.gmail.com>

(Apologies in advance if this email gets orphaned. I don't understand how
mailing lists work.)

What I can see is that WireGuard uses the default route interface as its
source IP for any outgoing packets. This means that if you receive a
connection request from eth1, if the default route is eth0 it will attempt
to send out on the IP of eth0.
By design or lack of features, it ignores which interface and IP the
incoming packet was received on.

I'm trying to do something similar to you but even with your iptables I
can't get mine to work. I have a more complicated setup and I can't seem to
get the outbound packets to follow a routing table using a mark.
My current solution is to rebuild my VPNs and iptables by changing my
routes to make WireGuard reply by default on the correct interface for my
situation.

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
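The mechanism the post is wrestling with is source-address selection on a multi-homed host: whichever address the WireGuard reply carries, the kernel still picks the outgoing interface from the main routing table, so a handshake that arrived on eth1 can be answered through eth0. The script below is an added example, not James's configuration or anything from the thread: it builds a source-based policy-routing plan (a dedicated table per secondary interface plus an `ip rule from <address>` selector) instead of the fwmark approach the post mentions. The interface names, addresses, gateway and table number are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Source-based policy
# routing so a multi-homed WireGuard host answers out of the interface whose
# address the handshake was received on. All names/addresses are constructed.
#
# Usage: sh wg-policy-routing.sh          # print the plan (dry run)
#        APPLY=1 sh wg-policy-routing.sh  # execute each command (needs root)

# Emit the ip(8)/sysctl(8) commands for one secondary interface.
#   $1 interface  $2 its local address  $3 its gateway  $4 routing table id
plan_iface() {
    iface="$1"; addr="$2"; gw="$3"; table="$4"
    # A dedicated table whose only default route leaves via this interface.
    echo "ip route replace default via $gw dev $iface table $table"
    # Packets sourced from this interface's address consult that table,
    # so a reply carrying $addr is steered out $iface rather than following
    # the main table's default route (the behaviour described in the post).
    echo "ip rule add from $addr table $table priority $((1000 + table))"
    # Loose reverse-path filtering: keep a source check on this interface
    # without dropping traffic whose return path is decided by the rule above.
    echo "sysctl -w net.ipv4.conf.$iface.rp_filter=2"
}

# The whole plan: main table (eth0 default route) is left untouched; each
# additional interface gets its own table. Constructed placeholder values.
plan() {
    plan_iface eth1 198.51.100.10 198.51.100.1 101
}

# Number of commands in the plan, for a quick sanity check before applying.
plan_count() { plan | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = "1" ]; then
    plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
else
    plan
fi
```

Run it without `APPLY` first and read the plan; `ip rule show` and `ip route show table 101` afterwards confirm the rule and table took effect. Adding a second `plan_iface` line per extra interface (each with its own table id) extends this to more than two uplinks.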

Thread overview: 2+ messages
2019-09-24 20:53 James [this message]
2019-10-04 12:52 ` Simone Rossetto
