WireGuard Archive on lore.kernel.org
* Re: Strange firewall dnat rule to make WireGuard work on dual-interface
@ 2019-09-24 20:53 James
  2019-10-04 12:52 ` Simone Rossetto
  0 siblings, 1 reply; 2+ messages in thread
From: James @ 2019-09-24 20:53 UTC (permalink / raw)
  To: wireguard

(Apologies in advance if this email gets orphaned. I don't understand how
mailing lists work.)

What I can see is that wireguard uses the default route interface as its
source IP for any outgoing packets. This means that if you receive a
connection request from eth1, if the default route is eth0 it will attempt
to send out on the IP of eth0.
By design or lack of features, it ignores which interface and IP the
incoming packet was received on.

I'm trying to do something similar to you but even with your iptables I
can't get mine to work. I have a more complicated setup and I can't seem to
get the outbound packets to follow a routing table using a mark.
My current solution is to rebuild my VPNs and iptables by changing my
routes to make wireguard reply on the correct interface by default for my
situation.

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

* Re: Strange firewall dnat rule to make WireGuard work on dual-interface
  2019-09-24 20:53 Strange firewall dnat rule to make WireGuard work on dual-interface James
@ 2019-10-04 12:52 ` Simone Rossetto
  0 siblings, 0 replies; 2+ messages in thread
From: Simone Rossetto @ 2019-10-04 12:52 UTC (permalink / raw)
  To: James; +Cc: wireguard

Hi James

On Wed, 25 Sep 2019 at 10:51, James
<james.b.price@gmail.com> wrote:
> By design or lack of features, it ignores which interface and IP the incoming packet was received on.

Yes, it seems so.

> I'm trying to do something similar to you but even with your IPtables I can't get mine to work. I have a more complicated setup and I can't seem to get the outbound packets to follow a routing table using a mark.

Maybe I can help you... tell me what your configuration is and what
you need to accomplish.


Bye
Simone