WireGuard Archive on lore.kernel.org
* Re: Strange firewall dnat rule to make WireGuard work on dual-interface
@ 2019-09-24 20:53 James
  2019-10-04 12:52 ` Simone Rossetto
  0 siblings, 1 reply; 2+ messages in thread
From: James @ 2019-09-24 20:53 UTC (permalink / raw)
  To: wireguard


(Apologies in advance if this email gets orphaned. I don't understand how
mailing lists work.)

What I can see is that WireGuard uses the default route interface as its
source IP for any outgoing packets. This means that if you receive a
connection request from eth1, if the default route is eth0 it will attempt
to send out on the IP of eth0.
By design or lack of features, it ignores which interface and IP the
incoming packet was received on.

I'm trying to do something similar to you, but even with your iptables rules I
can't get mine to work. I have a more complicated setup and I can't seem to
get the outbound packets to follow a routing table using a mark.
My current solution is to rebuild my VPNs and iptables by changing my
routes to make WireGuard reply on the correct interface by default for my
situation.



_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
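The message above concerns getting WireGuard's replies to leave through the interface the handshake arrived on, by steering outbound packets into a separate routing table with a mark. The following is an added example, not code from this thread or from the WireGuard project: a policy-routing setup for a dual-homed Linux host that combines a connection mark (so a reply inherits the mark of the packet that created the conntrack entry), an `ip rule` that sends marked traffic through a second table, and a POSTROUTING SNAT that rewrites the source address for the case where the reply was first routed with the default-route interface's address. The interface names eth0/eth1, the RFC 5737 documentation addresses, table 100, mark 0x1 and port 51820 are assumptions chosen for illustration; substitute your own. Without arguments the script only prints the commands; with APPLY=1, run as root, it executes them.

```shell
#!/bin/sh
# Added example (not from the thread or the WireGuard project): make replies
# to WireGuard peers that reached the secondary uplink leave via that uplink.
# Assumed topology: eth0 carries the default route, eth1 is the second uplink.
# All names, addresses, the table number and the mark value are assumptions.

WAN2_IF="${WAN2_IF:-eth1}"            # assumed secondary uplink
WAN2_ADDR="${WAN2_ADDR:-203.0.113.10}" # assumed address on that uplink
WAN2_GW="${WAN2_GW:-203.0.113.1}"      # assumed gateway on that uplink
WG_PORT="${WG_PORT:-51820}"            # WireGuard ListenPort
TABLE=100                              # secondary routing table
MARK=0x1                               # connection/packet mark for eth1 flows

# Print the command, or execute it when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

policy_routing_rules() {
    # Second table whose default route points out of eth1.
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"

    # Packets already sourced from eth1's address go through that table.
    run ip rule add from "$WAN2_ADDR" lookup "$TABLE" priority 100
    # Packets carrying the mark go through it as well.
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 101

    # Remember which WireGuard connections arrived on eth1 ...
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -p udp --dport "$WG_PORT" \
        -j CONNMARK --set-mark "$MARK"
    # ... and copy that mark onto locally generated replies so the fwmark
    # rule fires and the packet is rerouted through table 100.
    run iptables -t mangle -A OUTPUT -p udp --sport "$WG_PORT" \
        -j CONNMARK --restore-mark

    # The reply was route-looked-up before the mark was restored, so its
    # source may still be eth0's address; rewrite it as it leaves eth1.
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -p udp --sport "$WG_PORT" \
        -j SNAT --to-source "$WAN2_ADDR"

    # Strict reverse-path filtering would drop inbound packets on eth1 whose
    # best route back (main table) is via eth0; use loose mode on eth1.
    run sysctl -w "net.ipv4.conf.$WAN2_IF.rp_filter=2"
}

policy_routing_rules
```

Two things to check after applying: `ip rule show` should list the two rules above the main table, and `ip route show table 100` should contain only the eth1 default route. `ip rule add` is not idempotent, so running the script twice adds duplicate rules; delete them with `ip rule del` before re-running. The example covers IPv4 only; an IPv6 uplink needs the same rules with `ip -6` and `ip6tables`.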

