<div dir="ltr"><div class="markdown-here-wrapper" style=""><p style="margin:0px 0px 1.2em!important">TCP connections work all right, as they’re established sockets, where the kernel does the routing… I assumed you would search for the route yourself ;-)<br><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">rcu_dereference_bh(rt->dst.dev->ip_ptr)</code> indeed does, as the packet effectively comes in through the uplink.</p>
<p style="margin:0px 0px 1.2em!important">In the firewall config I need to specify both interfaces (Uplink and Public (eth1 and eth0 in the drawing)) to filter</p>
<p style="margin:0px 0px 1.2em!important"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">nft add rule ip filter input iif {Uplink,Public} jump public</code> and define my rules in the public chain<br><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">nft add rule ip filter public ip daddr 134.56.78.5 udp dport 443 accept</code> so a packet coming in on Uplink for the wg gets accepted only if the dst ip matches.</p><p style="margin:0px 0px 1.2em!important">nftables FTW ;-)</p>
<p style="margin:0px 0px 1.2em!important">That in se is not very important if you have only one uplink, but if you have multiple routes (default gw’s) you really need the ip behind the uplinks.</p><p style="margin:0px 0px 1.2em!important">But anyway, tested and confirmed to work now.</p><p style="margin:0px 0px 1.2em!important">Many thanks for the quick reply</p>
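<p style="margin:0px 0px 1.2em!important">The filtering scheme described above, written out as a complete nftables ruleset file (an added example, not part of the thread): the interface names Uplink/Public, the address 134.56.78.5 and the UDP port 443 come from the mail; the default-drop policy, the state-tracking rules and the counter/log on rejected packets are assumptions added here so that tunnel traffic sent to the wrong address is visible rather than silently dropped.</p>

```nft
# Added example ruleset (not from the thread). Interface names and the
# address/port are taken from the mail; policy, ct rules and the
# counter/log line are assumptions.
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to established flows are already routed by the kernel,
        # so they need no per-address check here.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Packets arriving on either interface go through one chain,
        # so the destination-address check applies to both.
        iif { Uplink, Public } jump public
    }

    chain public {
        # Weak form (kept commented out for comparison): accepts the
        # WireGuard port no matter which local address was targeted.
        # udp dport 443 accept

        # Hardened form: only the public address may receive tunnel traffic,
        # even when the packet physically arrives through Uplink.
        ip daddr 134.56.78.5 udp dport 443 accept

        # Count and log everything else so mis-addressed packets show up.
        counter log prefix "public-drop: " drop
    }
}
```

<p style="margin:0px 0px 1.2em!important">Load it with <code>nft -f &lt;file&gt;</code>; <code>nft -c -f &lt;file&gt;</code> checks the syntax without installing it.</p>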
</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <<a href="mailto:Jason@zx2c4.com">Jason@zx2c4.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Jan,<br>
<br>
Thanks for the drawing. So the issue is that you want packets to exit<br>
through eth1 using the addresses of eth0. I believe applying this<br>
patch should enable that: <a href="http://ix.io/z3d" rel="noreferrer" target="_blank">http://ix.io/z3d</a> Can you apply that and let<br>
me know if it works?<br>
<br>
I'm curious: do TCP connections generally work correctly with your<br>
configuration?<br>
<br>
Jason<br>
</blockquote></div>