<div dir="ltr"><div class="markdown-here-wrapper" style=""><p style="margin:0px 0px 1.2em!important">Jason,<br>To elaborate on <a href="https://lists.zx2c4.com/pipermail/wireguard/2017-August/001598.html">https://lists.zx2c4.com/pipermail/wireguard/2017-August/001598.html</a>, there is something that can be clarified …</p>
<p style="margin:0px 0px 1.2em!important">I have a multihomed server (our router for everything) attached to a core switch with VLANs, and the router runs Open vSwitch (but that’s beside the point).</p>
<p style="margin:0px 0px 1.2em!important">We run a bunch of wg peers, interconnected to each other (30 or so), but most connect directly to our router.</p>
<p style="margin:0px 0px 1.2em!important">The router has an <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Uplink</code> interface with a /30 and I use that interface solely to forward packets to our (bgp routed) default gw (Provider).</p>
<p style="margin:0px 0px 1.2em!important">On the same router, I have a <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Public</code> interface, also with a public IP (/24), and on the router itself I have some IP addresses used for DNAT, here specifically one for WireGuard (so NOT the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Uplink</code> IP address).</p>
<p style="margin:0px 0px 1.2em!important">When WireGuard clients connect, their config shows their peer to be the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Uplink</code> IP address instead of the IP on the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Public</code> interface that was specifically assigned for WireGuard (<code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">wgsrv</code>), and as such packets sent to the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Uplink</code> IP address were dropped by the firewall.</p>
<p style="margin:0px 0px 1.2em!important">You might say: open up the port for WireGuard on the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Uplink</code> and off you go. Which I did, to solve my immediate problem. (I still find it ugly.)</p>
<p style="margin:0px 0px 1.2em!important">But now we’re getting a second provider in da house, which will be connected the same way as the other, with that link being <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Uplink2</code>. So now I <em>really</em> need my BGP-routed <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Public</code> IP address to be the sole address answering WireGuard IP packets, so that I can be sure that if one of my BGP peers dies, the same <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">Public</code> IP address is used by the clients, not the one WireGuard deduces from the subnet with the default route.</p>
<p style="margin:0px 0px 1.2em!important">Now, WireGuard will use the incoming <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">UplinkX</code> IP as source and advertise it to the clients connected through either one that has the same metric and routing policy.</p>
<p style="margin:0px 0px 1.2em!important">Voila… in a nutshell ;-)</p>
<p style="margin:0px 0px 1.2em!important">Jan</p>
</div></div>