FR: interface ListenAddress (Aka:Multihomed server issue)

Jan De Landtsheer jan.delandtsheer at
Thu Aug 10 22:50:15 CEST 2017

TCP connections work all right, as they’re established sockets, where the
kernel does the routing… I assumed you would search for the route yourself;
rcu_dereference_bh(rt->ip_ptr) indeed does, as the packet
effectively comes in through the uplink.

In the firewall config I need to specify both interfaces (Uplink and Public,
eth1 and eth0 in the drawing) to filter

nft add rule ip filter input iif {Uplink,Public} jump public and define my
rules in the public chain
nft add rule ip filter public ip daddr udp dport 443 accept so
a packet coming in on Uplink for the wg gets accepted only if the dst ip

nftables FTW ;-)

That in se is not very important if you have only one uplink, but if you
have multiple routes (default gw’s) you really need the ip behind the

But anyway, tested and confirmed to work now,

Many thanks for the quick reply

On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <Jason at> wrote:

> Hi Jan,
> Thanks for the drawing. So the issue is that you want packets to exit
> through eth1 using the addresses of eth0. I believe applying this
> patch should enable that: Can you apply that and let
> me know if it works?
> I'm curious: do TCP connections generally work correctly with your
> configuration?
> Jason
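Jan's two nft rules written out as a complete ruleset, as an added example that is not part of the original post. The interface names (eth1 = Uplink, eth0 = Public) come from the drawing and UDP 443 from the post; the address 203.0.113.10 is a placeholder for the public address omitted above, and the drop policy on input is an assumption.

```nft
# Added example, not the poster's own ruleset. eth1 = Uplink, eth0 = Public
# (from the drawing); 203.0.113.10 is a placeholder for the public address.
define uplink  = eth1
define public  = eth0
define wg_addr = 203.0.113.10
define wg_port = 443

table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # replies to traffic this host originated, and loopback
        ct state established,related accept
        iif lo accept

        # inbound packets for the public address may arrive on either
        # interface (the uplink carries them when the route points there),
        # so both interfaces are sent to the same chain
        iif { $uplink, $public } jump public
    }

    chain public {
        # accept WireGuard traffic only when it is really addressed to the
        # public address, whichever interface it came in on; anything else
        # falls back to the input chain's drop policy
        ip daddr $wg_addr udp dport $wg_port accept
    }
}
```

`iif` matches by interface index and so requires both interfaces to exist when the ruleset is loaded with `nft -f`; `iifname` is the name-based alternative if an interface can appear later.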
