FR: interface ListenAddress (Aka:Multihomed server issue)

Jan De Landtsheer jan.delandtsheer at
Thu Aug 10 23:00:47 CEST 2017

Seeing the latest & greatest, this patch will not apply cleanly, so I don't
know ... is this train of thought going to be kept for later releases?

On Thu, Aug 10, 2017 at 10:50 PM Jan De Landtsheer <
jan.delandtsheer at> wrote:

> TCP connections work all right, as they’re established sockets, where the
> kernel does the routing… I assumed you would search for the route yourself
> ;-)
>
> rcu_dereference_bh(rt->>ip_ptr) indeed does , as the packet
> effectively comes in through the uplink.
>
> In the firewall config I need to specify both interfaces (Uplink and
> Public (eth1 and eth0 in the drawing)) to filter
> nft add rule ip filter input iif {Uplink,Public} jump public
> and define my rules in the public chain
> nft add rule ip filter public ip daddr udp dport 443 accept
> so a packet coming in on Uplink for the wg gets accepted only if the dst ip
> matches.
> nftables FTW ;-)
>
> That in se is not very important if you have only one uplink, but if you
> have multiple routes (default gw’s) you really need the ip behind the
> uplinks.
>
> But anyway, tested and confirmed to work now,
> Many thanks for the quick reply
>
> On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <Jason at>
> wrote:
>> Hi Jan,
>>
>> Thanks for the drawing. So the issue is that you want packets to exit
>> through eth1 using the addresses of eth0. I believe applying this
>> patch should enable that: Can you apply that and let
>> me know if it works?
>>
>> I'm curious: do TCP connections generally work correctly with your
>> configuration?
>>
>> Jason