Ability to use one udp port for multiple wg interfaces

Jason A. Donenfeld Jason at zx2c4.com
Tue May 2 18:32:56 CEST 2017


On Tue, May 2, 2017 at 11:56 AM, Damian Kaczkowski
<damian.kaczkowski at gmail.com> wrote:
> Hello Janson.

My name is Jason.

> 3. Well, if one uses a firewall to control flows between zones in an environment
> with mixed protocols (e.g. gre, ipsec, openvpn and so on), then using a second
> tool just to control only WireGuard ACLs is not a very convenient way from an
> administrative point of view. Also, in the case where a peer is roaming and
> changing its source IP (e.g. road warrior), maintaining WireGuard ACLs
> will be a huge PITA, if not impossible at large scale.

No, you are wrong. Allowed-ips controls the IP addresses _within_ the
tunnel. Thus your iptables rules can use "-i wg0 -s 10.0.0.3/32" or
similar to match a _precise_ peer.


> 4. Does WireGuard have some means so that iptables can easily differentiate
> tunnels (peers) and put them in the appropriate 'zone'? Like e.g.
> iptables -m policy --help
> iptables -m ah --help
> iptables -m esp --help
>
> Or something similar?

WireGuard has gone out of its way to explicitly avoid this brain
damage. Use the allowed-ips concept instead.
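The allowed-ips approach described in the reply above, worked through as an added example (this is not code from the mailing list post or from the WireGuard project). It takes a constructed wg0.conf in which each [Peer] section carries a hypothetical "# zone = NAME" comment, and derives one iptables rule per AllowedIPs prefix that matches "-i wg0 -s PREFIX". The interface name wg0, the zone comment convention and the ZONE_* chain names are assumptions made for the example. The reason the match is precise is WireGuard's cryptokey routing: a decrypted packet whose inner source address is outside the sending peer's AllowedIPs is dropped before it reaches netfilter, so the inner source identifies the peer no matter what outer endpoint address a roaming peer currently uses.

```shell
#!/bin/sh
# Added example, not from the original post or the WireGuard project.
# Assumptions: interface wg0, a "# zone = NAME" comment under each [Peer],
# and pre-existing iptables chains named ZONE_<NAME> (all hypothetical).

# Constructed sample configuration, embedded inline so this runs offline.
WG_CONF='[Interface]
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# zone = trusted
PublicKey = PEER_A_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32, 10.0.0.3/32

[Peer]
# zone = guest
PublicKey = PEER_B_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.10/32
Endpoint = 203.0.113.7:51820
'

# gen_rules IFACE CONF
# Emits one "iptables -A FORWARD -i IFACE -s PREFIX -j ZONE_<NAME>" line per
# AllowedIPs prefix, then a fail-closed default drop for the interface.
# A peer without a zone comment gets DROP. A catch-all prefix (0.0.0.0/0 or
# ::/0) is flagged, because a source match on it no longer singles out one
# peer; allowed-ips only identifies a peer when prefixes are specific.
gen_rules() {
    iface=$1
    conf=$2
    printf '%s\n' "$conf" | awk -v iface="$iface" '
        /^\[Peer\]/ { zone = ""; next }
        /^# *zone *=/ { sub(/^# *zone *= */, ""); zone = $0; next }
        /^AllowedIPs *=/ {
            sub(/^AllowedIPs *= */, "")
            n = split($0, prefixes, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                if (prefixes[i] == "") continue
                if (prefixes[i] == "0.0.0.0/0" || prefixes[i] == "::/0")
                    print "# WARNING: catch-all AllowedIPs cannot identify a single peer"
                if (zone == "") target = "DROP"; else target = "ZONE_" toupper(zone)
                printf "iptables -A FORWARD -i %s -s %s -j %s\n", iface, prefixes[i], target
            }
        }'
    # Anything arriving on the tunnel that no peer rule matched is dropped.
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$iface"
}

# Usage: print the rule set for the constructed configuration.
gen_rules wg0 "$WG_CONF"
```

The generated lines are meant to be reviewed and then applied (or fed to iptables-restore) by whatever already manages the rest of the firewall; the point is that a WireGuard peer is addressed in the firewall by its inner prefix on the wg interface, not by its outer UDP endpoint, so roaming peers need no rule changes.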

