Ability to bind wireguard to specific interface / ip address

Jason A. Donenfeld Jason at zx2c4.com
Thu May 11 13:44:09 CEST 2017

Hi Damian,

Indeed right now WireGuard lets you specify a "listen port", but then
defaults to opening two sockets, one for v4 and one for v6, on the ANY
address. This generally isn't a problem because WireGuard is silent
unless it's sent fully authenticated packets. For ease of use, I
figured that it should accept these from anywhere, since if it's
authenticated, it's authenticated. But there is the sysadmin concern
of wanting to run other services on the same port, like a local DNS
resolver on 53. I can't think of a clean interface for allowing this,
however. Maybe you have some ideas? For example, if I simply allow
specifying IP:port, then how does this work for supporting v4&v6?
Maybe I should then allow for specifying an arbitrarily large sized
list of IP:port combos, and reserve one special case one for "both v4
and v6"? But this gets super complicated and I don't want that. Or
maybe I should rely on using the v6-mapped-v4 hack, except this isn't
available on all systems and isn't really efficient for what we're
doing inside WireGuard. So, hmm... I couldn't come up with a clean way
of doing this, so I just stuck with the simplest thing I could think
of... Ideas?


More information about the WireGuard mailing list