Wireguard and VRFs?
joerg at higgsboson.tk
Wed Sep 20 12:01:59 CEST 2017
You assign a firewall mark to each WireGuard interface to route through a dedicated routing table using ip rule.
wg-quick uses this feature, for example, when you redirect 0.0.0.0 via a VPN interface:
$ wg-quick up mullvad
[#] ip link add mullvad type wireguard
[#] wg setconf mullvad /dev/fd/63
[#] ip address add 10.99.1.142/32 dev mullvad
[#] ip address add fc00:bbbb:bbbb:bb01::18e/128 dev mullvad
[#] ip link set mtu 1420 dev mullvad
[#] ip link set mullvad up
[#] wg set mullvad fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
On 2017-09-20 04:12, Florian Werner wrote:
> Hi Jason,
> does WireGuard support binding to a specific interface?
> For a gre interface, e.g., it is possible with
> ip tunnel add name gre0 mode gre remote 188.8.131.52 dev eth0
> to bind the gre0 interface to eth0.
> Quoting ip-tunnel(8):
> dev NAME
> bind the tunnel to the device NAME so that tunneled
> packets will only be routed via this device and will
> not be able to escape to another device when the route
> to endpoint changes.
> But I don't think ip link supports this.
> The question is, why are there 2 commands to create new
> interfaces (ip link add, ip tunnel add)...
> With binding support one can simply bind to a vrf master
> interface and all outer traffic is sent to the associated
> routing table. Using vrf instead of network namespaces has
> the advantage of allowing daemons to operate in multiple
> vrfs (e.g. routing daemons), whereas network namespaces are
> more separated but also don't allow much communication.
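The fwmark-based policy routing shown in the wg-quick transcript above, written out as a small POSIX shell script. This is an added example, not code from the original mail or from the wg-quick project; the function names `wg_fwmark_up`/`wg_fwmark_down`, the `DRY_RUN` switch and the helper `run` are my own. It assumes, as wg-quick does, that one number (the interface's listen port, 51820 in the transcript) serves as both the fwmark and the routing-table id, and it only emits the IPv4 rules shown in the transcript. With `DRY_RUN=1` (the default) the commands are printed instead of executed, so the script can be read and run unprivileged; with `DRY_RUN=0` it needs root.

```shell
#!/bin/sh
# Added example (not part of the original mail): reproduce the policy-routing
# steps wg-quick performs for a "route 0.0.0.0/0 via the tunnel" setup.
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[#] %s\n' "$*"
    else
        "$@"
    fi
}

# wg_fwmark_up IFACE MARK [TABLE]
# MARK tags the encrypted outer UDP packets WireGuard sends to its peers;
# TABLE (default: same number as MARK, as wg-quick does) holds the
# "everything into the tunnel" default route.
wg_fwmark_up() {
    iface="$1"; mark="$2"; table="${3:-$2}"

    # Outer packets get the mark, so the rules below can tell them apart
    # from plaintext traffic that should enter the tunnel.
    run wg set "$iface" fwmark "$mark"

    # The dedicated table contains only a default route into the tunnel.
    run ip -4 route add 0.0.0.0/0 dev "$iface" table "$table"

    # Unmarked (plaintext) packets are sent to the dedicated table;
    # marked outer packets skip it and fall through to the main table,
    # where the route to the real endpoint lives.
    run ip -4 rule add not fwmark "$mark" table "$table"

    # Rules added without an explicit priority are inserted ahead of the
    # existing ones, so this rule is evaluated before the one above:
    # main-table routes for specific prefixes (LAN, endpoint host) still
    # win, but main's own default route (prefix length 0) is suppressed,
    # which is what forces plaintext traffic into the tunnel.
    run ip -4 rule add table main suppress_prefixlength 0
}

# wg_fwmark_down IFACE MARK [TABLE]: undo the rules and flush the table.
wg_fwmark_down() {
    iface="$1"; mark="$2"; table="${3:-$2}"
    run ip -4 rule delete table main suppress_prefixlength 0
    run ip -4 rule delete not fwmark "$mark" table "$table"
    run ip -4 route flush table "$table"
    run wg set "$iface" fwmark 0
}

# Usage: sh script.sh up|down IFACE MARK [TABLE]
case "${1:-}" in
    up)   shift; wg_fwmark_up "$@" ;;
    down) shift; wg_fwmark_down "$@" ;;
esac
```

Run `DRY_RUN=1 sh script.sh up mullvad 51820` to see the same four `[#]` lines the transcript shows after `ip link set mullvad up`; `ip rule show` and `ip route show table 51820` on a live system confirm the rules and route are in place, and `wg show mullvad fwmark` confirms the mark.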