Sending just ssh traffic via wg

Jason A. Donenfeld Jason at
Thu Oct 4 20:56:00 CEST 2018

Hey Konstantin,

When you're doing policy routing with packets that are being forwarded
by the system -- a router, for example -- then the prerouting table is
sufficient. But for locally generated packets, you have to use the
OUTPUT table and also probably MASQUERADE. I just reproduced
everything here and confirm this works:

ip route add default dev wg0 table 2468
ip rule add fwmark 1234 table 2468
wg set wg0 peer [...] allowed-ips
sysctl net.ipv4.conf.wg0.rp_filter=0
iptables -t nat -A POSTROUTING -p tcp --dport 22 -m addrtype --src-type LOCAL -j MASQUERADE
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1234

That works pretty well for me. If you don't want to disable rp_filter,
you can do a little dance of setting and restoring the connmark in
egress and ingress so that incoming packets are matched against that
routing table too.

Alternatively, if your goal is actually to just send certain processes
through the tunnel, you have three more options:
- Network namespaces, and then `ip netns exec chicken ssh ...`
- VRFs, and then `ip vrf exec chicken ssh ...`
- Cgroups and net_cls.

All three work well and are differently convenient depending on your
needs. I wrote up the netns stuff on but haven't
gotten around to documenting VRFs and cgroups with wireguard, but they
in fact should work the same as for every other situation that uses
those, so any old tutorial will do.
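
The connmark alternative to disabling rp_filter that the message mentions, written out as an added example; it is not part of the original email. It reuses the email's values (wg0, mark 1234, table 2468, port 22) and assumes the peer's allowed-ips are already configured. The `src_valid_mark` sysctl is an addition the email does not mention: it makes the reverse-path check take the restored mark into account.

```shell
#!/bin/sh
# Added example: the email's port-22 policy routing with rp_filter left enabled.
# Dry run by default (prints the commands); APPLY=1 executes them and needs root.
# IFACE, MARK, TABLE and PORT default to the values used in the email.
IFACE=${IFACE:-wg0} MARK=${MARK:-1234} TABLE=${TABLE:-2468} PORT=${PORT:-22}

ssh_via_wg_rules() {
    cat <<EOF
ip route add default dev $IFACE table $TABLE
ip rule add fwmark $MARK table $TABLE
sysctl -w net.ipv4.conf.all.src_valid_mark=1
iptables -t mangle -A OUTPUT -p tcp --dport $PORT -j MARK --set-mark $MARK
iptables -t mangle -A POSTROUTING -p tcp --dport $PORT -m mark --mark $MARK -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i $IFACE -p tcp --sport $PORT -j CONNMARK --restore-mark
iptables -t nat -A POSTROUTING -p tcp --dport $PORT -m addrtype --src-type LOCAL -j MASQUERADE
EOF
}
# Line 3: let the rp_filter reverse lookup use the packet's fwmark.
# Line 4: mark locally generated traffic to the port so it is rerouted via TABLE.
# Line 5: egress, copy the packet mark onto the conntrack entry.
# Line 6: ingress, copy it back onto replies before the routing decision, so
#         the reverse-path lookup resolves through TABLE and accepts IFACE.

if [ "${APPLY:-0}" = 1 ]; then
    ssh_via_wg_rules | sh -ex
else
    ssh_via_wg_rules
fi
```

Compared with the commands in the email, the `rp_filter=0` line is gone and three lines are new: the sysctl and the two CONNMARK rules.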

