Sending just ssh traffic via wg

Toke Høiland-Jørgensen toke at
Fri Oct 5 12:03:04 CEST 2018

"Jason A. Donenfeld" <Jason at> writes:

> Hey Konstantin,
> When you're doing policy routing with packets that are being forwarded
> by the system -- a router, for example -- then the prerouting table is
> sufficient. But for locally generated packets, you have to use the
> OUTPUT table and also probably MASQUERADE. I just reproduced
> everything here and confirm this works:
> ip route add default dev wg0 table 2468
> ip rule add fwmark 1234 table 2468
> wg set wg0 peer [...] allowed-ips
> sysctl net.ipv4.conf.wg0.rp_filter=0
> iptables -t nat -A POSTROUTING -p tcp --dport 22 -m addrtype --src-type LOCAL -j MASQUERADE
> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1234

Any reason why you can't just do

ip rule add dport 22 lookup 2468
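As an added example (not from either poster), a small POSIX shell wrapper around the `dport` variant above: it applies the table-2468 route, the port-based rule and the `rp_filter` sysctl from the thread, can be reviewed with `DRY_RUN=1` before touching a live box, and finishes with an `ip route get` check. The `ipproto tcp` qualifier, the `WG_IF`/`TABLE` variables, the `203.0.113.10` test address and the iproute2/kernel 4.17+ requirement for port selectors are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: route locally generated TCP/22
# traffic through wg0 with an "ip rule dport" selector instead of fwmark+mangle.
set -eu

WG_IF="${WG_IF:-wg0}"       # assumed tunnel interface name
TABLE="${TABLE:-2468}"      # routing table number used in the thread
DRY_RUN="${DRY_RUN:-0}"     # 1 = print the plan instead of executing it

# run: execute a command, or print it verbatim when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Apply the policy route. Port selectors in ip rule need iproute2 and a
# kernel of 4.17 or newer (assumption); older tools reject "dport".
ssh_via_wg_plan() {
    # "replace" keeps the script re-runnable; "add" would fail on a second run
    run ip route replace default dev "$WG_IF" table "$TABLE"
    run ip rule add ipproto tcp dport 22 lookup "$TABLE"
    # Replies come back on wg0 while the rule matched on port, so strict
    # reverse-path filtering would drop them, as in the thread.
    run sysctl -w "net.ipv4.conf.$WG_IF.rp_filter=0"
}

# Verify the decision the kernel makes for a TCP/22 connection to a
# constructed (TEST-NET-3) address; the output should name dev wg0.
verify_ssh_route() {
    run ip route get 203.0.113.10 ipproto tcp dport 22
}

if [ "${1:-}" = apply ]; then
    ssh_via_wg_plan
    verify_ssh_route
fi
```

Run with `DRY_RUN=1 sh script.sh apply` first to see the exact commands, then without `DRY_RUN` as root.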
