bind to specific ip address

Ivan Labáth labawi-wg at
Fri Mar 1 00:00:27 CET 2019


As has been noted on a thread by Tomas Herceg on 2018-06-22,
a workaround is to internally listen on a different port,
and use NAT so it appears as the desired port on the outside.

If you really wanted to, with some iptables magic (e.g. u32 match),
you could match and split wireguard traffic from normal dns traffic,
all on a single ip.

While Jason says the behaviour is by design, I would like to note
that there are legitimate use cases for listening only on specific
interfaces/IPs and (at least I) would expect such functionality
from serious server software.

The mentioned scenario of multiple services on different IPs requiring
the use of NAT is a good use case.

An undesired effect might be, for instance, if a server is serving
a wireguard tunnel on a specific ip, a potentially malicious peer
could use wireguard to confirm ownership of a different IP on the
same server, or confirm the server's access to a different network.
Also, faults and/or transient states could lead wireguard to
inadvertently leak other IPs to the peers, leak presence of wg
tunnels to other networks, or divert the path of wireguard
connection to an alternate path even when policy says it shouldn't.

A malicious network operator might even try delaying/dropping
initiation (or rather rekey) packets, forwarding them to different
IPs with possibly spoofed headers and use it to .. de-anonymize?

A properly configured firewall should filter all these undesired
packets and avoid the effects, but it rarely is.
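The "split wireguard traffic from normal dns traffic" idea above rests on the two protocols having different leading bytes, which is what a u32 match keys on. The following is an added illustration, not code from this post or from the WireGuard project. It assumes the WireGuard wire format as documented in the protocol description (one type byte, 1 through 4, followed by three reserved zero bytes, with a fixed size for initiation, response and cookie reply and a minimum size for transport data) and the standard DNS 12-byte header, and it derives an iptables `-m u32` expression whose syntax is likewise an assumption on my part; the sample payloads are constructed, not captured.

```python
"""Tell WireGuard and DNS apart on a shared UDP endpoint by payload shape.

Added illustration, not code from the mailing-list post or the WireGuard
project. Assumes the WireGuard wire format from the protocol description:
every message starts with one type byte (1 handshake initiation,
2 handshake response, 3 cookie reply, 4 transport data) followed by three
reserved zero bytes, with a fixed or minimum length per type. A DNS
message instead starts with a 16-bit ID and a 16-bit flags field.
"""
import struct

# Message type -> (name, length in bytes); initiation, response and
# cookie reply have fixed sizes, transport data a minimum size.
WG_MESSAGES = {
    1: ("handshake-initiation", 148),
    2: ("handshake-response", 92),
    3: ("cookie-reply", 64),
    4: ("transport-data", 32),
}
WG_FIXED_SIZE = {1, 2, 3}

VALID_DNS_OPCODES = {0, 1, 2, 4, 5}  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


def looks_like_wireguard(payload: bytes) -> bool:
    """True when the payload has a WireGuard type byte, zero reserved
    bytes and a length consistent with that message type."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return False
    entry = WG_MESSAGES.get(payload[0])
    if entry is None:
        return False
    _name, size = entry
    if payload[0] in WG_FIXED_SIZE:
        return len(payload) == size
    return len(payload) >= size


def looks_like_dns(payload: bytes) -> bool:
    """True when the first 12 bytes parse as a plausible DNS header."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    return opcode in VALID_DNS_OPCODES and qdcount >= 1


def classify(payload: bytes) -> str:
    """Return 'wireguard', 'dns', 'ambiguous' (both shapes fit) or 'other'."""
    wg, dns = looks_like_wireguard(payload), looks_like_dns(payload)
    if wg and dns:
        return "ambiguous"
    if wg:
        return "wireguard"
    if dns:
        return "dns"
    return "other"


def u32_wireguard_match() -> str:
    """iptables -m u32 expression (assumed syntax) matching the four
    WireGuard type words in the first four UDP payload bytes: skip the
    IPv4 header by its IHL, then read the 32-bit word 8 bytes into UDP."""
    words = ",".join("0x%08x" % (t << 24) for t in sorted(WG_MESSAGES))
    return "0>>22&0x3C@8&0xFFFFFFFF=" + words


# Constructed sample payloads (not captured traffic).
SAMPLE_WG_INIT = bytes([1, 0, 0, 0]) + b"\x00" * 144   # 148 bytes
SAMPLE_WG_DATA = bytes([4, 0, 0, 0]) + b"\x00" * 28    # 32 bytes
SAMPLE_DNS_QUERY = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1))
# A DNS query whose transaction ID happens to be 0x0100 with flags 0x0000
# starts with the same four bytes as a handshake initiation; padded to
# 148 bytes it satisfies both checks, so a byte-pattern rule cannot
# separate it with certainty.
SAMPLE_COLLISION = (struct.pack(">HHHHHH", 0x0100, 0x0000, 1, 0, 0, 0)
                    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1))
SAMPLE_COLLISION += b"\x00" * (148 - len(SAMPLE_COLLISION))

if __name__ == "__main__":
    for name, pkt in [("wg-init", SAMPLE_WG_INIT), ("wg-data", SAMPLE_WG_DATA),
                      ("dns", SAMPLE_DNS_QUERY), ("collision", SAMPLE_COLLISION)]:
        print(f"{name:10s} {classify(pkt)}")
    print("u32:", u32_wireguard_match())
```

The u32 expression only inspects bytes, so it would be combined with `-p udp` and the shared port in the same rule; the `SAMPLE_COLLISION` case shows why such a split is a heuristic rather than a guarantee, which is the practical argument for the earlier workaround of listening internally on a separate port and using NAT instead of sharing one socket's traffic by pattern.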

