wg trunk (TM) traffic isolation: VRF vs netns

Tomcsanyi, Domonkos domi at tomcsanyi.net
Tue Dec 22 20:23:25 CET 2020


Using different network ranges for different groups of people, plus applying the correct iptables rules, should be a simple solution utilizing a single WG interface. People will get a static IP assigned in their respective range, so they are not allowed to use anything else as a source address and thus cannot circumvent iptables.


> On 22.12.2020 at 16:36, jrun <darwinskernel at gmail.com> wrote:
> hello,
> my use case is, if possible, to provide vpn to friends and family and also
> peering with other wg nodes (work etc). this obviously needs traffic isolation
> and i have thought about it for a while but don't have a definitive answer.
> 1. one way i thought of doing is to have a point-to-point (dedicated wg interface
> for each user) solution.
> 2. the other is to group interfaces based on the category of users (think friends
> vs family vs even work).
> they both probably need writing up something for set-up and tear-down of each of the
> interfaces, which should be fine, but both would need a way of isolating traffic;
> either between individual users' interfaces or between group interfaces. there is
> also the question of ACL'ing the site-to-site traffic for each group and/or
> user.
> for this i've looked into VRF and netns; this has been brought up before
> here and other place but i don't seem to be able to read the conclusion:
> https://lists.zx2c4.com/pipermail/wireguard/2017-September/001706.html
> from outside it looks like cumulus devs like their VRF, and wireguard devs lean
> towards recommending using netns
> https://www.wireguard.com/netns/
> that^ link is not a solution for me but i can think of ways to use netns for
> my case.
> thoughts?
> - jrun

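The single-interface design sketched in the reply above (one wg0, one address range per group, static /32 per peer, iptables between the ranges) is easy to get subtly wrong by hand: one peer assigned an address from the wrong range silently joins the wrong group. The following added example (not code from the thread or from the WireGuard project) renders the hub's wg0.conf and the matching iptables FORWARD rules from a small address plan and validates the plan first. Group names, ranges, peer names, tunnel addresses, the office prefix 192.168.50.0/24 and every <PUBKEY_*> / <HUB_PRIVATE_KEY> string are constructed placeholders; it assumes the hub has ip_forward enabled, uplinks via eth0, and that the work group reaches its office LAN through a site gateway peer. The isolation argument rests on WireGuard's cryptokey routing: a decrypted packet whose source address is not inside the sending peer's AllowedIPs is dropped before it ever reaches netfilter, so a peer cannot borrow another group's source range to slip past the rules.

```python
"""Single-interface WireGuard hub with per-group address ranges.

Added example, not from the mailing-list thread. Group ranges, peer names,
tunnel addresses, the office prefix and the <PUBKEY_*>/<HUB_PRIVATE_KEY>
strings are constructed placeholders. The validator runs before anything is
rendered so a typo cannot leak a peer into another group's range.
"""
import ipaddress
from typing import Dict, List

WG_IF, WAN_IF = "wg0", "eth0"
HUB_PRIVKEY = "<HUB_PRIVATE_KEY>"  # placeholder; never embed a real key

# group -> tunnel range (hub takes the first host), extra prefixes the group
# may reach through the hub, and whether it gets NATed internet egress
GROUPS: Dict[str, dict] = {
    "family":  {"range": "10.10.1.0/24", "reach": [], "internet": True},
    "friends": {"range": "10.10.2.0/24", "reach": [], "internet": True},
    "work":    {"range": "10.10.3.0/24", "reach": ["192.168.50.0/24"], "internet": False},
}

# Every peer gets one static /32; a site gateway additionally routes its LAN.
PEERS: List[dict] = [
    {"name": "mom",     "group": "family",  "key": "<PUBKEY_MOM>",     "ip": "10.10.1.10", "routes": []},
    {"name": "dad",     "group": "family",  "key": "<PUBKEY_DAD>",     "ip": "10.10.1.11", "routes": []},
    {"name": "alice",   "group": "friends", "key": "<PUBKEY_ALICE>",   "ip": "10.10.2.10", "routes": []},
    {"name": "work-gw", "group": "work",    "key": "<PUBKEY_WORK_GW>", "ip": "10.10.3.10", "routes": ["192.168.50.0/24"]},
]


def validate(groups: Dict[str, dict], peers: List[dict]) -> List[str]:
    """Return plan errors; an empty list means the plan is consistent."""
    errors: List[str] = []
    nets = {g: ipaddress.ip_network(v["range"]) for g, v in groups.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"group ranges overlap: {a} {nets[a]} / {b} {nets[b]}")
    seen = set()
    for p in peers:
        addr = ipaddress.ip_address(p["ip"])
        if p["group"] not in nets:
            errors.append(f"{p['name']}: unknown group {p['group']}")
            continue
        net = nets[p["group"]]
        if addr not in net:
            errors.append(f"{p['name']}: {addr} is outside {p['group']} range {net}")
        elif addr == next(net.hosts()):
            errors.append(f"{p['name']}: {addr} is reserved for the hub")
        if addr in seen:
            errors.append(f"{p['name']}: duplicate address {addr}")
        seen.add(addr)
        for r in p["routes"]:
            rnet = ipaddress.ip_network(r)
            # A site route overlapping any tunnel range would make WireGuard
            # cryptokey-route other groups' traffic to this peer.
            for g, n in nets.items():
                if rnet.overlaps(n):
                    errors.append(f"{p['name']}: route {rnet} overlaps tunnel range of {g}")
            if r not in groups[p["group"]]["reach"]:
                errors.append(f"{p['name']}: route {rnet} not in {p['group']} reach list")
    return errors


def wg_conf(groups: Dict[str, dict], peers: List[dict], listen_port: int = 51820) -> str:
    """Render the hub's wg0.conf. AllowedIPs is the enforcement point: WireGuard
    drops decrypted packets whose source is not in the sender's AllowedIPs."""
    hub_addrs = []
    for v in groups.values():
        net = ipaddress.ip_network(v["range"])
        hub_addrs.append(f"{next(net.hosts())}/{net.prefixlen}")
    out = ["[Interface]", f"Address = {', '.join(hub_addrs)}",
           f"ListenPort = {listen_port}", f"PrivateKey = {HUB_PRIVKEY}", ""]
    for p in peers:
        allowed = [f"{p['ip']}/32"] + p["routes"]
        out += [f"# {p['name']} ({p['group']})", "[Peer]", f"PublicKey = {p['key']}",
                f"AllowedIPs = {', '.join(allowed)}", ""]
    return "\n".join(out)


def firewall_rules(groups: Dict[str, dict]) -> List[str]:
    """FORWARD rules: a group may talk within its own range and to its listed
    prefixes; everything else crossing wg0 in either direction is dropped."""
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for v in groups.values():
        for dst in [v["range"]] + v["reach"]:
            rules.append(f"iptables -A FORWARD -i {WG_IF} -o {WG_IF} -s {v['range']} -d {dst} -j ACCEPT")
        if v["internet"]:
            rules.append(f"iptables -A FORWARD -i {WG_IF} -o {WAN_IF} -s {v['range']} -j ACCEPT")
            rules.append(f"iptables -t nat -A POSTROUTING -o {WAN_IF} -s {v['range']} -j MASQUERADE")
    rules.append(f"iptables -A FORWARD -i {WG_IF} -j DROP")
    rules.append(f"iptables -A FORWARD -o {WG_IF} -j DROP")  # office LAN may not initiate into the tunnel
    return rules


if __name__ == "__main__":
    errs = validate(GROUPS, PEERS)
    if errs:
        raise SystemExit("plan errors:\n  " + "\n  ".join(errs))
    print(wg_conf(GROUPS, PEERS))
    print("\n".join(firewall_rules(GROUPS)))
```

Two things the rules do not cover, by design: traffic addressed to the hub itself goes through INPUT, not FORWARD, and needs its own policy; and the site-to-site ACL is one-directional here (tunnel peers may reach the office prefix, the office may only answer), which is what the trailing `-o wg0 -j DROP` enforces once conntrack has passed the replies.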