Tunnel traffic in VRF

Steven Honson steven at honson.id.au
Sat Jan 25 07:55:55 CET 2020


Hi Daniele,

By VRFs, do you mean Linux network namespaces, or something different?

If network namespaces, https://www.wireguard.com/netns/#routing-network-namespace-integration talks a little about WireGuard's behaviour, but the TLDR is that you need to create the WireGuard interface in the namespace you wish for the outer packets to be bound to, and then move it to the namespace you wish the inner packets to be in, which can be the `init` namespace if you desire.

Cheers,
Steven

On Fri, 24 Jan 2020, at 11:03 AM, Daniele Orlandi wrote:
> 
> Hello,
> 
> I'm attempting to route the WG tunnel traffic (not the inside traffic)
> on a VRF.
> 
> I was able to use an ip rule + fwmark to route outgoing packets to the
> proper VRF, however the incoming traffic *seems* to be rejected due to
> the UDP socket not being bound to an interface in the VRF.
> 
> 00:56:35.606766 IP 172.16.16.32.5180 > 45.66.80.144.5180: UDP, length 148
> 00:56:35.922547 IP 45.66.80.144.5180 > 172.16.16.32.5180: UDP, length 92
> 00:56:35.922680 IP 172.16.16.32 > 45.66.80.144: ICMP 172.16.16.32 udp
> port 5180 unreachable, length 128
> 
> 
> Is there any workaround you know of? Would you consider implementing
> binding to an interface like other tunnel interfaces do?
> 
> 
> (The infrastructure is already present by using the bind_ifindex field
> of udp_port_cfg passed to udp_sock_create)
> 
> Thank you,
> regards,
> 
> -- 
>   Daniele Orlandi
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
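The namespace procedure Steven describes, as an added shell example that is not part of the thread and not the WireGuard project's own script: the physical uplink lives in a dedicated namespace, the WireGuard interface is created there so its UDP socket is bound to that namespace, and the interface is then moved to the init namespace (netns 1) where the inner traffic is routed. The namespace name `outer`, the uplink `eth0`, the addresses, port, key path and peer placeholder are all assumptions for illustration; the only values taken from the thread are the two endpoint addresses and port 5180. Note this is the network-namespace approach, not binding to a VRF device, which the thread says WireGuard does not offer.

```shell
#!/bin/sh
# Added example (not from the thread or the WireGuard project): bind WireGuard's
# outer UDP traffic to one network namespace while the inner traffic stays in
# the init namespace, following https://www.wireguard.com/netns/.
# Run as root on a kernel with the wireguard module; DRY_RUN=1 prints the
# commands instead of executing them.
set -e

OUTER_NS=${OUTER_NS:-outer}          # assumed: namespace owning the uplink
UPLINK=${UPLINK:-eth0}               # assumed: physical interface moved there
WG_IF=${WG_IF:-wg0}
WG_PORT=${WG_PORT:-5180}
PEER_PUBKEY=${PEER_PUBKEY:-'<peer-public-key>'}   # placeholder, replace before use

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: move the uplink into the outer namespace and give it connectivity.
# Addresses and gateway below are assumed for illustration.
setup_outer_ns() {
  run ip netns add "$OUTER_NS"
  run ip link set "$UPLINK" netns "$OUTER_NS"
  run ip -n "$OUTER_NS" addr add 172.16.16.32/24 dev "$UPLINK"
  run ip -n "$OUTER_NS" link set "$UPLINK" up
  run ip -n "$OUTER_NS" route add default via 172.16.16.1
}

# Step 2: create the WireGuard interface INSIDE the outer namespace, so the UDP
# socket it opens belongs to that namespace, then move the interface to the
# init namespace (netns 1). The socket keeps its original namespace; only the
# decrypted inner packets are delivered where the interface now lives.
setup_wg() {
  run ip -n "$OUTER_NS" link add "$WG_IF" type wireguard
  run ip -n "$OUTER_NS" link set "$WG_IF" netns 1
  run wg set "$WG_IF" listen-port "$WG_PORT" private-key /etc/wireguard/private.key
  run wg set "$WG_IF" peer "$PEER_PUBKEY" endpoint 45.66.80.144:5180 allowed-ips 10.0.0.0/24
  run ip addr add 10.0.0.2/24 dev "$WG_IF"     # assumed inner address
  run ip link set "$WG_IF" up
}

# Usage: `sh wg-netns.sh apply` (or `DRY_RUN=1 sh wg-netns.sh apply` to preview).
# Without an argument the script only defines the functions, so it can be sourced.
if [ "${1:-}" = apply ]; then
  setup_outer_ns
  setup_wg
fi
```

Ordering is what matters: if `ip link add ... type wireguard` runs in the init namespace and the interface is moved afterwards, the socket stays bound to init and the outer packets still go out through whatever routing init has, which is the situation the original question ran into.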