Question about origin of packet relative to peer
nicolas prochazka
prochazka.nicolas at gmail.com
Wed May 27 21:41:53 CEST 2020
Yes, I can mark the WireGuard packet by allowed-ips, but I cannot attach
it to the associated peer. In my configuration, an IP from WireGuard
(allowed-ip) can come from different peers (because I'm using different
masks for allowed-ips and multiple tunnels).
My issue is that a packet can be used by a peer and come back through
another one (the packet is routed by allowed-ips, not by its peer
entry).
Example:
On server side S1
Peer A (client peer)
allowed-ips 192.168.1.0/24
Peer B (another "WireGuard server" S2)
allowed-ips 192.168.1.100/32
On client side, the allowed-ip is set on s2 and, if s2 is down, set to s1
peer s1 ==> server S1
peer s2 ==> server S2 ==> server S1
Of course it does not work, packet routing does not work:
client ==> S2 ==> S1 (peer A) ==> then the response is routed to peer (B)
Regards,
Nicolas
On Wed, 27 May 2020 at 13:46, Arti Zirk <arti.zirk at gmail.com> wrote:
>
> On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > How can I know that a packet comes from peer X?
> You can check which peer's allowed IPs list covers the received packet's
> source IP
>
> > Is it possible to mark packets not at interface level (wg0) but at
> > peer level?
> It's probably possible to generate iptables rules from the peer allowed
> IPs list that mark packets with different IDs
>
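The following is an added example, not code from either participant in the thread. It reproduces the two mechanisms discussed above in Python so the behaviour can be checked offline: the longest-prefix lookup WireGuard performs over all peers' allowed-ips (which is why 192.168.1.100 is always associated with Peer B's /32 rather than Peer A's /24, whichever peer the packet actually arrived through), and the iptables-from-allowed-ips idea Arti Zirk suggests. The input text is a constructed sample in the format of `wg show wg0 allowed-ips`; the public keys are placeholders, and the interface name and mark values are assumptions.

```python
import ipaddress

# Constructed sample in the format printed by `wg show wg0 allowed-ips`:
# one line per peer, base64 public key, a tab, then space-separated CIDRs.
# The keys below are placeholders, not real peer keys.
SAMPLE_ALLOWED_IPS = (
    "PEER_A_PLACEHOLDER_KEY=\t192.168.1.0/24\n"
    "PEER_B_PLACEHOLDER_KEY=\t192.168.1.100/32\n"
)


def parse_allowed_ips(text):
    """Return {pubkey: [ip_network, ...]} from `wg show <if> allowed-ips` output."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pubkey, _, cidrs = line.partition("\t")
        nets = []
        for cidr in cidrs.split():
            if cidr == "(none)":  # wg prints this for a peer with no allowed-ips
                continue
            nets.append(ipaddress.ip_network(cidr, strict=False))
        table[pubkey] = nets
    return table


def peer_for_ip(table, ip):
    """Longest-prefix match over every peer's allowed-ips, as WireGuard's
    cryptokey routing does for both inbound source checks and outbound
    destination selection. Returns the matching peer key, or None."""
    addr = ipaddress.ip_address(ip)
    best_key, best_net = None, None
    for pubkey, nets in table.items():
        for net in nets:
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_key, best_net = pubkey, net
    return best_key


def iptables_mark_rules(table, ifname="wg0", base_mark=100):
    """Generate mangle/PREROUTING rules that mark inbound packets on the
    tunnel interface by the peer whose allowed-ips cover the source address.
    Because MARK is non-terminating, rules are appended least-specific first
    so the most specific prefix is applied last and wins, mirroring the
    longest-prefix semantics of peer_for_ip()."""
    marks = {pubkey: base_mark + i for i, pubkey in enumerate(table)}
    entries = sorted(
        ((net, pubkey) for pubkey, nets in table.items() for net in nets),
        key=lambda e: e[0].prefixlen,
    )
    rules = []
    for net, pubkey in entries:
        rules.append(
            f"iptables -t mangle -A PREROUTING -i {ifname} -s {net} "
            f"-j MARK --set-mark {marks[pubkey]}  # peer {pubkey[:8]}..."
        )
    return rules


if __name__ == "__main__":
    table = parse_allowed_ips(SAMPLE_ALLOWED_IPS)
    for ip in ("192.168.1.100", "192.168.1.50", "10.0.0.1"):
        print(f"{ip:>15} -> {peer_for_ip(table, ip)}")
    print("\n".join(iptables_mark_rules(table)))
```

Running the block shows 192.168.1.100 resolving to Peer B and 192.168.1.50 to Peer A, which is exactly the asymmetry described in the thread: a reply destined for 192.168.1.100 is sent to the peer whose allowed-ips match that destination, independent of which peer the request arrived through. A per-packet mark on the inbound side does not by itself change that, since the reply is a separate packet looked up by its own destination; carrying the mark across to replies is normally done with connection tracking (iptables CONNMARK), which is beyond what the thread discusses.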