Question about origin of packet relative to peer

nicolas prochazka prochazka.nicolas at
Wed May 27 21:41:53 CEST 2020

Yes, I can mark the  wireguard packet  allowedips but i cannot attach
to the associated peer.In my configuration, ip from wireguard (
alllowedip) can come from different peer ( because i'm using different
mask for allowedips and multiple tunnel).
My issue is that a packet can be used by a peer and come back by an
other one ( the packet is routing by allowed-ips, not by it's peer

Example :

On server side S1
Peer A (client peer)

Peer B  ( an other "wireguard server"  S2  )

On client Side, allowedIp is set on s2 and if s2 down , set to s1
peer s1 ==> server S1
peer s2 ==> server S2 ==> server S1

Of course it does not work, packet routing does not work
client ==> S2 ==>  S1 (peer A)  ==>  then response route to peer (B)


Le mer. 27 mai 2020 à 13:46, Arti Zirk <arti.zirk at> a écrit :
> On K, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > How can i know that a packet come from peer X ?
> You can check which peers allowed ips list covers the received packets
> source ip
> > Is is possible to mark packet not a level interface (wg0) but at peer
> > level ?
> Its probably possible to generate iptables rules from peer allowed ips
> list that marks packets with different ids

More information about the WireGuard mailing list