Fwd: Question about origin of packet relative to peer

David Kerr david at kerr.net
Thu May 28 00:11:44 CEST 2020

I think what you are trying to do is make sure that server S1 replies
to a packet from peer s2 via server S2 and not directly.  But the
default route table on S1 is going to try to send it directly because
it is valid for peer s2 to connect directly to S1, thus the connection
is failing.  The only way I can think to make this work is to have
server S2 connect to server S1 over a different interface.  So have
e.g. wg0 set up for peers to connect and wg1 for servers to connect.
So S1 has both a wg0 and a wg1.  S2 connects in by wg1, all peers
connect through wg0.

Then you can use firewall marks, connmark, saving and restoring in the
mangle table, combined with ip rules to look up specific (non-default)
routing tables such that all traffic that is received from wg1 is
replied to through wg1 rather than going out wherever the default
route would be.  Not for the faint of heart.


On Wed, May 27, 2020 at 3:42 PM nicolas prochazka
<prochazka.nicolas at gmail.com> wrote:
> Yes, I can mark the wireguard packet allowedips but I cannot attach
> to the associated peer. In my configuration, ip from wireguard
> (allowedip) can come from different peers (because I'm using different
> masks for allowedips and multiple tunnels).
> My issue is that a packet can be used by a peer and come back by
> another one (the packet is routed by allowed-ips, not by its peer
> entry).
> Example:
> On server side S1
> Peer A (client peer)
> allowedips
> Peer B (another "wireguard server" S2)
> allowedIps
> On client side, allowedIp is set on s2 and, if s2 is down, set to s1
> peer s1 ==> server S1
> peer s2 ==> server S2 ==> server S1
> Of course it does not work, packet routing does not work
> client ==> S2 ==> S1 (peer A) ==> then response route to peer (B)
> Regards,
> Nicolas
> On Wed, May 27, 2020 at 13:46, Arti Zirk <arti.zirk at gmail.com> wrote:
> >
> > On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > > How can I know that a packet comes from peer X?
> > You can check which peer's allowed ips list covers the received
> > packet's source ip
> >
> > > Is it possible to mark packets not at interface level (wg0) but at
> > > peer level?
> > It's probably possible to generate iptables rules from the peer allowed
> > ips list that mark packets with different ids
> >
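
The connmark and policy-routing setup described at the top of this message, as an added example that is not part of the original thread; the function prints the commands for S1 instead of running them. The interface name wg1 follows the message, while the function name, the mark value and the routing table number are assumptions, and wg1 on S1 is assumed to carry the clients' addresses in the AllowedIPs of peer S2.

```shell
#!/bin/sh
# Added example, not from the thread. Review the output, then apply it on S1
# with:  reply_via_same_iface wg1 1 101 | sudo sh
# Assumed: mark 1 and routing table 101 are not used by anything else.

reply_via_same_iface() {
    iface=$1 mark=$2 table=$3

    # The output is meant for a root shell, so validate every argument.
    case $iface in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    case $mark in
        ''|*[!0-9]*) echo "mark must be a decimal integer" >&2; return 1 ;;
    esac
    case $table in
        ''|*[!0-9]*) echo "table must be a decimal integer" >&2; return 1 ;;
    esac
    # Mark 0 means "unmarked"; tables 0 and 253-255 are reserved by the kernel.
    [ "$mark" -ge 1 ] || { echo "mark must be non-zero" >&2; return 1; }
    { [ "$table" -ge 1 ] && [ "$table" -le 252 ]; } || {
        echo "table must be in 1..252" >&2; return 1; }

    cat <<EOF
# 1. Tag every connection whose first packet arrives on $iface.
iptables -t mangle -A PREROUTING -i $iface -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
# 2. Copy the connection mark onto reply packets. Forwarded replies enter via
#    PREROUTING, locally generated ones via OUTPUT. Unmarked connections are
#    skipped so an existing packet mark is not overwritten with 0.
iptables -t mangle -A PREROUTING ! -i $iface -m connmark ! --mark 0 -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
# 3. Marked packets use a dedicated table whose only route leaves via $iface.
ip rule add fwmark $mark lookup $table
ip route add default dev $iface table $table
# 4. Source addresses seen on $iface normally route out another interface,
#    so strict reverse-path filtering would drop them; use loose mode.
sysctl -w net.ipv4.conf.$iface.rp_filter=2
EOF
}
```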
