Feature request: tag incoming packets
Jason A. Donenfeld
Jason at zx2c4.com
Sat Feb 20 14:33:23 UTC 2021
There is no need for this and WireGuard was designed to avoid needing
something like this. The AllowedIPs binding gives you a mapping
between source IP and peer public key.
So, if you have on wg0:
PublicKey = ABCD
AllowedIPs = 192.168.33.99/32
Then you can safely have a netfilter rule that says:
iptables -A INPUT -i wg0 -s 192.168.33.99/32 -j ACCEPT
You only need to match two things: the WireGuard interface and the
source IP. The strong binding to the public key is the primary
security property that WireGuard gives you via cryptokey routing.
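As an added illustration of the AllowedIPs-to-netfilter mapping described in the post (this is not code from the post or from the WireGuard project), the script below reads a WireGuard config and prints one INPUT rule per AllowedIPs entry of every [Peer] section. The config text, the peer keys ABCD and EFGH, and the addresses are constructed placeholders; the script only prints the iptables commands and applies nothing.

```shell
#!/bin/sh
# Added example: derive per-peer netfilter ACCEPT rules from a WireGuard
# config. Cryptokey routing already discards any decrypted packet whose
# source IP is not inside the sending peer's AllowedIPs, so a rule that
# matches interface + source IP is as strong as matching the peer key.

# Constructed sample config (keys and addresses are placeholders).
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 51820

[Peer]
PublicKey = ABCD
AllowedIPs = 192.168.33.99/32

[Peer]
PublicKey = EFGH
AllowedIPs = 192.168.33.100/32, 10.99.0.0/24
'

# wg_allowed_ips_rules <iface> <config-text>
# Prints "iptables -A INPUT -i <iface> -s <cidr> -j ACCEPT" for each CIDR
# listed in an AllowedIPs line of a [Peer] section. Comment lines are
# skipped, and AllowedIPs inside [Interface] (not valid there anyway) is
# ignored because only the [Peer] section is tracked.
wg_allowed_ips_rules() {
    iface=$1
    conf=$2
    printf '%s\n' "$conf" | awk -v iface="$iface" '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*\[/ { section = $0; next }         # remember current section
        section ~ /\[Peer\]/ && $0 ~ /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")               # strip "AllowedIPs ="
            n = split($0, cidrs, /[ \t,]+/)        # comma/space separated list
            for (i = 1; i <= n; i++)
                if (cidrs[i] != "")
                    printf "iptables -A INPUT -i %s -s %s -j ACCEPT\n", iface, cidrs[i]
        }'
}

# Print the rules for wg0 so the script is useful when run directly.
wg_allowed_ips_rules wg0 "$SAMPLE_CONF"
```

Piping the output into `sh` (as root) would install the rules; review them first, and remember that the rules are only meaningful on the WireGuard interface, since the `-i wg0` match is what ties the source address to a peer that has already authenticated.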