[PATCH 0/1] Add support to send/receive tunnel packets via Linux VRFs

Maximilian Wilhelm max at sdn.clinic
Mon Nov 15 15:57:58 UTC 2021


This patch adds support to bind the listening/sending UDP sockets to a
specific network interface on Linux to allow sending/receiving encrypted
tunnel packets via a given VRF.

The motivation behind this is to put any external interface(s) of a host
into a VRF (e.g. "vrf_external") and have the rest of the interfaces in the
main VRF, so all tools and services can be used normally and can't directly
reach/leak to the Internet.  This way different islands can be connected
easily and securely without the fear of leaking any communication into the
Internet.  See my blog article on VRF support for OpenVPN [0] for a more
detailed description.

Using VRFs is much simpler than setting up Network Namespaces, shoving
interfaces around and having to care about which processes should run

This patch is very similar to the patch "Basic support for binding the
transport socket to a device" sent in June this year, but adds two more
settings in send4() and send6() without which VRF support didn't work for me.

I'm unsure whether it would be better to use the name "bind_dev" within
the kernel or clearly denote that an ifindex is used, as it is now.

The user-space part of this change is available as a PR to the 
repo on GitHub [1], but can be sent as patches to the list as well.


[0] https://blog.sdn.clinic/2018/12/openvpn-and-vrfs/
[1] https://github.com/WireGuard/wireguard-tools/pull/12

Maximilian Wilhelm (1):
   wireguard: Add support to bind socket(s) to device

  drivers/net/wireguard/device.h  |  1 +
  drivers/net/wireguard/netlink.c |  7 ++++++-
  drivers/net/wireguard/socket.c  | 13 +++++++++++++
  include/uapi/linux/wireguard.h  |  2 ++
  4 files changed, 22 insertions(+), 1 deletion(-)
