Fwd: Wireguard address binding - how to fix?
Adrian Larsen
alarsen at maidenheadbridge.com
Mon Jun 24 09:36:06 UTC 2024
Hi Friends,
You can achieve address binding on a Linux box with a mix of marking, ip
rules, ip route and Source NAT.
1) On WG interface, add "FwMark = 0x34" (the value 0x34 is an example,
you can put any value here)
2) Create IP Rule "from all fwmark 0x34 lookup rt_wg0_out" -> this will
force the outgoing packet to use the route table "rt_wg0_out"
3) On the route table "rt_wg0_out" create the default or specific route
to force the packet marked with 0x34 to leave using the interface where
your desired "IP address" resides.
4) Create a POSTROUTING -> SNAT forcing mark 0x34 via the desired "IP
address". This will bind your "IP address".
Done! The packet with mark 0x34 will be routed via the correct interface
using the source IP you want.
I hope this helps.
Best regards,
Adrian Larsen
Maidenhead Bridge
Cloud Security Connectors for SSE vendors.
m: +44 7487640352
e:alarsen at maidenheadbridge.com
On 09/06/2024 16:39, Nico Schottelius wrote:
> Jason,
>
> may I shortly ask what your opinion is on the patch and whether there is
> a way forward to make wireguard usable on systems with multiple IP
> addresses?
>
> Best regards,
>
> Nico
>
> Nico Schottelius<nico.schottelius at ungleich.ch> writes:
>
>> d tbsky <tbskyd at gmail.com> writes:
>>> I remembered how exciting it was when I tested wireguard in 2017, until I
>>> asked the multi-home question on the list.
>>> wireguard is beautiful, elegant, fast but not easy to get along with.
>>> openvpn is not so amazing but it can get the job done.
>> Nice summary, hits the nail quite well.
>>
>> Jason, do you mind having a look at the submitted patches for IP address
>> binding and comment on them? Or alternatively can you give green light
>> for generally moving forward so that a direct inclusion in the Linux
>> kernel would be accepted?
>>
>> Best regards,
>>
>> Nico
>>
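The four steps from the message above written out as commands, as an added example that is not part of the original message or the WireGuard project. The interface eth1, the addresses 192.0.2.1 and 192.0.2.10, and the helper names are assumptions made for illustration; the script only prints the commands unless WG_BIND_APPLY=1 is set.

```shell
#!/bin/sh
# Added example: steps 1-4 of the message as one script. Prints the commands
# unless WG_BIND_APPLY=1 is set (then it runs them, which needs root).
# Assumption: the table name is already mapped to an id in /etc/iproute2/rt_tables.

valid_mark() {   # fwmark as 0x-prefixed hex, non-zero, at most 32 bits
    case "$1" in 0x*) h=${1#0x} ;; *) return 1 ;; esac
    case "$h" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    case "$h" in *[!0]*) ;; *) return 1 ;; esac   # 0 turns the mark off
    [ "${#h}" -le 8 ]
}

valid_name() {   # interface or table name: conservative character set, max 15 chars
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_ipv4() {   # dotted quad, each octet 0-255
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

run() {          # print by default; execute argv as-is (no eval) when applying
    if [ "${WG_BIND_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# bind_wg_source WG_IF MARK TABLE OUT_IF GATEWAY SOURCE_IP
bind_wg_source() {
    wg_if=$1; mark=$2; table=$3; out_if=$4; gw=$5; src=$6
    valid_mark "$mark"   || { echo "bad fwmark: $mark" >&2; return 2; }
    valid_name "$wg_if" && valid_name "$table" && valid_name "$out_if" ||
        { echo "bad interface or table name" >&2; return 2; }
    valid_ipv4 "$gw" && valid_ipv4 "$src" ||
        { echo "bad IPv4 address" >&2; return 2; }
    run wg set "$wg_if" fwmark "$mark" &&                               # step 1
    run ip rule add from all fwmark "$mark" lookup "$table" &&          # step 2
    run ip route add default via "$gw" dev "$out_if" table "$table" &&  # step 3
    run iptables -t nat -A POSTROUTING -o "$out_if" -m mark --mark "$mark" \
        -j SNAT --to-source "$src"                                      # step 4
}

# Constructed sample values: eth1, gateway 192.0.2.1, source 192.0.2.10.
bind_wg_source wg0 0x34 rt_wg0_out eth1 192.0.2.1 192.0.2.10
```

The `wg set` call in step 1 changes the running interface only; the persistent form is the "FwMark = 0x34" line from the message. The example covers IPv4 only.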