Fwd: Wireguard address binding - how to fix?
Nico Schottelius
nico.schottelius at ungleich.ch
Thu Jun 27 11:33:18 UTC 2024
Hello Adrian,
I tried 1,2 and 3 and observed that wireguard seems to be taking the correct
routing table when using fwmark:
--------------------------------------------------------------------------------
# cat /etc/wireguard/or3ge.conf
[Interface]
PrivateKey = ...
Address = 2a0a:5480:5:2::2/64
Table = off
FwMark = 0x42
[Peer]
PublicKey = 3WNj2YuTTm+5wpsAOauRQ3bEMv/WXcKMDZXbJPB8fx0=
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = 194.5.220.43:5001
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[09:32] server142.place10:~# ip r sh table 42
194.5.220.0/24 via 192.168.1.254 dev eth1 proto bird metric 32
194.187.90.23 via 192.168.1.254 dev eth1 proto bird metric 32
212.103.65.231 via 192.168.1.254 dev eth1 proto bird metric 32
[09:32] server142.place10:~# ip rule ls
0: from all lookup local
32765: from all fwmark 0x42 lookup 42
32766: from all lookup main
32767: from all lookup default
--------------------------------------------------------------------------------
So the long story short is that one cannot match on the ip address with
wireguard, potentially because it does not do the address binding by
default.
But I have to say thanks, at least one problem solevd for the moment!
Best regards,
Nico
Adrian Larsen <alarsen at maidenheadbridge.com> writes:
> Hi Friends,
>
> You can achieve address binding on a Linux box with a mix of marking,
> ip rules, ip route and Source NAT.
>
> 1) On WG interface, add "FwMark = 0x34" (the value 0x34 is an example,
> you can put any value here)
>
> 2) Create IP Rule "from all fwmark 0x34 lookup rt_wg0_out" -> this
> will force the outgoing packet to use the route table "rt_wg0_out"
>
> 3) On the route table "rt_wg0_out" create the default or specific
> route to force the packet market with 0x34 to leave using the
> interface where your desire "IP address" resides.
>
> 4) Create a POSTROUTING -> SNAT forcing mark 0x34 via the desired "IP
> address". This will bind your "IP address".
>
> Done! The packet with mark 0x34 will be routed via the correct
> interface using the source IP you want.
>
> I hope this helps.
>
> Best regards,
>
> Adrian Larsen
> Maidenhead Bridge
> Cloud Security Connectors for SSE vendors.
> m: +44 7487640352
> e:alarsen at maidenheadbridge.com
>
> On 09/06/2024 16:39, Nico Schottelius wrote:
>> Jason,
>>
>> may I shortly ask what your opinion is on the patch and whether there is
>> a way forward to make wireguard usable on systems with multiple IP
>> addresses?
>>
>> Best regards,
>>
>> Nico
>>
>> Nico Schottelius<nico.schottelius at ungleich.ch> writes:
>>
>>> d tbsky<tbskyd at gmail.com> writes:
>>>> I remembered how exciting when I tested wireguard at 2017. until I
>>>> asked muti-home question in the list.
>>>> wiregurad is beautiful,elegant,fast but not easy to get along with.
>>>> openvpn is not so amazing but it can get the job done.
>>> Nice summary, hits the nail quite well.
>>>
>>> Jason, do you mind having a look at the submitted patches for IP address
>>> binding and comment on them? Or alternatively can you give green light
>>> for generally moving forward so that a direct inclusion in the Linux
>>> kernel would be accepted?
>>>
>>> Best regards,
>>>
>>> Nico
>>>
-------------- next part --------------
--
Sustainable and modern Infrastructures by ungleich.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20240627/2d945c9f/attachment.sig>
More information about the WireGuard
mailing list