Development discussion of WireGuard
From: "Jörg Thalheim" <joerg@higgsboson.tk>
To: wireguard@lists.zx2c4.com
Subject: Re: Wireguard and VRFs?
Date: Wed, 20 Sep 2017 11:01:59 +0100
Message-ID: <3b671530-b335-e61b-edcd-d9cb4a804188@higgsboson.tk>
In-Reply-To: <000001d331be$4e5d4900$eb17db00$@dev.xod.de>

You assign a firewall mark to each WireGuard interface and route via a dedicated routing table using ip rule.
wg-quick uses this feature, for example, when you redirect 0.0.0.0 via a VPN interface:

$ wg-quick up mullvad
[#] ip link add mullvad type wireguard
[#] wg setconf mullvad /dev/fd/63
[#] ip address add 10.99.1.142/32 dev mullvad
[#] ip address add fc00:bbbb:bbbb:bb01::18e/128 dev mullvad
[#] ip link set mtu 1420 dev mullvad
[#] ip link set mullvad up
[#] wg set mullvad fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0


On 2017-09-20 04:12, Florian Werner wrote:
> Hi Jason,
>
> does Wireguard support to bind to a specific interface?
>
> For e.g. gre interface it is possible with
> ip tunnel add name gre0 mode gre remote 1.2.3.4 dev eth0
> to bind the gre0 interface to eth0.
>
> Quoting ip-tunnel(8):
> dev NAME
> 	bind the tunnel to the device NAME so that tunneled
> 	packets will only be routed via this device and will
> 	not be able to escape to another device when the route
> 	to endpoint changes.
>
> But I don't think ip link supports this.
> The question is, why are there 2 commands to create new
> interfaces (ip link add, ip tunnel add)...
>
> With binding support one can simply bind to a vrf master
> interface and all outer-traffic is sent to the associated
> routing table. Using vrf instead of network namespace has
> the advantage of allowing daemons to operate in multiple
> vrf (e.g. routing daemons), where network namespace are
> more separated but also don't allow much communication.
>
> Florian
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
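To make the effect of the three ip rule/route lines in the wg-quick transcript concrete, here is an added example (not part of the mail or of wg-quick itself) that simulates the kernel's policy-routing decision in Python: rules are walked in priority order, each rule either skips (fwmark exemption) or looks up its table with longest-prefix match, and suppress_prefixlength throws away a hit whose prefix is too short so the lookup falls through to the next rule. The uplink device, gateway and LAN prefix (eth0, 192.0.2.0/24) are constructed assumptions; the fwmark 51820, the table 51820 and the rule order come from the transcript above. Note that `ip rule add` without an explicit priority inserts above the existing rules, so the suppress_prefixlength rule added last is evaluated first.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# fwmark that wg-quick sets on the WireGuard interface (from the transcript).
WG_FWMARK = 51820


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass
class Rule:
    priority: int
    table: str
    not_fwmark: Optional[int] = None            # "not fwmark N": skip when mark == N
    suppress_prefixlength: Optional[int] = None  # drop hits with prefixlen <= this value


# Constructed routing tables. eth0 / 192.0.2.0/24 are assumptions for the uplink;
# table 51820 holds exactly the route "0.0.0.0/0 dev mullvad" from the transcript.
TABLES = {
    "main": [
        Route(ipaddress.ip_network("192.0.2.0/24"), "eth0"),   # assumed LAN
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),      # assumed default uplink
    ],
    "51820": [Route(ipaddress.ip_network("0.0.0.0/0"), "mullvad")],
}

# Rules in kernel evaluation order (lowest priority number first).
RULES: List[Rule] = [
    Rule(32764, "main", suppress_prefixlength=0),   # ip rule add table main suppress_prefixlength 0
    Rule(32765, "51820", not_fwmark=WG_FWMARK),     # ip rule add not fwmark 51820 table 51820
    Rule(32766, "main"),                            # the kernel's built-in main rule
]

# Same setup without the fwmark exemption, to show why it is needed.
RULES_NO_EXEMPTION: List[Rule] = [
    Rule(32764, "main", suppress_prefixlength=0),
    Rule(32765, "51820"),
    Rule(32766, "main"),
]


def lookup(table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one routing table."""
    best = None
    for r in TABLES[table]:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(dst: str, fwmark: int = 0, rules: Optional[List[Rule]] = None) -> str:
    """Return the egress device the policy-routing rules select for a packet."""
    rules = RULES if rules is None else rules
    dst_addr = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.not_fwmark is not None and fwmark == rule.not_fwmark:
            continue                      # rule does not apply to marked packets
        hit = lookup(rule.table, dst_addr)
        if hit is None:
            continue                      # table has no route: try the next rule
        if rule.suppress_prefixlength is not None and hit.prefix.prefixlen <= rule.suppress_prefixlength:
            continue                      # hit suppressed (e.g. a default route): fall through
        return hit.dev
    raise LookupError(f"no route to {dst}")


if __name__ == "__main__":
    # Application traffic (unmarked) to the Internet goes into the tunnel.
    print("203.0.113.5 unmarked  ->", route("203.0.113.5"))
    # WireGuard's own encrypted UDP carries the fwmark and escapes via the uplink.
    print("203.0.113.5 fwmarked  ->", route("203.0.113.5", fwmark=WG_FWMARK))
    # LAN traffic is matched by a more specific route and is not suppressed.
    print("192.0.2.10  unmarked  ->", route("192.0.2.10"))
    # Without the exemption the tunnel's own packets would be routed into the tunnel.
    print("203.0.113.5 fwmarked, no exemption ->",
          route("203.0.113.5", fwmark=WG_FWMARK, rules=RULES_NO_EXEMPTION))
```

The last case is the point of the fwmark: without `not fwmark 51820`, the encrypted packets to the peer's endpoint would themselves be sent to table 51820 and back into the WireGuard interface, so the mark is what lets the outer traffic escape the tunnel's own default route while everything else is captured by it.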

Thread overview: 4+ messages
2017-09-20  3:12 Florian Werner
2017-09-20 10:01 ` Jörg Thalheim [this message]
  -- strict thread matches above, loose matches on Subject: below --
2017-09-15  0:52 Maximilian Wilhelm
2017-09-15  2:17 ` Jason A. Donenfeld
