Development discussion of WireGuard
From: "Tomcsanyi, Domonkos" <domi@tomcsanyi.net>
To: jrun <darwinskernel@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: wg trunk (TM) traffic isolation: VRF vs netns
Date: Tue, 22 Dec 2020 20:23:25 +0100
Message-ID: <58C6C0BE-F073-459F-92C6-F37CA78F4E24@tomcsanyi.net>
In-Reply-To: <20201220192149.bojbghrxm6g3yq7q@p51>

Hi,

Using different network ranges for different groups of people + applying correct iptables rules shall be a simple solution, utilizing a single WG interface. People will get a static IP assigned in their respective range, so they are not allowed to use anything else as source address, so cannot circumvent iptables.

Cheers,
Domi

> On 22.12.2020 at 16:36, jrun <darwinskernel@gmail.com> wrote:
> 
> 
> hello,
> 
> my use case, if possible, is to provide vpn to friends and family and also
> peering with other wg nodes (work etc). this obviously needs traffic isolation
> and i have thought about it for a while but don't have a definitive answer.
> 
> 1. one way i thought of doing it is to have a point-to-point (dedicated wg interface
> for each user) solution.
> 
> 2. the other is to group interfaces based on the category of users (think friends
> vs family vs even work).
> 
> they both probably need writing up something for set-up and tear-down of each of the
> interfaces, which should be fine, but both would need a way of isolating traffic;
> either between individual users' interfaces or between group interfaces. there is
> also the question of ACL'ing the site-to-site traffic for each group and/or
> user.
> 
> for this i've looked into VRF and netns; this has been brought up before
> here and in other places but i don't seem to be able to find the conclusion:
> https://lists.zx2c4.com/pipermail/wireguard/2017-September/001706.html
> 
> from the outside it looks like cumulus devs like their VRF, and wireguard devs lean
> towards recommending netns:
> 
> https://www.wireguard.com/netns/
> 
> that^ link is not a solution for me but i can think of ways to use netns for
> my case.
> 
> 
> thoughts?
> 
> - jrun
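The single-interface scheme Domi describes (one address range per group, static per-peer addresses, iptables doing the separation), as an added example that is not part of the thread. Interface name, group ranges and the office prefix are constructed values; the only WireGuard fact it relies on is that cryptokey routing drops a decrypted packet whose source address is outside the sending peer's AllowedIPs, which is what makes matching on the source range trustworthy.

```shell
#!/bin/sh
# Added example: one wg0 interface, one /24 per user group (each peer gets
# a /32 inside its group's range in AllowedIPs), and iptables FORWARD rules
# that keep the groups apart.  WireGuard's cryptokey routing already drops
# packets whose source address is outside the peer's AllowedIPs, so a peer
# cannot spoof into another group's range.  Nothing here touches the system;
# the functions print the iptables commands, pipe them into sh to apply.

# Emit a dedicated chain: wg-to-wg forwards are accepted only when source and
# destination fall in the same group range; every other wg-to-wg forward drops.
# Usage: isolation_rules IFACE name:CIDR [name:CIDR ...]
isolation_rules() {
    wg_if=$1; shift
    echo "iptables -N WG_ISOLATE 2>/dev/null || iptables -F WG_ISOLATE"
    for entry in "$@"; do
        name=${entry%%:*}; range=${entry#*:}
        echo "# intra-group traffic for $name"
        echo "iptables -A WG_ISOLATE -i $wg_if -o $wg_if -s $range -d $range -j ACCEPT"
    done
    echo "iptables -A WG_ISOLATE -i $wg_if -o $wg_if -j DROP"
    # Hook the chain into FORWARD once; -C avoids a duplicate jump on re-run.
    echo "iptables -C FORWARD -j WG_ISOLATE 2>/dev/null || iptables -I FORWARD 1 -j WG_ISOLATE"
}

# Site-to-site ACL: let one group reach a remote site prefix that is routed
# over the same wg interface.  Rules are inserted at the head of the chain so
# they are evaluated before the catch-all DROP; replies come back only as
# established/related flows.
# Usage: site_acl IFACE group_CIDR site_CIDR
site_acl() {
    echo "iptables -I WG_ISOLATE 1 -i $1 -o $1 -s $2 -d $3 -j ACCEPT"
    echo "iptables -I WG_ISOLATE 1 -i $1 -o $1 -s $3 -d $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

WG_IF=wg0                                                      # assumed interface
PEER_GROUPS="family:10.10.1.0/24 friends:10.10.2.0/24 work:10.10.3.0/24"   # constructed
# shellcheck disable=SC2086  # word splitting of PEER_GROUPS is intended
isolation_rules "$WG_IF" $PEER_GROUPS
site_acl "$WG_IF" 10.10.3.0/24 192.168.50.0/24   # only "work" reaches the (constructed) office LAN
```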


Thread overview: 3+ messages
2020-12-20 19:21 jrun
2020-12-22 19:23 ` Tomcsanyi, Domonkos [this message]
2020-12-23 13:55 ` Matthias Urlichs
