Development discussion of WireGuard
From: Nico Schottelius <nico.schottelius@ungleich.ch>
To: Adrian Larsen <alarsen@maidenheadbridge.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Fwd: Wireguard address binding - how to fix?
Date: Thu, 27 Jun 2024 13:33:18 +0200	[thread overview]
Message-ID: <87ed8ihb7l.fsf@ungleich.ch> (raw)
In-Reply-To: <43aac110-8699-41b3-bad8-7a38bf984b45@maidenheadbridge.com> (Adrian Larsen's message of "Mon, 24 Jun 2024 10:36:06 +0100")

Hello Adrian,

I tried 1, 2 and 3 and observed that wireguard seems to be taking the correct
routing table when using fwmark:

--------------------------------------------------------------------------------
# cat /etc/wireguard/or3ge.conf
[Interface]
PrivateKey = ...
Address = 2a0a:5480:5:2::2/64
Table = off
FwMark = 0x42

[Peer]
PublicKey = 3WNj2YuTTm+5wpsAOauRQ3bEMv/WXcKMDZXbJPB8fx0=
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = 194.5.220.43:5001
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
[09:32] server142.place10:~# ip r sh table 42
194.5.220.0/24 via 192.168.1.254 dev eth1 proto bird metric 32
194.187.90.23 via 192.168.1.254 dev eth1 proto bird metric 32
212.103.65.231 via 192.168.1.254 dev eth1 proto bird metric 32
[09:32] server142.place10:~# ip rule ls
0:      from all lookup local
32765:  from all fwmark 0x42 lookup 42
32766:  from all lookup main
32767:  from all lookup default
--------------------------------------------------------------------------------

So the long story short is that one cannot match on the ip address with
wireguard, potentially because it does not do the address binding by
default.

But I have to say thanks, at least one problem solved for the moment!

Best regards,

Nico

Adrian Larsen <alarsen@maidenheadbridge.com> writes:

> Hi Friends,
>
> You can achieve address binding on a Linux box with a mix of marking,
> ip rules, ip route and Source NAT.
>
> 1) On WG interface, add "FwMark = 0x34" (the value 0x34 is an example,
> you can put any value here)
>
> 2) Create IP Rule "from all fwmark 0x34 lookup rt_wg0_out" -> this
> will force the outgoing packet to use the route table "rt_wg0_out"
>
> 3) On the route table "rt_wg0_out" create the default or specific
> route to force the packet marked with 0x34 to leave using the
> interface where your desired "IP address" resides.
>
> 4) Create a POSTROUTING -> SNAT forcing mark 0x34 via the desired "IP
> address". This will bind your "IP address".
>
> Done! The packet with mark 0x34 will be routed via the correct
> interface using the source IP you want.
>
> I hope this helps.
>
> Best regards,
>
> Adrian Larsen
> Maidenhead Bridge
> Cloud Security Connectors for SSE vendors.
> m: +44 7487640352
> e:alarsen@maidenheadbridge.com
>
> On 09/06/2024 16:39, Nico Schottelius wrote:
>> Jason,
>>
>> may I shortly ask what your opinion is on the patch and whether there is
>> a way forward to make wireguard usable on systems with multiple IP
>> addresses?
>>
>> Best regards,
>>
>> Nico
>>
>> Nico Schottelius <nico.schottelius@ungleich.ch> writes:
>>
>>> d tbsky <tbskyd@gmail.com> writes:
>>>> I remembered how exciting it was when I tested wireguard in 2017, until I
>>>> asked the multi-home question in the list.
>>>> wireguard is beautiful, elegant, fast but not easy to get along with.
>>>> openvpn is not so amazing but it can get the job done.
>>> Nice summary, hits the nail quite well.
>>>
>>> Jason, do you mind having a look at the submitted patches for IP address
>>> binding and comment on them? Or alternatively can you give green light
>>> for generally moving forward so that a direct inclusion in the Linux
>>> kernel would be accepted?
>>>
>>> Best regards,
>>>
>>> Nico
>>>


--
Sustainable and modern Infrastructures by ungleich.ch
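The four steps in Adrian's recipe, written out as a small POSIX shell helper. This is an added example, not a script from either message or from the WireGuard project; the interface names, mark, table id and name, gateway and addresses it is called with are constructed placeholders. It emits the commands as text so they can be reviewed first (the `FwMark = 0x42` / `Table = off` lines in Nico's config are the config-file equivalent of the `wg set ... fwmark` step):

```shell
#!/bin/sh
# Added example: generate (or apply) the marking / ip rule / ip route / SNAT
# steps that bind WireGuard's outgoing UDP packets to one source address.
# Every name and address passed in is a placeholder chosen for illustration.
set -eu

# wg_bind_cmds WG_IF MARK TABLE_ID TABLE_NAME OUT_IF GATEWAY SRC_IP
# Prints one shell command per line and executes nothing itself.
wg_bind_cmds() {
    wg_if=$1; mark=$2; table_id=$3; table_name=$4; out_if=$5; gw=$6; src=$7

    # Refuse anything that is not a hex mark such as 0x34: a typo here would
    # silently produce a rule that never matches.
    case "$mark" in
        0x[0-9a-fA-F]*) ;;
        *) echo "mark must be hex, e.g. 0x34 (got: $mark)" >&2; return 1 ;;
    esac

    # 1) WireGuard marks its own encapsulated UDP packets with this value
    #    (same effect as "FwMark = $mark" under [Interface] in the .conf).
    echo "wg set $wg_if fwmark $mark"

    # Give the table a name so ip rule / ip route can refer to it.
    echo "grep -qw $table_name /etc/iproute2/rt_tables || echo '$table_id $table_name' >> /etc/iproute2/rt_tables"

    # 2) Policy rule: packets carrying the mark consult the dedicated table.
    echo "ip rule add fwmark $mark lookup $table_name"

    # 3) In that table, route via the interface that owns the desired address.
    echo "ip route add default via $gw dev $out_if table $table_name"

    # 4) SNAT only the marked packets leaving that interface to the desired
    #    source address; the rule matches on the mark, not on the source IP.
    echo "iptables -t nat -A POSTROUTING -o $out_if -m mark --mark $mark -j SNAT --to-source $src"
}

# wg_bind_apply: same arguments; with DRY_RUN=1 it only prints the commands.
wg_bind_apply() {
    wg_bind_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "+ $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Usage (dry run, placeholders only):
#   DRY_RUN=1 wg_bind_apply wg0 0x34 100 rt_wg0_out eth1 192.0.2.1 192.0.2.10
```

Two points worth checking after applying it: `ip rule ls` should show the `fwmark 0x34 lookup rt_wg0_out` rule above `main` (as in Nico's listing, where it sits at priority 32765), and `ip route show table rt_wg0_out` should contain a route that actually leaves via `OUT_IF`, otherwise the marked packets fall through to `main` and the SNAT rule on `OUT_IF` never sees them.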
