Hello Adrian,

I tried 1, 2 and 3 and observed that wireguard seems to be taking the
correct routing table when using fwmark:

--------------------------------------------------------------------------------
# cat /etc/wireguard/or3ge.conf
[Interface]
PrivateKey = ...
Address = 2a0a:5480:5:2::2/64
Table = off
FwMark = 0x42

[Peer]
PublicKey = 3WNj2YuTTm+5wpsAOauRQ3bEMv/WXcKMDZXbJPB8fx0=
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = 194.5.220.43:5001
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
[09:32] server142.place10:~# ip r sh table 42
194.5.220.0/24 via 192.168.1.254 dev eth1 proto bird metric 32
194.187.90.23 via 192.168.1.254 dev eth1 proto bird metric 32
212.103.65.231 via 192.168.1.254 dev eth1 proto bird metric 32
[09:32] server142.place10:~# ip rule ls
0: from all lookup local
32765: from all fwmark 0x42 lookup 42
32766: from all lookup main
32767: from all lookup default
--------------------------------------------------------------------------------

So the long story short is that one cannot match on the ip address with
wireguard, potentially because it does not do the address binding by
default.

But I have to say thanks, at least one problem solved for the moment!

Best regards,

Nico

Adrian Larsen writes:

> Hi Friends,
>
> You can achieve address binding on a Linux box with a mix of marking,
> ip rules, ip route and Source NAT.
>
> 1) On WG interface, add "FwMark = 0x34" (the value 0x34 is an example,
> you can put any value here)
>
> 2) Create IP Rule "from all fwmark 0x34 lookup rt_wg0_out" -> this
> will force the outgoing packet to use the route table "rt_wg0_out"
>
> 3) On the route table "rt_wg0_out" create the default or specific
> route to force the packet marked with 0x34 to leave using the
> interface where your desired "IP address" resides.
>
> 4) Create a POSTROUTING -> SNAT forcing mark 0x34 via the desired "IP
> address". This will bind your "IP address".
>
> Done! The packet with mark 0x34 will be routed via the correct
> interface using the source IP you want.
>
> I hope this helps.
>
> Best regards,
>
> Adrian Larsen
> Maidenhead Bridge
> Cloud Security Connectors for SSE vendors.
> m: +44 7487640352
> e:alarsen@maidenheadbridge.com
>
> On 09/06/2024 16:39, Nico Schottelius wrote:
>> Jason,
>>
>> may I shortly ask what your opinion is on the patch and whether there is
>> a way forward to make wireguard usable on systems with multiple IP
>> addresses?
>>
>> Best regards,
>>
>> Nico
>>
>> Nico Schottelius writes:
>>
>>> d tbsky writes:
>>>> I remembered how exciting when I tested wireguard at 2017. until I
>>>> asked multi-home question in the list.
>>>> wireguard is beautiful, elegant, fast but not easy to get along with.
>>>> openvpn is not so amazing but it can get the job done.
>>> Nice summary, hits the nail quite well.
>>>
>>> Jason, do you mind having a look at the submitted patches for IP address
>>> binding and comment on them? Or alternatively can you give green light
>>> for generally moving forward so that a direct inclusion in the Linux
>>> kernel would be accepted?
>>>
>>> Best regards,
>>>
>>> Nico
>>>
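The consistency check Nico does by eye in the message above (FwMark in the WireGuard config, the matching `ip rule`, and a route to the peer endpoint in the selected table) can be scripted. This is an added example, not code from the thread or from the WireGuard project; the function names are hypothetical, and it assumes a single-peer config whose Endpoint is an IP literal.

```python
import ipaddress
import re

# Added example, hypothetical helper names. Inputs: abridged thread outputs.
WG_CONF = """[Interface]
FwMark = 0x42
[Peer]
Endpoint = 194.5.220.43:5001
"""
IP_RULES = """0: from all lookup local
32765: from all fwmark 0x42 lookup 42
32766: from all lookup main
32767: from all lookup default
"""
TABLE_42 = """194.5.220.0/24 via 192.168.1.254 dev eth1 proto bird metric 32
194.187.90.23 via 192.168.1.254 dev eth1 proto bird metric 32
212.103.65.231 via 192.168.1.254 dev eth1 proto bird metric 32
"""

def wg_settings(conf):
    """(fwmark, endpoint host) from a single-peer wg-quick config."""
    mark = re.search(r"(?mi)^\s*FwMark\s*=\s*(\S+)", conf).group(1)
    host = re.search(r"(?mi)^\s*Endpoint\s*=\s*(\S+):\d+", conf).group(1)
    return int(mark, 0), host.strip("[]")

def table_for_mark(rules, mark):
    """Table selected by the first `ip rule` line matching this fwmark."""
    hits = re.findall(r"fwmark (0x[0-9a-f]+)\S* lookup (\S+)", rules)
    return next((t for m, t in hits if int(m, 16) == mark), None)

def route_for(table_dump, dst):
    """Longest-prefix match of dst in `ip route show table N` output."""
    dst, best = ipaddress.ip_address(dst), None
    for line in filter(None, map(str.strip, table_dump.splitlines())):
        first = line.split()[0]
        if first == "default":
            first = "::/0" if dst.version == 6 else "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(first, strict=False)
        except ValueError:  # "unreachable", "blackhole" and similar lines
            continue
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, line)
    return best[1] if best else None

def check(conf, rules, table_dump):
    mark, endpoint = wg_settings(conf)
    table = table_for_mark(rules, mark)
    return table, (route_for(table_dump, endpoint) if table else None)
```

A `None` in either position of the result means the marked packets have no matching rule, or the selected table has no route to the endpoint and lookup falls through to the next rule.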