Development discussion of WireGuard
* Fwd: Wireguard address binding - how to fix?
       [not found] <740ee793-0ed2-4cf6-ba4a-07268b46b761@maidenheadbridge.com>
@ 2024-06-24  9:36 ` Adrian Larsen
  2024-06-27 11:33   ` Nico Schottelius
  0 siblings, 1 reply; 2+ messages in thread
From: Adrian Larsen @ 2024-06-24  9:36 UTC (permalink / raw)
  To: wireguard

Hi Friends,

You can achieve address binding on a Linux box with a mix of marking, ip 
rules, ip route and Source NAT.

1) On WG interface, add "FwMark = 0x34" (the value 0x34 is an example, 
you can put any value here)

2) Create IP Rule "from all fwmark 0x34 lookup rt_wg0_out" -> this will 
force the outgoing packet to use the route table "rt_wg0_out"

3) On the route table "rt_wg0_out" create the default or specific route 
to force the packet marked with 0x34 to leave using the interface where 
your desired "IP address" resides.

4) Create a POSTROUTING -> SNAT forcing mark 0x34 via the desired "IP 
address". This will bind your "IP address".

Done! The packet with mark 0x34 will be routed via the correct interface 
using the source IP you want.

I hope this helps.

Best regards,

Adrian Larsen
Maidenhead Bridge
Cloud Security Connectors for SSE vendors.
m: +44 7487640352
e:alarsen@maidenheadbridge.com

On 09/06/2024 16:39, Nico Schottelius wrote:
> Jason,
>
> may I shortly ask what your opinion is on the patch and whether there is
> a way forward to make wireguard usable on systems with multiple IP
> addresses?
>
> Best regards,
>
> Nico
>
> Nico Schottelius<nico.schottelius@ungleich.ch>  writes:
>
>> d tbsky<tbskyd@gmail.com>  writes:
>>> I remembered how exciting it was when I tested wireguard in 2017, until I
>>> asked the multi-home question on the list.
>>> wireguard is beautiful, elegant, fast but not easy to get along with.
>>> openvpn is not so amazing but it can get the job done.
>> Nice summary, hits the nail quite well.
>>
>> Jason, do you mind having a look at the submitted patches for IP address
>> binding and comment on them? Or alternatively can you give green light
>> for generally moving forward so that a direct inclusion in the Linux
>> kernel would be accepted?
>>
>> Best regards,
>>
>> Nico
>>



* Re: Fwd: Wireguard address binding - how to fix?
  2024-06-24  9:36 ` Fwd: Wireguard address binding - how to fix? Adrian Larsen
@ 2024-06-27 11:33   ` Nico Schottelius
  0 siblings, 0 replies; 2+ messages in thread
From: Nico Schottelius @ 2024-06-27 11:33 UTC (permalink / raw)
  To: Adrian Larsen; +Cc: wireguard



Hello Adrian,

I tried 1,2 and 3 and observed that wireguard seems to be taking the correct
routing table when using fwmark:

--------------------------------------------------------------------------------
# cat /etc/wireguard/or3ge.conf
[Interface]
PrivateKey = ...
Address = 2a0a:5480:5:2::2/64
Table = off
FwMark = 0x42

[Peer]
PublicKey = 3WNj2YuTTm+5wpsAOauRQ3bEMv/WXcKMDZXbJPB8fx0=
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = 194.5.220.43:5001
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
[09:32] server142.place10:~# ip r sh table 42
194.5.220.0/24 via 192.168.1.254 dev eth1 proto bird metric 32
194.187.90.23 via 192.168.1.254 dev eth1 proto bird metric 32
212.103.65.231 via 192.168.1.254 dev eth1 proto bird metric 32
[09:32] server142.place10:~# ip rule ls
0:      from all lookup local
32765:  from all fwmark 0x42 lookup 42
32766:  from all lookup main
32767:  from all lookup default
--------------------------------------------------------------------------------

So the long story short is that one cannot match on the ip address with
wireguard, potentially because it does not do the address binding by
default.

But I have to say thanks, at least one problem solved for the moment!

Best regards,

Nico

Adrian Larsen <alarsen@maidenheadbridge.com> writes:

> Hi Friends,
>
> You can achieve address binding on a Linux box with a mix of marking,
> ip rules, ip route and Source NAT.
>
> 1) On WG interface, add "FwMark = 0x34" (the value 0x34 is an example,
> you can put any value here)
>
> 2) Create IP Rule "from all fwmark 0x34 lookup rt_wg0_out" -> this
> will force the outgoing packet to use the route table "rt_wg0_out"
>
> 3) On the route table "rt_wg0_out" create the default or specific
> route to force the packet marked with 0x34 to leave using the
> interface where your desired "IP address" resides.
>
> 4) Create a POSTROUTING -> SNAT forcing mark 0x34 via the desired "IP
> address". This will bind your "IP address".
>
> Done! The packet with mark 0x34 will be routed via the correct
> interface using the source IP you want.
>
> I hope this helps.
>
> Best regards,
>
> Adrian Larsen
> Maidenhead Bridge
> Cloud Security Connectors for SSE vendors.
> m: +44 7487640352
> e:alarsen@maidenheadbridge.com
>
> On 09/06/2024 16:39, Nico Schottelius wrote:
>> Jason,
>>
>> may I shortly ask what your opinion is on the patch and whether there is
>> a way forward to make wireguard usable on systems with multiple IP
>> addresses?
>>
>> Best regards,
>>
>> Nico
>>
>> Nico Schottelius<nico.schottelius@ungleich.ch>  writes:
>>
>>> d tbsky<tbskyd@gmail.com>  writes:
>>>> I remembered how exciting it was when I tested wireguard in 2017, until I
>>>> asked the multi-home question on the list.
>>>> wireguard is beautiful, elegant, fast but not easy to get along with.
>>>> openvpn is not so amazing but it can get the job done.
>>> Nice summary, hits the nail quite well.
>>>
>>> Jason, do you mind having a look at the submitted patches for IP address
>>> binding and comment on them? Or alternatively can you give green light
>>> for generally moving forward so that a direct inclusion in the Linux
>>> kernel would be accepted?
>>>
>>> Best regards,
>>>
>>> Nico
>>>



--
Sustainable and modern Infrastructures by ungleich.ch
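Adrian's four steps, and the fwmark rule / routing-table layout Nico shows in his reply, as one added shell script. This is example code written for this page, not something either poster sent. It assumes step 1 (FwMark in the [Interface] section, with Table = off so wg-quick does not add its own policy rules) is already in the WireGuard config, and it assumes interface eth1, gateway 192.168.1.254, the documentation address 203.0.113.10 as the source to bind to, and routing-table number 200 for the name rt_wg0_out; every one of those values is a placeholder. Setting DRY_RUN=1 prints the commands instead of executing them, and has_fwmark_rule checks an ip rule listing (live or saved) for the expected rule.

```shell
#!/bin/sh
# Added example (not from the thread): bind a WireGuard interface's outgoing
# UDP to a chosen source address with fwmark + policy routing + SNAT.
# Assumed placeholders: eth1, 192.168.1.254, 203.0.113.10, table 200/rt_wg0_out.
# Step 1 lives in the WireGuard config itself: "FwMark = 0x34" under [Interface].
set -eu

# Execute a command, or print it when DRY_RUN=1 (lets the script be reviewed first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make the symbolic table name resolvable: rt_tables maps a number to a name.
ensure_rt_table() {
    if ! grep -qs "[[:space:]]$2\$" /etc/iproute2/rt_tables; then
        run sh -c "echo '$1 $2' >> /etc/iproute2/rt_tables"
    fi
}

# Steps 2-4: policy rule, route, SNAT. Each line is only added when missing,
# so the function can be re-run safely.
wg_bind_setup() {
    mark=$1; table=$2; iface=$3; gw=$4; src=$5
    # 2) packets carrying the mark consult our table before main
    ip rule show 2>/dev/null | grep -q "fwmark $mark lookup $table" \
        || run ip rule add fwmark "$mark" lookup "$table" priority 1000
    # 3) that table pushes everything out the interface that owns $src
    run ip route replace default via "$gw" dev "$iface" table "$table"
    # 4) rewrite the source so the UDP packet leaves with $src; conntrack
    #    maps the peer's replies back to the WireGuard socket
    iptables -t nat -C POSTROUTING -o "$iface" -m mark --mark "$mark" \
        -j SNAT --to-source "$src" 2>/dev/null \
        || run iptables -t nat -A POSTROUTING -o "$iface" -m mark --mark "$mark" \
            -j SNAT --to-source "$src"
}

# Verification: read an "ip rule ls" listing on stdin and return 0 when a
# "fwmark MARK lookup TABLE" rule is present, 1 otherwise. Works on live
# output ("ip rule ls | has_fwmark_rule 0x42 42") or on a saved listing.
has_fwmark_rule() {
    awk -v m="$1" -v t="$2" '
        $0 ~ ("fwmark " m " lookup " t "$") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Usage: ./wg-bind.sh apply   (run as root, or with DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
    ensure_rt_table 200 rt_wg0_out
    wg_bind_setup 0x34 rt_wg0_out eth1 192.168.1.254 203.0.113.10
    ip rule ls | has_fwmark_rule 0x34 rt_wg0_out && echo "fwmark rule in place"
fi
```

The rule gets an explicit priority below main (1000) so it is consulted first, as in Nico's listing where the fwmark 0x42 rule sits at 32765 ahead of main at 32766. The SNAT match is restricted to the mark and the egress interface, so only WireGuard's own UDP is rewritten and the rest of the host's traffic keeps its normal source address.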


