Development discussion of WireGuard
* Policy-based routing
@ 2018-03-09 19:38 Bruno
  2018-03-09 21:35 ` Matthias Urlichs
  2018-04-14  2:09 ` Jason A. Donenfeld
  0 siblings, 2 replies; 4+ messages in thread
From: Bruno @ 2018-03-09 19:38 UTC
  To: wireguard

Hello,

I'm trying to set up policy-based routing on a WireGuard instance. I
didn't want to call it a server, because it acts more like a proxy.

Let's say I have 6 peers plus this wireguard server.

Peer 2  Peer 3   Peer 4
  \/       \/       \/
______________________
|                     |
| Wireguard "server"  |
|                     |
|_____________________|
  \/       \/       \/
Peer 5  Peer 6   Peer 7

Wireguard "server"
Address = 10.0.0.1/24

Peers 2-7
Address = 10.0.0.2-7/24, respectively.

So, what I'm trying to do is route traffic to Peer 7, for example, if it
is coming from Peer 2. I can do it with some `ip rule` and `ip route`
commands. However, WireGuard seems to be blocking that traffic. So, I
want peers 5-7 to act as gateways to the internet and I would choose it
via the Linux environment.

Peers 5-7 would be WireGuard servers that would route all traffic to the
internet. So, on the WireGuard instance (10.0.0.1/24, "server"), I have
to set allowed IPs for peers 5-7 to "0.0.0.0/0", correct? Does WireGuard
accept that? In my tests it would just pick one to have allowed IPs of
0.0.0.0/0 and set the others to (none). Then, I couldn't reach traffic
either from or to those other peers.

On the wireguard "server" I would set allowed-IPs to peers 2-4 as 
10.0.0.2/32-10.0.0.4/32 as I don't need traffic going through it, just 
coming from it.

Is it possible to achieve that with wireguard?

Thanks!


* Re: Policy-based routing
  2018-03-09 19:38 Policy-based routing Bruno
@ 2018-03-09 21:35 ` Matthias Urlichs
  2018-04-14  2:09 ` Jason A. Donenfeld
  1 sibling, 0 replies; 4+ messages in thread
From: Matthias Urlichs @ 2018-03-09 21:35 UTC
  To: wireguard

Hi,
> Is it possible to achieve that with wireguard? 

You need to set up multiple wireguard interfaces (on different ports of
course).

Then you can use traditional Linux routing techniques.

-- 
-- Matthias Urlichs


* Re: Policy-based routing
  2018-03-09 19:38 Policy-based routing Bruno
  2018-03-09 21:35 ` Matthias Urlichs
@ 2018-04-14  2:09 ` Jason A. Donenfeld
  2018-04-14 18:44   ` Bruno
  1 sibling, 1 reply; 4+ messages in thread
From: Jason A. Donenfeld @ 2018-04-14  2:09 UTC
  To: Bruno; +Cc: WireGuard mailing list

Hi Bruno,

You can't set multiple peers to use 0.0.0.0/0 at the same time on the
same interface. How would it be able to choose which peer to send
traffic to then? Instead, if you want some kind of redundancy or
bonding, you can try using multiple interfaces, and then use whatever
traditional routing or load balancing tools that you ordinarily would.

Jason


* Re: Policy-based routing
  2018-04-14  2:09 ` Jason A. Donenfeld
@ 2018-04-14 18:44   ` Bruno
  0 siblings, 0 replies; 4+ messages in thread
From: Bruno @ 2018-04-14 18:44 UTC
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Hi Jason,

Thanks for your input. I agree with you.

But I could have the peers based on table routing and marking packets,
where all the traffic (0.0.0.0/0) would be routed based on the prior
conditions (tables and marking).

I'm doing one interface per peer right now, but I thought it could be 
possible to achieve the same results with just one interface.

Bruno



On 04/13/2018 11:09 PM, Jason A. Donenfeld wrote:
> Hi Bruno,
>
> You can't set multiple peers to use 0.0.0.0/0 at the same time on the
> same interface. How would it be able to choose which peer to send
> traffic to then? Instead, if you want some kind of redundancy or
> bonding, you can try using multiple interfaces, and then use whatever
> traditional routing or load balancing tools that you ordinarily would.
>
> Jason
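
The layout the replies recommend (one WireGuard interface per exit peer, each with allowed-ips 0.0.0.0/0, plus ordinary Linux policy routing), sketched as an added example that is not part of the original thread. It only prints the commands. Interface names, table numbers, listen ports, key paths, public keys and endpoints are assumed placeholders, and wg0 is taken to be the existing interface (10.0.0.1/24) that already holds peers 2-4 with /32 allowed IPs.

```shell
#!/bin/sh
# Dry-run generator: prints the commands, changes nothing on the system.
# Assumed (not from the thread): wgN interface names, table ids 100+N,
# listen ports 51820+N, key file paths, public keys and endpoints.

# exit_iface N PUBKEY ENDPOINT
# Dedicated interface for exit peer N. Because it is the only peer on wgN,
# allowed-ips 0.0.0.0/0 is unambiguous, and replies from any internet
# source address pass WireGuard's inbound allowed-ips check.
exit_iface() {
    n=$1 pubkey=$2 endpoint=$3
    echo "ip link add wg$n type wireguard"
    echo "wg set wg$n listen-port $((51820 + n)) private-key /etc/wireguard/wg$n.key" \
         "peer $pubkey endpoint $endpoint allowed-ips 0.0.0.0/0"
    echo "ip link set wg$n up"
    # Per-exit routing table holding nothing but a default route out of wgN.
    echo "ip route add default dev wg$n table $((100 + n))"
}

# steer CLIENT_IP N
# Forwarded traffic that enters on wg0 from CLIENT_IP is looked up in exit
# N's table. "iif wg0" keeps the rule away from locally generated traffic.
steer() {
    echo "ip rule add iif wg0 from $1 lookup $((100 + $2))"
}

plan() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    exit_iface 5 PEER5_PUBLIC_KEY peer5.example.net:51820
    exit_iface 6 PEER6_PUBLIC_KEY peer6.example.net:51820
    exit_iface 7 PEER7_PUBLIC_KEY peer7.example.net:51820
    steer 10.0.0.2 7   # the thread's example: Peer 2 leaves via Peer 7
    steer 10.0.0.3 5   # constructed mapping
    steer 10.0.0.4 6   # constructed mapping
}

plan
```

Each exit peer still has to accept the client source addresses in its own allowed IPs (or the proxy has to NAT them), which the thread does not cover. With strict reverse-path filtering (rp_filter=1) on the proxy, replies arriving on wgN can be dropped because the reverse lookup does not match the `iif wg0` rule.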
