Re: Strange firewall dnat rule to make WireGuard work on dual-interface

Re: Strange firewall dnat rule to make WireGuard work on dual-interface

[James]

[-- Attachment #1.1: Type: text/plain, Size: 818 bytes --]

(Apologies in advance if this email gets orphaned. I don't understand how
mailing lists work.)

What I can see is that wireguard uses the default route interface as it's
source IP for any outgoing packets. This means that if you receive a
connection request from eth1, if the default route is eth0 it will attempt
to send out on the IP of eth0.
By design or lack of features, it ignores what the interface and IP the
incoming packet was received on.

I'm trying to do something similar to you but even with your IPtables I
can't get mine to work. I have a more complicated setup and I can't seem to
get the outbound packets to follow a routing table using a mark.
My current solution is to rebuild my vpns and iptables by changing my
routes to make wireguard defaultly reply on the correct interface for my
situation.

[-- Attachment #1.2: Type: text/html, Size: 954 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Strange firewall dnat rule to make WireGuard work on dual-interface

[Simone Rossetto]

Hi James

Il giorno mer 25 set 2019 alle ore 10:51 James
<james.b.price@gmail.com> ha scritto:
> By design or lack of features, it ignores what the interface and IP the incoming packet was received on.

Yes, it seams that.

> I'm trying to do something similar to you but even with your IPtables I can't get mine to work. I have a more complicated setup and I can't seem to get the outbound packets to follow a routing table using a mark.

Maybe I can help you... tell me which is your configuration and what
you need to accomplish.


Bye
Simone
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Strange firewall dnat rule to make WireGuard work on dual-interface

[James]

[-- Attachment #1.1: Type: text/plain, Size: 1201 bytes --]

Thanks for the reply.
I was able to get it to work. I had an issue with my iptables when trying
to copy and understand your example.
I was using the NEW and Related,established marking in the wrong way that
resulted in forward marks being cleared for related an established packets.
All good now. Your original post is the best I've found in regards to
required iptables entries for a dual interface setup.

I still think this behavior is in "bug territory". The wg server should be
replying with the same ip address that it received packets on.

On Fri, 4 Oct 2019 at 08:52, Simone Rossetto <simros85@gmail.com> wrote:

> Hi James
>
> Il giorno mer 25 set 2019 alle ore 10:51 James
> <james.b.price@gmail.com> ha scritto:
> > By design or lack of features, it ignores what the interface and IP the
> incoming packet was received on.
>
> Yes, it seams that.
>
> > I'm trying to do something similar to you but even with your IPtables I
> can't get mine to work. I have a more complicated setup and I can't seem to
> get the outbound packets to follow a routing table using a mark.
>
> Maybe I can help you... tell me which is your configuration and what
> you need to accomplish.
>
>
> Bye
> Simone
>

[-- Attachment #1.2: Type: text/html, Size: 1671 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard