From: Jan De Landtsheer
Date: Thu, 10 Aug 2017 20:50:15 +0000
Subject: Re: FR: interface ListenAddress (Aka:Multihomed server issue)
To: "Jason A. Donenfeld"
Cc: WireGuard mailing list, Jan De Landtsheer
List-Id: Development discussion of WireGuard

TCP connections work all right, as they’re established sockets, where the kernel does the routing… I assumed you would search for the route yourself ;-)

rcu_dereference_bh(rt->dst.dev->ip_ptr) indeed does, as the packet effectively comes in through the uplink.

In the firewall config I need to specify both interfaces (Uplink and Public, eth1 and eth0 in the drawing) to filter:

    nft add rule ip filter input iif {Uplink,Public} jump public

and define my rules in the public chain:

    nft add rule ip filter public ip daddr 134.56.78.5 udp dport 443 accept

so a packet coming in on Uplink for the wg gets accepted only if the dst ip matches.

nftables FTW ;-)

That in itself is not very important if you have only one uplink, but if you have multiple routes (default gateways) you really need the ip behind the uplinks.

But anyway, tested and confirmed to work now. Many thanks for the quick reply.

On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld wrote:
> Hi Jan,
>
> Thanks for the drawing. So the issue is that you want packets to exit
> through eth1 using the addresses of eth0. I believe applying this
> patch should enable that: http://ix.io/z3d Can you apply that and let
> me know if it works?
>
> I'm curious: do TCP connections generally work correctly with your
> configuration?
>
> Jason
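The two nft commands in the mail, written out as a complete loadable ruleset. This is an added example and is not from the thread or from the WireGuard project: the interface names Uplink and Public and the address 134.56.78.5 are taken from the mail; the drop policy, the conntrack rule, the loopback rule, the counter, and the assumption that WireGuard listens on UDP 443 on the Public address are illustrative assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the mailing-list thread). Assumptions: WireGuard
# listens on UDP 443 on 134.56.78.5, which is configured on interface
# "Public" (eth0 in the drawing); the default route leaves via "Uplink"
# (eth1), so inbound WireGuard packets physically arrive on Uplink.

flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to traffic this host initiated.
        iif lo accept
        ct state established,related accept

        # Whether a packet entered via the uplink NIC or the public NIC is
        # irrelevant; send both to the "public" chain, where the decision
        # is made on destination address, not on ingress interface.
        iif { Uplink, Public } jump public
    }

    chain public {
        # Accept the WireGuard port only when the packet is addressed to
        # the Public IP. A packet that reaches the host through Uplink with
        # any other destination address falls through to the input chain's
        # drop policy. The counter makes it easy to confirm hits.
        ip daddr 134.56.78.5 udp dport 443 counter accept
    }
}
```

Check the syntax without touching the kernel with `nft -c -f ruleset.nft`, load it with `nft -f ruleset.nft`, and confirm that handshakes are matching with `nft list chain ip filter public` (the counter should advance while a peer connects). Two caveats: `iif` resolves interface names to indices when the ruleset is loaded, so an interface that does not exist yet at load time (a wg interface created later, for instance) should be matched with `iifname` instead; and with `policy drop` on input you still need to allow whatever else the host must accept (SSH, ICMP) in the same chain.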