Question about origin of packet relative to peer

Question about origin of packet relative to peer

[nicolas prochazka]

Hello,
Using one wireguard Interface, with multiple peer
How can i know that a packet come from peer X ?
Is is possible to mark packet not a level interface (wg0) but at peer level ?
I can dump packet at wg0 but i lost the peer origin.

Thanks,
Nicolas

interface: wg0
  public key: A
  private key: (hidden)
  listening port: 6081

peer: B
  preshared key: (hidden)
  endpoint: ipb
  allowed ips:
  latest handshake: 1 minute, 27 seconds ago
  transfer: 1.61 MiB received, 6.20 MiB sent
  persistent keepalive: every 25 seconds

peer:C
  preshared key: (hidden)
  endpoint: ipc
  allowed ips:
  latest handshake: 1 minute, 38 seconds ago
  transfer: 24.75 KiB received, 309.71 KiB sent
  persistent keepalive: every 25 seconds

Re: Question about origin of packet relative to peer

[Arti Zirk]

On K, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> How can i know that a packet come from peer X ?
You can check which peers allowed ips list covers the received packets
source ip

> Is is possible to mark packet not a level interface (wg0) but at peer
> level ?
Its probably possible to generate iptables rules from peer allowed ips
list that marks packets with different ids

Re: Question about origin of packet relative to peer

[nicolas prochazka]

Yes, I can mark the  wireguard packet  allowedips but i cannot attach
to the associated peer.In my configuration, ip from wireguard (
alllowedip) can come from different peer ( because i'm using different
mask for allowedips and multiple tunnel).
My issue is that a packet can be used by a peer and come back by an
other one ( the packet is routing by allowed-ips, not by it's peer
entry

Example :

On server side S1
Peer A (client peer)
allowedips 192.168.1.0/24

Peer B  ( an other "wireguard server"  S2  )
allowedIps 192.168.1.100/32

On client Side, allowedIp is set on s2 and if s2 down , set to s1
peer s1 ==> server S1
peer s2 ==> server S2 ==> server S1

Of course it does not work, packet routing does not work
client ==> S2 ==>  S1 (peer A)  ==>  then response route to peer (B)

Regards,
Nicolas




Le mer. 27 mai 2020 à 13:46, Arti Zirk <arti.zirk@gmail.com> a écrit :
>
> On K, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > How can i know that a packet come from peer X ?
> You can check which peers allowed ips list covers the received packets
> source ip
>
> > Is is possible to mark packet not a level interface (wg0) but at peer
> > level ?
> Its probably possible to generate iptables rules from peer allowed ips
> list that marks packets with different ids
>

Fwd: Question about origin of packet relative to peer

[David Kerr]

I think what you are trying to do is make sure that server S1 replies
to packet from peer s2 via server S2 and not direct.  But that the
default route table on S1 is going to try and send it directly because
it is valid for peer s2 to connect directly to S1, thus the connection
is failing.  The only way I can think to make this work is to have
server S2 connect to server S1 over a different interface.  So have
e.g. wg0 setup for peers to connect and wg1 for servers to connect.
So S1 has both a wg0 and a wg1.  S2 connects in by wg1, all peers
connect through wg0.

Then you can use firewall marks, connmark, saving and restoring in the
mangle table, combined with ip rules to lookup specific (none default)
routing tables such that all traffic that is received from wg1 is
replied to through wg1 rather than going out wherever the default
route would be.  Not for the faint of heart.

DAK.


On Wed, May 27, 2020 at 3:42 PM nicolas prochazka
<prochazka.nicolas@gmail.com> wrote:
>
> Yes, I can mark the  wireguard packet  allowedips but i cannot attach
> to the associated peer.In my configuration, ip from wireguard (
> alllowedip) can come from different peer ( because i'm using different
> mask for allowedips and multiple tunnel).
> My issue is that a packet can be used by a peer and come back by an
> other one ( the packet is routing by allowed-ips, not by it's peer
> entry
>
> Example :
>
> On server side S1
> Peer A (client peer)
> allowedips 192.168.1.0/24
>
> Peer B  ( an other "wireguard server"  S2  )
> allowedIps 192.168.1.100/32
>
> On client Side, allowedIp is set on s2 and if s2 down , set to s1
> peer s1 ==> server S1
> peer s2 ==> server S2 ==> server S1
>
> Of course it does not work, packet routing does not work
> client ==> S2 ==>  S1 (peer A)  ==>  then response route to peer (B)
>
> Regards,
> Nicolas
>
>
>
>
> Le mer. 27 mai 2020 à 13:46, Arti Zirk <arti.zirk@gmail.com> a écrit :
> >
> > On K, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > > How can i know that a packet come from peer X ?
> > You can check which peers allowed ips list covers the received packets
> > source ip
> >
> > > Is is possible to mark packet not a level interface (wg0) but at peer
> > > level ?
> > Its probably possible to generate iptables rules from peer allowed ips
> > list that marks packets with different ids
> >