no, very simple …
I have (for the sake of brevity) 2 interfaces:

one is eth0 with ip 123.45.67.1/30 and I have on the box 123.45.67.2 as default gateway.
on that link I bgp peer with 123.45.67.2 and announce my own /24, let’s say 134.56.78.0/24

another eth interface (eth1) hosts several ip addresses and one of these is 134.56.78.5/24

for that interface I allow port 443 to accept packets for

[Interface]
ListenPort = 443

but I do not allow packets to connect to 123.45.67.1/30 on port 443 (as this iface is just my Provider’s /30

when a client connects to 134.56.78.5/24, the wg server tells the client that it’s destination is 123.45.67.1/30 for this link , and that gets of course firewalled.
So reluctantly I opened up port 443 on the uplink interface to accomodate this, erm, inconvenience.

on client side I have a config :

[Peer]
PublicKey = (hidden)
EndPoint = 134.56.78.5:443
AllowedIPs =  0.0.0.0/0

but when connection is established
wg show says :

peer: (hidden)
  endpoint: 123.34.56.1:443
  allowed ips: 10.0.0.0/8
  latest handshake: 36 seconds ago
  transfer: 468.40 MiB received, 17.88 MiB sent

but now of course, when the third interface eth2 will arrive, with another subnet to another provider, my announced IP 134.56.78.5/24 may not be altered by the path taken, otherwise the clients need to reconnect…

but I don’t know for sure… it seems to be a regression somewhere as I don’t recall to have that problem before… I had to add this accept rule last week, suddenly, as some peers could connect, but not transfer packets any more.

Now I understand that wg finds it’s IP by following the shortest path, but that is, in my case, counterproductive.
It should reply with the IP it was spoken to (here 134.56.78.5)

I think ;-)

Jan

On Thu, Aug 10, 2017 at 5:51 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote: