Development discussion of WireGuard
From: "Steven Honson" <steven@honson.id.au>
To: wireguard@lists.zx2c4.com
Subject: Re: Tunnel traffic in VRF
Date: Sat, 25 Jan 2020 17:55:55 +1100	[thread overview]
Message-ID: <ea889cc3-9599-4218-a8cc-6daa9d2965e2@www.fastmail.com> (raw)
In-Reply-To: <9420fa01-61b9-73cb-21f4-681bf8015b7b@orlandi.com>

Hi Daniele,

By VRFs, do you mean Linux network namespaces, or something different?

If network namespaces, https://www.wireguard.com/netns/#routing-network-namespace-integration talks a little about WireGuard's behaviour, but the TLDR is that you need to create the WireGuard interface in the namespace you wish for the outer packets to be bound to, and then move it to the namespace you wish the inner packets to be in, which can be the `init` namespace if you desire.

Cheers,
Steven

On Fri, 24 Jan 2020, at 11:03 AM, Daniele Orlandi wrote:
> 
> Hello,
> 
> I'm attempting to route the WG tunnel traffic (not the inside traffic)
> on a VRF.
> 
> I was able to use an ip rule + fwmark to route outgoing packets to the
> proper VRF, however the incoming traffic *seems* to be rejected due to
> the UDP socket not being bound to an interface in the VRF.
> 
> 00:56:35.606766 IP 172.16.16.32.5180 > 45.66.80.144.5180: UDP, length 148
> 00:56:35.922547 IP 45.66.80.144.5180 > 172.16.16.32.5180: UDP, length 92
> 00:56:35.922680 IP 172.16.16.32 > 45.66.80.144: ICMP 172.16.16.32 udp
> port 5180 unreachable, length 128
> 
> 
> Is there any workaround you know of? Would you consider implementing
> binding to an interface like other tunnel interfaces do?
> 
> 
> (The infrastructure is already present by using the bind_ifindex field
> of udp_port_cfg passed to udp_sock_create)
> 
> Thank you,
> regards,
> 
> -- 
>   Daniele Orlandi
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
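The two-namespace setup described in the reply above, as an added example that is not part of the list post: a POSIX shell function that emits the command sequence (create the interface in the namespace that should carry the outer UDP packets, move it, then configure it in the namespace that should see the inner traffic). The namespace names, the `wg0` interface name and the config path are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Builds the command sequence
# for creating a WireGuard interface in one network namespace and moving it to
# another, so the encrypted UDP socket stays in OUTER_NS while the decrypted
# tunnel traffic appears in INNER_NS. The name "init" stands for the default
# (pid 1) namespace; all other names are assumed netns names.

# in_ns NS CMD...: prefix CMD with `ip netns exec NS` unless NS is init.
in_ns() {
    ns=$1; shift
    if [ "$ns" = init ]; then
        echo "$*"
    else
        echo "ip netns exec $ns $*"
    fi
}

# wg_netns_cmds OUTER_NS INNER_NS IFNAME: print one command per line.
# Pipe the output to sh (as root) to apply it, or review it first.
wg_netns_cmds() {
    outer=$1; inner=$2; ifname=$3
    # `ip link set ... netns` accepts a netns name or a pid; use pid 1 for init.
    target=$inner
    [ "$inner" = init ] && target=1

    # The inner namespace must exist before the interface can be moved into it.
    [ "$inner" = init ] || echo "ip netns add $inner"
    # 1. Create the interface where the outer (encrypted) packets are bound;
    #    WireGuard remembers this namespace for its UDP socket.
    in_ns "$outer" ip link add "$ifname" type wireguard
    # 2. Move the interface to the namespace that should use the tunnel.
    in_ns "$outer" ip link set "$ifname" netns "$target"
    # 3. Configure keys/peers and bring it up inside the inner namespace;
    #    the socket stays in OUTER_NS (assumed config path shown).
    in_ns "$inner" wg setconf "$ifname" "/etc/wireguard/$ifname.conf"
    in_ns "$inner" ip link set "$ifname" up
}
```

Run `wg_netns_cmds physical init wg0` to keep the socket in an assumed `physical` namespace while the tunnel lands in the default namespace, or `wg_netns_cmds init container wg0` for the reverse.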