Fwd: Question about origin of packet relative to peer
I think what you are trying to do is make sure that server S1 replies to packets from peer s2 via server S2 and not directly. But the default route table on S1 is going to try to send it directly, because it is valid for peer s2 to connect directly to S1, thus the connection is failing.

The only way I can think of to make this work is to have server S2 connect to server S1 over a different interface. So have e.g. wg0 set up for peers to connect and wg1 for servers to connect. So S1 has both a wg0 and a wg1. S2 connects in by wg1, all peers connect through wg0. Then you can use firewall marks, connmark, saving and restoring in the mangle table, combined with ip rules to look up specific (non-default) routing tables, such that all traffic that is received from wg1 is replied to through wg1 rather than going out wherever the default route would be.

Not for the faint of heart.

DAK.

On Wed, May 27, 2020 at 3:42 PM nicolas prochazka wrote:
>
> Yes, I can mark the WireGuard packet by allowedips but I cannot attach it
> to the associated peer. In my configuration, an IP from WireGuard
> (allowedips) can come from different peers (because I'm using different
> masks for allowedips and multiple tunnels).
> My issue is that a packet can be used by a peer and come back by another
> one (the packet is routed by allowed-ips, not by its peer entry).
>
> Example:
>
> On server side S1
> Peer A (client peer)
>   allowedips 192.168.1.0/24
>
> Peer B (another "wireguard server" S2)
>   allowedIps 192.168.1.100/32
>
> On client side, allowedIp is set on s2 and if s2 is down, set to s1
> peer s1 ==> server S1
> peer s2 ==> server S2 ==> server S1
>
> Of course it does not work, packet routing does not work
> client ==> S2 ==> S1 (peer A) ==> then response routed to peer (B)
>
> Regards,
> Nicolas
>
> On Wed, 27 May 2020 at 13:46, Arti Zirk wrote:
> >
> > On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > > How can I know that a packet comes from peer X?
> > You can check which peer's allowed IPs list covers the received packet's
> > source IP
> >
> > > Is it possible to mark packets not at interface level (wg0) but at peer
> > > level?
> > It's probably possible to generate iptables rules from the peer allowed IPs
> > list that mark packets with different ids
> >
Re: Question about origin of packet relative to peer
Yes, I can mark the WireGuard packet by allowedips but I cannot attach it to the associated peer. In my configuration, an IP from WireGuard (allowedips) can come from different peers (because I'm using different masks for allowedips and multiple tunnels).
My issue is that a packet can be used by a peer and come back by another one (the packet is routed by allowed-ips, not by its peer entry).

Example:

On server side S1
Peer A (client peer)
  allowedips 192.168.1.0/24

Peer B (another "wireguard server" S2)
  allowedIps 192.168.1.100/32

On client side, allowedIp is set on s2 and if s2 is down, set to s1
peer s1 ==> server S1
peer s2 ==> server S2 ==> server S1

Of course it does not work, packet routing does not work
client ==> S2 ==> S1 (peer A) ==> then response routed to peer (B)

Regards,
Nicolas

On Wed, 27 May 2020 at 13:46, Arti Zirk wrote:
>
> On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > How can I know that a packet comes from peer X?
> You can check which peer's allowed IPs list covers the received packet's
> source IP
>
> > Is it possible to mark packets not at interface level (wg0) but at peer
> > level?
> It's probably possible to generate iptables rules from the peer allowed IPs
> list that mark packets with different ids
>
Re: Question about origin of packet relative to peer
On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> How can I know that a packet comes from peer X?
You can check which peer's allowed IPs list covers the received packet's source IP

> Is it possible to mark packets not at interface level (wg0) but at peer
> level?
It's probably possible to generate iptables rules from the peer allowed IPs list that mark packets with different ids
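The rule generation Arti suggests, as an added example that is not code from anyone in this thread: a POSIX shell function that turns a `wg show wg0 allowed-ips` listing into one MARK rule per peer and prefix in the mangle table. The sample listing and its peer keys are constructed placeholders, and the rules are emitted longest prefix first, so that in Nicolas's overlapping layout the /32 of peer B is matched before the /24 of peer A, the same precedence WireGuard's own cryptokey routing applies.

```shell
# Constructed sample of `wg show wg0 allowed-ips` output: one line per peer,
# base64 public key, a TAB, then space-separated CIDRs (placeholder keys).
SAMPLE_ALLOWED_IPS='PEER_A_PUBKEY_PLACEHOLDER=	192.168.1.0/24 10.7.0.0/16
PEER_B_PUBKEY_PLACEHOLDER=	192.168.1.100/32
PEER_C_PUBKEY_PLACEHOLDER=	(none)'

# gen_peer_marks IFACE  (reads an allowed-ips listing on stdin)
# Prints one mangle-table MARK rule per (peer, CIDR); the mark is the peer's
# position in the listing. Rules are ordered longest prefix first so that an
# overlapping /32 (peer B) is matched before the /24 (peer A). Nothing is
# executed here: review the output, then pipe it into sh. IPv4 rules only;
# IPv6 prefixes would need the same rules under ip6tables.
gen_peer_marks() {
  iface="$1"
  awk '
    $2 == "(none)" { next }            # peer without allowed IPs: nothing to match
    {
      key[NR] = $1
      for (i = 2; i <= NF; i++) { n++; cidr[n] = $i; owner[n] = NR }
    }
    END {
      for (i = 1; i <= n; i++) {
        split(cidr[i], p, "/")
        plen = (p[2] == "") ? 32 : p[2] + 0
        # sort key: smaller number = longer prefix = earlier rule
        printf "%03d %d %s %s\n", 128 - plen, owner[i], cidr[i], key[owner[i]]
      }
    }' | sort | while read -r prio mark c pk; do
      printf 'iptables -t mangle -A PREROUTING -i %s -s %s -j MARK --set-mark %s -m comment --comment "peer %s"\n' \
        "$iface" "$c" "$mark" "$pk"
  done
}

# Against a live interface:  wg show wg0 allowed-ips | gen_peer_marks wg0
```

The source-address match is trustworthy only because WireGuard already drops a decrypted packet whose source IP lies outside the sending peer's allowed IPs, so on wg0 the source prefix does identify the peer; regenerate the rules whenever a peer's allowed IPs change.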
Question about origin of packet relative to peer
Hello,

Using one WireGuard interface with multiple peers, how can I know that a packet comes from peer X? Is it possible to mark packets not at interface level (wg0) but at peer level? I can dump packets at wg0 but I lose the peer origin.

Thanks,
Nicolas

interface: wg0
  public key: A
  private key: (hidden)
  listening port: 6081

peer: B
  preshared key: (hidden)
  endpoint: ipb
  allowed ips:
  latest handshake: 1 minute, 27 seconds ago
  transfer: 1.61 MiB received, 6.20 MiB sent
  persistent keepalive: every 25 seconds

peer: C
  preshared key: (hidden)
  endpoint: ipc
  allowed ips:
  latest handshake: 1 minute, 38 seconds ago
  transfer: 24.75 KiB received, 309.71 KiB sent
  persistent keepalive: every 25 seconds