TCP connections work all right, as they’re established sockets, where the
kernel does the routing… I assumed you would search for the route yourself
;-)
rcu_dereference_bh(rt->dst.dev->ip_ptr) indeed does, as the packet
effectively comes in through the uplink.

In the firewall config I need to specify both interfaces (Uplink and Public,
eth1 and eth0 in the drawing) to filter:

    nft add rule ip filter input iif {Uplink,Public} jump public

and define my rules in the public chain:

    nft add rule ip filter public ip daddr 134.56.78.5 udp dport 443 accept

so a packet coming in on Uplink for the wg gets accepted only if the dst ip
matches.

nftables FTW ;-)

That in itself is not very important if you have only one uplink, but if you
have multiple routes (default gateways) you really need the ip behind the
uplinks.

But anyway, tested and confirmed to work now,

Many thanks for the quick reply

On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <ja...@zx2c4.com> wrote:

> Hi Jan,
>
> Thanks for the drawing. So the issue is that you want packets to exit
> through eth1 using the addresses of eth0. I believe applying this
> patch should enable that: http://ix.io/z3d Can you apply that and let
> me know if it works?
>
> I'm curious: do TCP connections generally work correctly with your
> configuration?
>
> Jason
>
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
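The two one-line `nft add rule` commands in Jan's mail, written out as a complete ruleset file (an added example for this thread, not Jan's or the WireGuard project's own configuration). The interface names follow his drawing (eth1 = Uplink, eth0 = Public), and the address 134.56.78.5 and UDP port 443 are the ones his rule uses; the drop policy, loopback accept and conntrack rule are assumptions added to make the file load as a usable input filter.

```nft
# Added example, not from the mailing-list thread.
# Load with: nft -f filter.nft (both interfaces must exist at load time,
# because nftables resolves iif names to interface indexes).
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;   # assumed policy

        ct state established,related accept              # assumed: reply traffic
        iif lo accept                                    # assumed: loopback

        # Both the uplink (eth1) and the public-facing interface (eth0) are
        # filtered by the same chain: WireGuard replies leave via eth1 using
        # eth0's address, so the peer's packets come back in on eth1 but are
        # addressed to eth0's IP.
        iif { eth1, eth0 } jump public
    }

    chain public {
        # Accept the WireGuard UDP port only when the packet is addressed to
        # the intended public IP, whichever of the two interfaces it arrived
        # on. Traffic to any other destination falls through and is dropped
        # by the input chain's policy.
        ip daddr 134.56.78.5 udp dport 443 accept
    }
}
```

The point of keying the accept on `ip daddr` rather than on the ingress interface alone is that the uplink now carries packets for an address that is not its own; matching the destination address keeps that from turning into a blanket accept of UDP/443 on the uplink. `nft list ruleset` after loading shows the resulting chains and confirms the set of interfaces was resolved.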
