Seeing the latest & greatest, this patch will not apply cleanly, so I don't
know ... is this train of thought going to be kept for later releases?

On Thu, Aug 10, 2017 at 10:50 PM Jan De Landtsheer <> wrote:

> TCP connections work all right, as they’re established sockets, where the
> kernel does the routing… I assumed you would search for the route yourself
> ;-)
> rcu_dereference_bh(rt->>ip_ptr) indeed does, as the packet
> effectively comes in through the uplink.
> In the firewall config I need to specify both interfaces (Uplink and
> Public (eth1 and eth0 in the drawing) to filter
> nft add rule ip filter input iif {Uplink,Public} jump public and define
> my rules in the public chain
> nft add rule ip filter public ip daddr udp dport 443 accept
> so a packet coming in on Uplink for the wg gets accepted only if the dst ip
> matches.
> nftables FTW ;-)
> That in se is not very important if you have only one uplink, but if you
> have multiple routes (default gw’s) you really need the ip behind the
> uplinks.
> But anyway, tested and confirmed to work now,
> Many thanks for the quick reply
> On Thu, Aug 10, 2017 at 9:46 PM Jason A. Donenfeld <>
> wrote:
>> Hi Jan,
>> Thanks for the drawing. So the issue is that you want packets to exit
>> through eth1 using the addresses of eth0. I believe applying this
>> patch should enable that: Can you apply that and let
>> me know if it works?
>> I'm curious: do TCP connections generally work correctly with your
>> configuration?
>> Jason
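The two-interface filtering that Jan describes above, written out as a complete nftables ruleset. This is an added illustration, not a ruleset from the thread; it assumes the interface names Uplink (eth1) and Public (eth0) from the drawing, and 192.0.2.10 is a placeholder for the address behind the Public interface that the WireGuard listener should answer on.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread.
# Placeholder values: replace wg_addr with the real address on the Public interface.
define wg_addr = 192.0.2.10
define wg_port = 443

flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Packets for the public address may arrive on either interface
        # (the uplink carries them when routing goes through eth1), so
        # both are handed to the same chain and filtered on destination.
        iif { "Uplink", "Public" } jump public
    }

    chain public {
        # Only the WireGuard listener on our own public address is accepted;
        # UDP to port 443 with any other destination falls to the drop policy.
        ip daddr $wg_addr udp dport $wg_port accept
    }
}
```

Load it with `nft -f` and check the counters with `nft list ruleset` after a handshake to confirm the accept rule is the one matching.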
WireGuard mailing list