You assign a firewall mark to each WireGuard interface to route via a dedicated routing table using ip rule. wg-quick uses this feature, for example, when you redirect 0.0.0.0 via a VPN interface:

$ wg-quick up mullvad
[#] ip link add mullvad type wireguard
[#] wg setconf mullvad /dev/fd/63
[#] ip address add 10.99.1.142/32 dev mullvad
[#] ip address add fc00:bbbb:bbbb:bb01::18e/128 dev mullvad
[#] ip link set mtu 1420 dev mullvad
[#] ip link set mullvad up
[#] wg set mullvad fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0

On 2017-09-20 04:12, Florian Werner wrote:
> Hi Jason,
>
> does Wireguard support to bind to a specific interface?
>
> For e.g. gre interface it is possible with
>   ip tunnel add name gre0 mode gre remote 1.2.3.4 dev eth0
> to bind the gre0 interface to eth0.
>
> Quoting ip-tunnel(8):
>   dev NAME
>     bind the tunnel to the device NAME so that tunneled
>     packets will only be routed via this device and will
>     not be able to escape to another device when the route
>     to endpoint changes.
>
> But I don't think ip link supports this.
> The question is, why are there 2 commands to create new
> interfaces (ip link add, ip tunnel add)...
>
> With binding support one can simply bind to a vrf master
> interface and all outer-traffic is sent to the associated
> routing table. Using vrf instead of network namespace has
> the advantage of allowing daemons to operate in multiple
> vrf (e.g. routing daemons), where network namespace are
> more separated but also don't allow much communication.
>
> Florian
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
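
An added example, not part of the original thread and not wg-quick's own code: a small Python model of how the kernel walks the ip rules from the wg-quick output above, showing why WireGuard's own fwmark-tagged packets leave via the main table while unmarked traffic enters the tunnel. The main-table routes, the eth0 device name and the destination addresses are constructed assumptions.

```python
import ipaddress

FWMARK = 51820  # mark set by "wg set mullvad fwmark 51820" in the output above

# Constructed routing tables as (prefix, device).
# Only the table-51820 default route comes from the wg-quick output.
TABLES = {
    "main": [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0")],
    "51820": [("0.0.0.0/0", "mullvad")],
}

# Rules in evaluation order (lowest priority number first). An "ip rule add"
# without a priority is placed ahead of the earlier ones, so the suppress
# rule that wg-quick adds last is consulted first.
RULES = [
    {"table": "main", "suppress_prefixlength": 0},
    {"table": "51820", "not_fwmark": FWMARK},
    {"table": "main"},
]

def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, dev) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, dev)
            for p, dev in TABLES[table] if addr in ipaddress.ip_network(p)]
    return max(hits) if hits else None

def route(dst, fwmark=0):
    """Return the egress device for a packet to dst carrying fwmark."""
    for rule in RULES:
        if "not_fwmark" in rule and fwmark == rule["not_fwmark"]:
            continue  # "not fwmark 51820": marked packets skip this rule
        hit = lookup(rule["table"], dst)
        if hit is None:
            continue
        plen, dev = hit
        if "suppress_prefixlength" in rule and plen <= rule["suppress_prefixlength"]:
            continue  # drop the default route, keep more specific matches
        return dev
    return None

if __name__ == "__main__":
    print(route("203.0.113.7"))                 # ordinary traffic
    print(route("203.0.113.7", fwmark=FWMARK))  # WireGuard's encrypted UDP
    print(route("192.168.1.10"))                # LAN destination
```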