Hey Konstantin,

When you're doing policy routing with packets that are being forwarded by the system -- a router, for example -- then the prerouting table is sufficient. But for locally generated packets, you have to use the OUTPUT table and also probably MASQUERADE. I just reproduced everything here and confirm this works:

    ip route add default dev wg0 table 2468
    ip rule add fwmark 1234 table 2468
    wg set wg0 peer [...] allowed-ips 0.0.0.0/0
    sysctl net.ipv4.conf.wg0.rp_filter=0
    iptables -t nat -A POSTROUTING -p tcp --dport 22 -m addrtype --src-type LOCAL -j MASQUERADE
    iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1234

That works pretty well for me. If you don't want to disable rp_filter, you can do a little dance of setting and restoring the connmark in egress and ingress so that incoming packets are matched against that routing table too.

Alternatively, if your goal is actually to just send certain processes through the tunnel, you have three more options:

- Network namespaces, and then `ip netns exec chicken ssh 1.2.3.4 ...`
- VRFs, and then `ip vrf exec chicken ssh 1.2.3.4 ...`
- Cgroups and net_cls.

All three work well and are differently convenient depending on your needs. I wrote up the netns stuff on wireguard.com/netns/ but haven't gotten around to documenting VRFs and cgroups with wireguard, but they in fact should work the same as for every other situation that uses those, so any old tutorial will do.

Jason

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
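The setup Jason lists above, as an added script that is not part of the message: it applies the same route, rule, sysctl and iptables entries in an idempotent way (the `-C` existence checks and `ip route replace` are my additions), and then verifies each piece by parsing the kernel's own listings, which is the check you want before trusting that port-22 traffic really leaves via the tunnel. Interface, table, mark and port default to the message's values (wg0, 2468, 1234, 22).

```shell
#!/bin/sh
# Added example, not from the message: apply the fwmark policy-routing setup
# for locally generated tcp/22 traffic and verify it from the kernel's own
# listings. wg0 / table 2468 / mark 1234 / port 22 are the message's values;
# the idempotency checks (-C, 'route replace') are assumptions of this script.
WG_IF=${WG_IF:-wg0}; TABLE=${TABLE:-2468}; MARK=${MARK:-1234}; DPORT=${DPORT:-22}
MARK_HEX=$(printf '0x%x' "$MARK")   # 'ip rule' and 'iptables -S' print marks in hex

# Parse-only checks: each reads one listing from stdin and returns 0 when the
# expected entry is present, so they work on live output or on a saved copy.
check_rule()  { grep -Eq "fwmark ($MARK|$MARK_HEX) lookup $TABLE( |\$)"; }   # ip rule show
check_route() { grep -Eq "^default dev $WG_IF( |\$)"; }                       # ip route show table N
check_mark()  { grep -Eq -- "^-A OUTPUT .*--dport $DPORT .*-j MARK --set-xmark $MARK_HEX/"; }    # iptables -t mangle -S
check_nat()   { grep -Eq -- "^-A POSTROUTING .*--dport $DPORT .*--src-type LOCAL -j MASQUERADE"; } # iptables -t nat -S

apply() {   # needs root
    ip route replace default dev "$WG_IF" table "$TABLE"
    # 'ip rule add' happily adds duplicates, so test before adding
    ip rule show | check_rule || ip rule add fwmark "$MARK" table "$TABLE"
    sysctl -q -w "net.ipv4.conf.$WG_IF.rp_filter=0"
    # iptables -C returns 0 when the rule already exists; only then skip -A
    iptables -t nat -C POSTROUTING -p tcp --dport "$DPORT" -m addrtype --src-type LOCAL -j MASQUERADE 2>/dev/null ||
    iptables -t nat -A POSTROUTING -p tcp --dport "$DPORT" -m addrtype --src-type LOCAL -j MASQUERADE
    iptables -t mangle -C OUTPUT -p tcp --dport "$DPORT" -j MARK --set-mark "$MARK" 2>/dev/null ||
    iptables -t mangle -A OUTPUT -p tcp --dport "$DPORT" -j MARK --set-mark "$MARK"
}

verify() {   # returns non-zero and names the first missing piece
    ip rule show | check_rule                  || { echo "missing: rule fwmark $MARK -> table $TABLE"; return 1; }
    ip route show table "$TABLE" | check_route || { echo "missing: default route via $WG_IF in table $TABLE"; return 1; }
    iptables -t mangle -S OUTPUT | check_mark  || { echo "missing: mangle OUTPUT MARK rule"; return 1; }
    iptables -t nat -S POSTROUTING | check_nat || { echo "missing: nat POSTROUTING MASQUERADE rule"; return 1; }
    [ "$(sysctl -n "net.ipv4.conf.$WG_IF.rp_filter")" = 0 ] || { echo "rp_filter still enabled on $WG_IF"; return 1; }
    echo "tcp/$DPORT from this host is policy-routed via $WG_IF"
}

case "${1:-}" in
    apply)  apply && verify ;;
    verify) verify ;;
esac
```

Run `./wg-policy.sh apply` once as root and `./wg-policy.sh verify` afterwards; the check functions can also be pointed at a saved listing, e.g. `ip rule show > rules.txt; check_rule < rules.txt`.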
