On Fri, 15 Oct 2021 at 12:14, Toke Høiland-Jørgensen <[email protected]> wrote:
> > 2) Is there any way to force the source ip of the connection from boxA
> > to always use address boxA1 ?
>
> In theory this should be possible to enforce via policy routing. Just
> tried this on a simple veth setup:
>
> # ip a add 10.11.1.1/24 dev veth0
> # ip a add 10.11.2.1/24 dev veth0
> # ping 10.11.1.2 -c 1
> 12:09:22.385888 IP 10.11.1.1 > 10.11.1.2: ICMP echo request, id 15, seq 1, length 64
> 12:09:22.385903 IP 10.11.1.2 > 10.11.1.1: ICMP echo reply, id 15, seq 1, length 64
>
> # ip r add 10.11.1.2 src 10.11.2.1 dev veth0
> # ping 10.11.1.2 -c 1
> 12:09:53.251386 IP 10.11.2.1 > 10.11.1.2: ICMP echo request, id 16, seq 1, length 64
> 12:09:53.251403 IP 10.11.1.2 > 10.11.2.1: ICMP echo reply, id 16, seq 1, length 64
>
> I think this ought to work for wireguard's source selection as well. If
> you don't have a particular destination, you should be able to do
> something similar based on sports with ip-rule using the wireguard
> source port:
>
> # ip rule add sport 1234 lookup 100
> # ip route add table 100 default via 1.2.3.4 src 3.4.5.6
>
> That last bit I didn't test, though...

Will have to test this later. If this works, this suggestion would be a great enhancement to wireguard-tools?
