Yes, I can mark the WireGuard packet by allowedips, but I cannot attach it to the associated peer. In my configuration, an IP from WireGuard (allowedip) can come from different peers (because I'm using different masks for allowedips and multiple tunnels). My issue is that a packet can be used by a peer and come back by another one (the packet is routed by allowed-ips, not by its peer entry).

Example: On server side S1
  Peer A (client peer): allowedips 192.168.1.0/24
  Peer B (another "wireguard server" S2): allowedIps 192.168.1.100/32
On client side, allowedIp is set on s2 and if s2 is down, set to s1
  peer s1 ==> server S1
  peer s2 ==> server S2 ==> server S1
Of course it does not work, packet routing does not work:
  client ==> S2 ==> S1 (peer A) ==> then response routed to peer (B)

Regards,
Nicolas

On Wed, 27 May 2020 at 13:46, Arti Zirk <arti.z...@gmail.com> wrote:
>
> On Wed, 2020-05-27 at 11:01 +0200, nicolas prochazka wrote:
> > How can I know that a packet comes from peer X?
> You can check which peer's allowed ips list covers the received packet's
> source ip
>
> > Is it possible to mark packets not at interface level (wg0) but at peer
> > level?
> It's probably possible to generate iptables rules from the peer allowed ips
> list that mark packets with different ids
>
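As an added illustration (not code from this thread or from WireGuard), the Python below replays the cryptokey-routing lookup over the two peers from the example above, fed in the shape `wg show wg0 allowed-ips` prints, and generates the per-peer iptables mark rules Arti suggested; the peer keys are placeholders, and it shows why the rules must be ordered longest-prefix first.

```python
import ipaddress

# Constructed sample in the format of `wg show wg0 allowed-ips`:
# "<public key>\t<allowed-ip> <allowed-ip> ...". Keys are placeholders.
WG_ALLOWED_IPS = """\
PEER_A_KEY_PLACEHOLDER=\t192.168.1.0/24
PEER_B_KEY_PLACEHOLDER=\t192.168.1.100/32
"""


def parse_allowed_ips(text):
    """Return a list of (peer_key, network) pairs, one per allowed-ip entry."""
    table = []
    for line in text.splitlines():
        key, _, cidrs = line.partition("\t")
        if not key or cidrs.strip() == "(none)":
            continue
        for cidr in cidrs.split():
            table.append((key, ipaddress.ip_network(cidr, strict=False)))
    return table


def lookup(table, address):
    """Cryptokey routing: the peer whose longest allowed-ip prefix covers
    `address`, or None. The same lookup accepts an inbound packet's source
    and selects an outbound packet's destination peer; the peer a packet
    arrived through plays no part in where the reply goes."""
    addr = ipaddress.ip_address(address)
    best = None
    for key, net in table:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (key, net)
    return best[0] if best else None


def mark_rules(table, iface="wg0"):
    """iptables mangle rules marking inbound packets with a per-peer id
    (mark 1 for the first peer seen, 2 for the second, ...)."""
    marks = {}
    for key, _ in table:
        marks.setdefault(key, len(marks) + 1)
    rules = []
    # iptables is first-match while WireGuard is longest-match, so emit the
    # most specific prefixes first; otherwise 192.168.1.100 would get peer A's mark.
    for key, net in sorted(table, key=lambda kv: kv[1].prefixlen, reverse=True):
        rules.append(f"iptables -t mangle -A PREROUTING -i {iface} -s {net} "
                     f"-j MARK --set-mark {marks[key]}")
    return rules
```

Running `lookup` on 192.168.1.100 returns peer B whichever peer the original packet came through, which is the behaviour described in the mail.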