Hi all, I am working on a WireGuard network.

I have a setup like this: serverA (10.0.0.0) => serverB (10.0.0.1) => serverC (10.0.0.2)

- serverA connects to serverB with AllowedIPs = 0.0.0.0/0
- serverB connects to serverC with AllowedIPs = 0.0.0.0/0

I cannot access serverC directly from serverA (it does not have a public facing IP), so I go via serverB. I therefore need to set up routing on serverB. If I set my default gateway to serverC:

`route change default 10.0.0.2`

Then I cannot connect from serverA, because packets from serverA are never returned to serverA. So I need to also add a route like this:

`route add serverA_public_ip serverB_local_gateway`

However, this is problematic with IP roaming (in other words, I don't have a good solution to dynamically know serverA's endpoint). A solution would be to run a crontab every few minutes, parse the output of `wg show wg0 endpoints` and programmatically add the route for the current endpoint. This solution feels atrocious though.

The WireGuard website proposes a solution with fwmark: https://www.wireguard.com/netns/#improved-rule-based-routing However, this is Linux based, and I am not sure this is the optimal solution for an OpenBSD system.

So I have a few questions:

- I am currently using /etc/hostname.wg0 and routing table. Should I use wg0-quick instead? Does wg0-quick take care automatically of routing in the case of IP roaming?
- Is the fwmark solution a good solution for OpenBSD as well? If yes, how can I implement it? Should I use routing domains?

Thanks!
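The cron-driven workaround described in the post, written out as an added example (not the poster's code): it parses `wg show wg0 endpoints` output for one peer and derives the host route for that peer's current endpoint, handling a bracketed IPv6 endpoint and a peer with no endpoint yet. The peer key, the gateway address and the sample `wg show` output are constructed placeholders, not values from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Parses `wg show wg0 endpoints`
# output and prints the route(8) command that pins a peer's current endpoint
# to the local gateway, so the default route can point into the tunnel.

# `wg show <if> endpoints` prints one "<peer-pubkey><TAB><ip>:<port>" per line.
# Constructed sample output (placeholder keys, documentation addresses),
# including an IPv6 endpoint and a peer that has not connected yet.
SAMPLE_ENDPOINTS=$(printf 'PEERKEYA_placeholder=\t203.0.113.10:51820\n%s\n%s\n' \
    'PEERKEYB_placeholder=	[2001:db8::1]:51820' \
    'PEERKEYC_placeholder=	(none)')

# endpoint_host KEY TEXT: print the endpoint address (port removed, IPv6
# brackets stripped) of peer KEY; print nothing if the peer has no endpoint.
endpoint_host() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 == k && $2 != "(none)" {
            ep = $2
            if (ep ~ /^\[/) { sub(/^\[/, "", ep); sub(/\]:[0-9]+$/, "", ep) }
            else { sub(/:[0-9]+$/, "", ep) }
            print ep
        }'
}

# route_cmd HOST GW: host route for HOST via GW; a host route is more
# specific than the default route, so return traffic to the peer leaves
# via the real uplink instead of being sent back into the tunnel.
route_cmd() {
    case $1 in
        *:*) printf 'route add -inet6 -host %s %s\n' "$1" "$2" ;;
        *)   printf 'route add -host %s %s\n' "$1" "$2" ;;
    esac
}

# refresh_route KEY GW: the cron job body. Fails (and changes nothing) when
# the peer has no endpoint. For real use replace SAMPLE_ENDPOINTS with
# "$(wg show wg0 endpoints)" and execute the printed command; a stale route
# for the previous endpoint must be deleted separately.
refresh_route() {
    host=$(endpoint_host "$1" "$SAMPLE_ENDPOINTS")
    [ -n "$host" ] || return 1
    route_cmd "$host" "$2"
}
```

Running `refresh_route PEERKEYA_placeholder= 192.0.2.1` prints the `route add` line for 203.0.113.10 rather than executing it, so the output can be reviewed before being wired into cron.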