I want to have the following setup. There are two interfaces: wlan0 and wg0. wlan0 is the default, wg0 is a wireguard interface, configured manually.
By default, traffic goes to wlan0. But if a process is put inside a cgroup, say wgcgrp (classid is 1), its traffic must go over wg0.
I have absolutely no idea how to do this. What I attempted is this. I will be very verbose, because I am very frustrated.
[Wireguard Setup]
This is fairly simple, first ip l a wg0 name wg0 type wireguard. Then, I have a w.conf file, which contains data fed to wg setconf wg0. It sets private key, public key, allowed IPs (0.0.0.0/0, ::0/0) and the endpoint. Nothing more. Then I also set the IP address of the wg0 interface, which I know beforehand: ip ad a $ip dev wg0; ip -6 ad a $ip6 dev wg0. Now I add the route: ip l s wg0 up; ip r a default dev wg0 t wg
[Firewall]
So far as I understand, I must somehow make the cgroup traffic reach the wg routing table. I know how to do this: I must mark the cgroup traffic inside a chain of type route and then masquerade it. Here are the rules.
table inet t {
    chain post {
        type route hook output priority mangle; policy accept
        meta cgroup 1 counter meta mark set meta cgroup
    }
    chain masq {
        type nat hook postrouting priority srcnat; policy accept
        meta cgroup 1 oifname "wg0" counter masquerade
    }
}
There are no more rules in my firewall.
[Routes setup]
Marked traffic must get into the wg table, so I run ip ru a fwmark 1 lookup wg
[Result]
cgexec -g net_cls:wg ping 8.8.8.8
and I get nothing. Why??? I do not even know how to start debugging. This should be simple, yet I am not even close.
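A diagnostic added here as an example, not from the question: it follows the chain the setup relies on (cgroup match and mark in the output hook, fwmark rule, default route in the per-mark table, masquerade counter) over constructed copies of `nft list ruleset`, `ip rule show` and `ip route show table wg` output, and names the first link that is missing. The function names and the sample text are assumptions; paste the real command output in place of the constants to use it on a live box.

```python
import re
# Constructed sample text shaped like `nft list ruleset`, `ip rule show` and
# `ip route show table wg` output; the packet counters are made up.
NFT_RULESET = """\
table inet t {
	chain post {
		type route hook output priority mangle; policy accept;
		meta cgroup 1 counter packets 4 bytes 336 meta mark set meta cgroup
	}
	chain masq {
		type nat hook postrouting priority srcnat; policy accept;
		meta cgroup 1 oifname "wg0" counter packets 0 bytes 0 masquerade
	}
}
"""
IP_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup wg\n"
WG_TABLE = "default dev wg0 scope link\n"

def cgroup_counters(ruleset):
    """Map chain name -> (classid, packets) for each `meta cgroup N ... counter` rule."""
    chain, found = None, {}
    for line in ruleset.splitlines():
        m = re.match(r"\s*chain (\S+) \{", line)
        if m:
            chain = m.group(1)
        m = re.search(r"meta cgroup (\d+).*?counter packets (\d+)", line)
        if m and chain:
            found[chain] = (int(m.group(1)), int(m.group(2)))
    return found

def fwmark_table(rules, mark):
    """Routing table an `ip rule` selects for packets carrying fwmark `mark`, else None."""
    for line in rules.splitlines():
        m = re.search(r"fwmark (0x[0-9a-fA-F]+|\d+) lookup (\S+)", line)
        if m and int(m.group(1), 0) == mark:
            return m.group(2)

def diagnose(ruleset, rules, table_routes, classid=1, dev="wg0"):
    """Walk mark -> rule -> route and report the first link that is broken."""
    counters = cgroup_counters(ruleset)
    out = counters.get("post")
    if out is None or out[0] != classid:
        return "no output-hook rule matches cgroup classid %d" % classid
    if out[1] == 0:
        return "output rule never matched: no packets came from classid %d" % classid
    table = fwmark_table(rules, classid)  # mark == classid (meta mark set meta cgroup)
    if table is None:
        return "no ip rule sends fwmark %d to a routing table" % classid
    if not re.search(r"^default dev %s\b" % re.escape(dev), table_routes, re.M):
        return "table %s has no default route over %s" % (table, dev)
    if counters.get("masq", (0, 1))[1] == 0:
        return "marked packets never left via %s: route lookup did not use table %s" % (dev, table)
    return "ok"
```

The two `counter` statements already in the ruleset are the cheapest place to start: a zero on the output-hook rule means the cgroup match never fired, a zero on the masquerade rule means the packets were marked but did not leave through wg0.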