1

I have multiple wan links on my router and I'd want a wireguard tunnel on each wan interface to the same server.

I started different working tunnels to the server using different destination ports, but of course they're using the default gateway and interface.

How do I force each connection to stick to a different interface?

Metiu
  • 133
  • 2
  • 4

2 Answers

0

I managed to do this with iproute2's netns functionality. Wireguard will send the encrypted packets out of the default route within the namespace it's created in, even if it's later moved to a different namespace. If you have physical interfaces eth1 and eth2, you can move them each to their own namespace, and create one Wireguard tunnel in each namespace. You can then move both tunnels to namespace 1, and manage them as usual, including using ip route to route traffic through those tunnels.

$ ip netns add wan1
$ ip netns add wan2
# Warning: if you're plugging these commands into SSH, there's a good chance
# this will break your SSH connection. Proceed with caution.
$ ip link set eth1 netns wan1
$ ip link set eth2 netns wan2
# Create each WireGuard interface inside its WAN namespace (note "link add";
# "ip -n wan1 add wg1" is not a valid ip(8) command)
$ ip -n wan1 link add wg1 type wireguard
$ ip -n wan2 link add wg2 type wireguard
# Hand both tunnels back to the init namespace (netns of PID 1) for management
$ ip -n wan1 link set wg1 netns 1
$ ip -n wan2 link set wg2 netns 1

I suspect your eth1 and eth2 will be "stuck" in their own namespaces as a result of this setup. You may have luck setting up a bridge instead of moving the interfaces wholesale, if that's a problem.

skeggse
  • 131
  • 3

-1
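The namespace recipe above leaves out two steps a practitioner hits immediately: once eth1 is moved into wan1 it has no address and no default route, so the WireGuard socket created there has nothing to send through, and wg(8) cannot configure the tunnel until it is back in the init namespace. The script below is an added example (not the answerer's code) that wraps the whole procedure per WAN. All values are constructed placeholders: eth1/eth2 as the WAN NICs, 203.0.113.2/24 and 198.51.100.2/24 with gateways .1, a server at 192.0.2.10 listening on UDP 51821 and 51822, key files under /etc/wireguard/, and a SERVER_PUBKEY placeholder. DRY_RUN=1 (the default) prints the commands instead of executing them, so the plan can be reviewed on a non-root host before it is applied with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example, not from the original answer. One WireGuard tunnel per WAN
# namespace; each tunnel is created in its WAN namespace (so its UDP socket
# uses that namespace's default route) and then moved to the init namespace.
DRY_RUN="${DRY_RUN:-1}"
SERVER=192.0.2.10                      # constructed server address
SERVER_PUBKEY="<server-public-key>"    # placeholder, replace with the real key

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_wan NS IFACE ADDR/PREFIX GATEWAY WGIF ENDPOINT_PORT
# 1. move IFACE into namespace NS (addresses and routes are lost on the move,
#    so they are re-added inside NS and the link is brought up again);
# 2. create WGIF inside NS, binding its transit socket to NS's routing table;
# 3. move WGIF to the init namespace (netns of PID 1) and configure it there,
#    because wg(8) only sees interfaces in its own namespace.
setup_wan() {
    ns=$1; iface=$2; addr=$3; gw=$4; wg=$5; port=$6
    run ip netns add "$ns"
    run ip link set "$iface" netns "$ns"
    run ip -n "$ns" addr add "$addr" dev "$iface"
    run ip -n "$ns" link set "$iface" up
    run ip -n "$ns" route add default via "$gw" dev "$iface"
    run ip -n "$ns" link add "$wg" type wireguard
    run ip -n "$ns" link set "$wg" netns 1
    # allowed-ips 0.0.0.0/0 only tells WireGuard which peer may use the tunnel;
    # which traffic actually enters wg1 vs wg2 is decided by ip route in netns 1.
    run wg set "$wg" private-key "/etc/wireguard/$ns.key" \
        peer "$SERVER_PUBKEY" endpoint "$SERVER:$port" allowed-ips 0.0.0.0/0
    run ip link set "$wg" up
}

# Count the commands a plan would issue, useful for a quick sanity check.
plan_size() {
    setup_wan "$@" | wc -l | tr -d ' '
}

setup_wan wan1 eth1 203.0.113.2/24 203.0.113.1 wg1 51821
setup_wan wan2 eth2 198.51.100.2/24 198.51.100.1 wg2 51822
```

Run it once with the default DRY_RUN=1 and read the nine commands per WAN; the same warning from the answer applies when you switch to DRY_RUN=0 over SSH, since the management session usually rides on one of the interfaces being moved.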

You can add routing rules based on destination port -- if the (remote) endpoint port of the first WireGuard tunnel was 51821, and the second was 51822, you could add the following routing rules to use routing table 1 for the first, and routing table 2 for the second:

# Ports match the endpoint ports named above (51821/51822); ipproto udp keeps
# the rule from also catching unrelated TCP traffic to the same port numbers
ip rule add ipproto udp dport 51821 table 1 priority 101
ip rule add ipproto udp dport 51822 table 2 priority 102

Then if your WAN interfaces are eth1 and eth2 (and WAN gateway is for example 203.0.113.1), you could set the default route of table 1 to use the first interface, and table 2 to use the second interface:

ip route add default via 203.0.113.1 dev eth1 table 1
ip route add default via 203.0.113.1 dev eth2 table 2

Alternatively, you could add routing rules based on firewall mark, which you may (or may not) find more maintainable than using destination port. If you configured one (local) WireGuard interface with say FwMark = 11 and the second with FwMark = 22, you could use these routing rules instead:

ip rule add fwmark 11 table 1 priority 101
ip rule add fwmark 22 table 2 priority 102

Justin Ludwig
  • 1,276
  • 9
  • 9
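The firewall-mark variant above is the one that survives a server-side port change, and it pairs naturally with a wg-quick(8) config that sets FwMark and Table = off (so wg-quick does not install its own default-route override on top of your tables). The script below is an added example, not the answerer's code, that renders such a config for each tunnel and emits the matching rule, route and a verification command. Values are constructed: eth1/eth2 with gateways 203.0.113.1 and 198.51.100.1, a server at 192.0.2.10 on UDP 51821/51822, marks 11 and 22 mapped to tables 1 and 2, and placeholder keys. DRY_RUN=1 (the default) prints the ip commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the original answer. Policy routing by firewall
# mark: each WireGuard interface stamps its encrypted UDP with its own FwMark,
# a rule sends marked packets to a per-WAN table, and each table's default
# route leaves via one WAN interface.
DRY_RUN="${DRY_RUN:-1}"
SERVER=192.0.2.10     # constructed server address

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# wg_conf NAME MARK PORT: print a wg-quick(8) config for one tunnel.
# Table = off stops wg-quick from adding routes and its own fwmark rules;
# routing through the tunnel is then done explicitly with ip route/rule.
wg_conf() {
    name=$1; mark=$2; port=$3
    cat <<EOF
# /etc/wireguard/$name.conf (constructed placeholder keys and addresses)
[Interface]
PrivateKey = <$name-private-key>
Address = 10.0.$mark.2/24
FwMark = $mark
Table = off

[Peer]
PublicKey = <server-public-key>
Endpoint = $SERVER:$port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# policy_route MARK TABLE PRIO IFACE GATEWAY
# Marked packets consult TABLE before the main table (PRIO < 32766) and leave
# via IFACE. The final "ip route get ... mark" asks the kernel which path a
# marked packet to the server really takes, which is the check to run after
# applying the rules on both WANs.
policy_route() {
    mark=$1; table=$2; prio=$3; iface=$4; gw=$5
    run ip rule add fwmark "$mark" table "$table" priority "$prio"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip route get "$SERVER" mark "$mark"
}

wg_conf wg1 11 51821
wg_conf wg2 22 51822
policy_route 11 1 101 eth1 203.0.113.1
policy_route 22 2 102 eth2 198.51.100.1
```

After `wg-quick up wg1` and `wg-quick up wg2`, the two `ip route get 192.0.2.10 mark N` lines should name eth1 and eth2 respectively; if both report the same device, the rule priority is not winning over the main table and `ip rule show` is the next thing to read.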