Key words from that link emphasized:

> Cryptokey Routing, which works by associating public keys with a list of tunnel IP addresses that are allowed inside the tunnel.

> In the server configuration, when the network interface wants to send a packet to a peer (a client), it looks at that packet's destination IP and compares it to each peer's list of allowed IPs to see which peer to send it to.

> the list of allowed IPs behaves as a sort of routing table

> This is what we call a Cryptokey Routing Table

You can just set your peers on separate wg interfaces. At least on Linux and BSD, you have tables to control routing before packets reach the interface. So you can have two wg interfaces, each with a single but distinct peer, both with CIDR 0.0.0.0/0 (or what have you), and use ip-route/nftables as usual to pick the appropriate outgoing interface.

It makes sense if you think of each wg interface as a NIC connected to an L3 switch, and each peer as a host connected to another port on the same switch. AllowedIPs would correspond to the table+ACL in the switch.

But yeah, me saying it "does no routing" was not really correct. But that routing happens after that of the (rest of the) Linux kernel, not overlapping with, replacing, or conflicting with it.

While this understanding does come from a decent amount of experience, in case I'm wildly misrepresenting things, do set it straight.
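As an added illustration (not part of the comment above, and a simplified model rather than WireGuard's own code), the following Python models the two-stage decision the comment describes: the kernel routing table picks the egress interface first, then that interface's Cryptokey Routing Table picks the peer by longest-prefix match on AllowedIPs and, on receive, acts as the ACL that drops a decrypted packet whose inner source address is outside the sending peer's AllowedIPs. Linux policy routing (`ip rule`, fwmarks) is collapsed into a single table here; all interface names, peer labels standing in for public keys, and addresses are constructed for the example.

```python
"""Toy model of WireGuard's two-stage forwarding decision (added example).

Stage 1: the kernel FIB picks an *interface* for the destination (ip route / ip rule).
Stage 2: inside that wg interface, Cryptokey Routing picks the *peer* whose
AllowedIPs contains the destination (longest prefix wins). On receive the same
table acts as an ACL: a decrypted packet whose inner source address is not in
the sending peer's AllowedIPs is dropped.
All names, "keys" and addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    pubkey: str        # placeholder label standing in for a real public key
    allowed_ips: list  # AllowedIPs as ip_network objects


@dataclass
class WgInterface:
    name: str
    peers: list

    def select_peer(self, dst):
        """Egress cryptokey routing: longest-prefix match of dst over all peers' AllowedIPs."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best.pubkey if best else None

    def accept_from(self, pubkey, inner_src):
        """Ingress check: the inner source must fall inside the sender's AllowedIPs."""
        addr = ipaddress.ip_address(inner_src)
        peer = next((p for p in self.peers if p.pubkey == pubkey), None)
        return peer is not None and any(addr in net for net in peer.allowed_ips)


def kernel_route(fib, dst):
    """Stand-in for the kernel routing table: longest-prefix match picks the egress interface."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for net, iface in fib:
        if addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Two wg interfaces, each with one peer that claims 0.0.0.0/0: the kernel FIB,
# not AllowedIPs, decides which tunnel a packet enters.
WG0 = WgInterface("wg0", [Peer("peerA", nets("0.0.0.0/0"))])
WG1 = WgInterface("wg1", [Peer("peerB", nets("0.0.0.0/0"))])
# One wg interface with two peers whose AllowedIPs nest: the longest prefix wins.
WG2 = WgInterface("wg2", [Peer("peerC", nets("10.10.0.0/16")),
                          Peer("peerD", nets("10.10.5.0/24"))])

INTERFACES = {i.name: i for i in (WG0, WG1, WG2)}

# Constructed FIB, roughly as `ip route` would list it (eth0 is the plain NIC).
FIB = [
    (ipaddress.ip_network("10.0.0.0/8"), "wg0"),
    (ipaddress.ip_network("172.16.0.0/12"), "wg1"),
    (ipaddress.ip_network("10.10.0.0/16"), "wg2"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]


def send(dst):
    """Return (egress interface, selected peer or None) for a locally generated packet."""
    iface = kernel_route(FIB, dst)
    wg = INTERFACES.get(iface)
    return iface, (wg.select_peer(dst) if wg else None)


if __name__ == "__main__":
    for d in ("10.1.2.3", "172.20.0.1", "10.10.5.9", "10.10.1.1", "8.8.8.8"):
        print(d, "->", send(d))
    print("wg2 accepts 10.10.5.9 from peerD:", WG2.accept_from("peerD", "10.10.5.9"))
    print("wg2 accepts 10.10.1.1 from peerD:", WG2.accept_from("peerD", "10.10.1.1"))
```

The two 0.0.0.0/0 peers never conflict because they live on different interfaces and the FIB has already chosen between wg0 and wg1 before either Cryptokey Routing Table is consulted; the `accept_from` check is the part of AllowedIPs that behaves like the switch ACL in the comment's analogy.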