
I have a wg-quick WireGuard VPN on my Linux box. It uses the FwMark routing technique, and therefore by default all packets get sent over the WireGuard interface. It also acts as the default gateway for my local network, and therefore forwards all network packets over the VPN as well.

I also use nftables for my firewall.

I am trying to bypass the wireguard interface for a specific user "no_vpn" (uid 1003).

I have tried a few approaches but none have worked completely.

Leverage WireGuard's fwmark

I figured that since WireGuard uses a fwmark to route the packets, packets with the fwmark get routed down the default interface, e.g. eth0.

So I tried to add the fwmark to all packets originating from user "no_vpn". I attempted this by adding an nftables chain as such:

table inet split_tunnel {
    # wrapper table (name assumed) so the chain loads as a complete ruleset with nft -f
    chain outbound_mangle {
        # route-type output chain on the mangle priority: mark packets owned by uid 1003
        type route hook output priority mangle; policy accept;
        meta skuid 1003 meta mark set 0x76BA
    }
}

However, this didn't quite have the effect I desired. The mark did not seem to be added before the packet was routed to an interface. When I added logs to the rule, the output interface was already set to "wg0" before the mark was added.

Custom routing rule

My second attempt was to add a routing rule with a higher priority than the wireguard rules.

The rule was as follows: ip rule add uidrange 1003-1003 lookup main

This seemed to have more luck: when I looked at the packets, the outbound packets were routed through eth0; however, no response packets were received. My nftables allows established & related packets on all interfaces.

Network namespace

I set up a network namespace with a macvlan interface linked to eth0 in bridge mode. This works to bypass the VPN when commands are executed within it. However, macvlan cannot reach the host namespace, and my local DNS server is located there. So I cannot resolve DNS.

What is the best approach for bypassing/split tunnelling a wireguard VPN?
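As an added example (not code from the post), a shell helper that sets up the uid-based split tunnel described above in both forms the post tries, the fwmark route chain and the uidrange policy rule, and checks the outcome with the kernel's own route lookup. It assumes the post's wg0/eth0, uid 1003 and FwMark 0x76ba, a constructed rule pref of 100, and iproute2 with uidrange and `ip route get ... uid` support.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes: wg-quick interface
# wg0 with FwMark 0x76ba, physical uplink eth0, bypass user uid 1003, and
# iproute2 with uidrange / "ip route get ... uid" support. pref 100 is a
# constructed choice so the rule sorts ahead of wg-quick's own rules.
set -eu
NOVPN_UID="${NOVPN_UID:-1003}"
WG_FWMARK="${WG_FWMARK:-0x76ba}"
UPLINK="${UPLINK:-eth0}"
RULE_PREF="${RULE_PREF:-100}"

# nftables form: a route-type output chain marks the user's packets; nft(8)
# documents that a route chain re-runs the route lookup when the mark changes,
# and wg-quick's "not fwmark" policy rule keeps marked packets out of its table.
split_tunnel_ruleset() {
    cat <<EOF
table inet split_tunnel {
    chain outbound_mangle {
        type route hook output priority mangle; policy accept;
        meta skuid $NOVPN_UID meta mark set $WG_FWMARK
    }
}
EOF
}

# Policy-routing form: match on uid and look up main, which still holds the
# default route via the uplink (wg-quick puts its default route in its own table).
uid_rule_args() {
    printf 'uidrange %s-%s lookup main pref %s' "$NOVPN_UID" "$NOVPN_UID" "$RULE_PREF"
}

apply_split_tunnel() {            # requires root
    split_tunnel_ruleset | nft -f -
    ip rule del $(uid_rule_args) 2>/dev/null || true   # keeps it re-runnable
    ip rule add $(uid_rule_args)
}

# Ask the kernel which device it would pick for the uid / the mark; both
# should name the uplink rather than wg0. Probe is a TEST-NET-1 placeholder.
verify_split_tunnel() {
    probe="${1:-192.0.2.1}"
    ip route get "$probe" uid "$NOVPN_UID" | grep -q "dev $UPLINK" &&
        ip route get "$probe" mark "$WG_FWMARK" | grep -q "dev $UPLINK"
}

case "${1:-}" in
    apply)  apply_split_tunnel ;;
    verify) verify_split_tunnel "${2:-}" ;;
esac
```

Run `sh split.sh apply` as root, then `sh split.sh verify` to confirm both lookups resolve to the uplink.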
