Egress NAT IP per user

Is there a way to NAT traffic leaving the WireGuard interface (egress) per user VPN IP?

eg:- → → →

Not at the moment, but it’s in our backlog. We are planning to have per user/device to destination IP rules (vs. source IP).

You can keep an eye on progress here: Enforce per-user|device rules · Issue #423 · firezone/firezone · GitHub.


@jason I think @remy is referring to customizing the masquerade address, or effectively adding nftables rules to decide which interface the packets leave the tunnel on. Is that accurate @remy?

If so, I’m assuming these interfaces already exist with IPs assigned?

@jamil, yes, that's correct. It is kind of NATing the VPN IP: the default configuration is to NAT all VPN IPs to one NAT IP, but I need NATing per VPN IP.


I see, so you want to set up custom routes. Hmm, we don’t support this now, but will keep it in mind for a future release.

In the meantime, if you’re familiar with nftables, you could add a table of your own that takes priority over the firezone table with rules to NAT specific VPN IPs.
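A sketch of the separate-table workaround suggested above, added here as an example; it is not part of the thread and not Firezone's own ruleset. The table name, the interface name `eth0`, every address, and the assumption that Firezone's masquerade chain sits at the standard srcnat priority (100) are all constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example. All names and addresses below are constructed placeholders.

# Declare-then-delete so reloading this file replaces only this table
# and never touches the table Firezone manages.
table ip egress_nat
delete table ip egress_nat

table ip egress_nat {
    # VPN client IP -> egress (source NAT) IP.
    # Each egress IP must already be assigned to the host or routed to it.
    map vpn_to_egress {
        type ipv4_addr : ipv4_addr
        elements = {
            10.3.2.2 : 203.0.113.10,
            10.3.2.3 : 203.0.113.11
        }
    }

    chain postrouting {
        # A lower priority number is evaluated earlier. 90 assumes the
        # Firezone masquerade chain uses the standard srcnat priority (100);
        # confirm the real value with `nft list ruleset`.
        type nat hook postrouting priority 90; policy accept;

        # The first NAT chain that sets a mapping for a connection wins,
        # so later masquerade rules no longer apply to these flows.
        # Source IPs missing from the map do not match this rule and
        # fall through to the default masquerade behaviour.
        oifname "eth0" snat to ip saddr map @vpn_to_egress
    }
}
```

Validate the file with `nft -c -f <file>` before loading it with `nft -f <file>`. NAT is decided on the first packet of a connection, so flows that are already established keep their old mapping until their conntrack entries expire.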