Is there a way to NAT traffic leaving the WireGuard interface (egress) per user VPN IP?
e.g.:
10.3.2.2 → 10.140.0.2
10.3.2.3 → 10.140.0.3
10.3.2.4 → 10.140.0.4
Not at the moment, but it’s in our backlog. We are planning to have per user/device to destination IP rules (vs. source IP).
You can keep an eye on progress here: Enforce per-user|device rules · Issue #423 · firezone/firezone · GitHub.
@jason I think @remy is referring to customizing the masquerade address, or effectively adding nftables rules to decide which interface the packets use when they leave the tunnel. Is that accurate @remy?
If so, I’m assuming these interfaces already exist with IPs assigned?
@jamil, yes that's correct. It is kind of NATing the VPN IP: the default configuration is to NAT all VPN IPs to one NAT IP, but I need NATing per VPN IP.
I see, so you want to set up custom routes. Hmm we don’t support this now, but will keep it in mind for a future release.
In the meantime, if you're familiar with nftables, you could add a table of your own that takes priority over the firezone table with rules to NAT specific VPN IPs.
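As an added illustration of that suggestion (this is not from the thread and not Firezone's own configuration), here is a stand-alone nftables table that maps each VPN source IP from the question to its own egress address. It assumes the WAN interface is `eth0`, that the Firezone-managed table uses the default `srcnat` priority (100) so a chain at `srcnat - 10` runs first, and that the `10.140.0.x` addresses are already assigned on the host, as @jamil asked about above.

```nft
# Added example, not from the thread or from Firezone.
# A separate table whose postrouting chain runs before the default srcnat
# priority (100). Only the first packet of a flow reaches a nat chain, and
# once this chain creates the SNAT binding, later nat chains (the Firezone
# masquerade) leave that flow alone. Sources not listed in the map are
# untouched here and fall through to Firezone's default masquerade.
# Assumptions: WAN interface is eth0; Firezone's table uses priority srcnat;
# the mapping below is the one from the question.
table ip vpn_egress_nat {
    # one entry per user VPN IP -> dedicated egress IP
    map user_egress {
        type ipv4_addr : ipv4_addr
        elements = {
            10.3.2.2 : 10.140.0.2,
            10.3.2.3 : 10.140.0.3,
            10.3.2.4 : 10.140.0.4
        }
    }

    chain postrouting {
        type nat hook postrouting priority srcnat - 10; policy accept;
        # rewrite the source to the per-user address; packets whose source
        # is not in the map do not match this rule
        oifname "eth0" snat to ip saddr map @user_egress
    }
}
```

Load it with `nft -f <file>` and confirm the chain ordering with `nft list ruleset`; the Firezone chain should appear with a higher priority number than this one, otherwise adjust `srcnat - 10` accordingly. The `10.140.0.x` addresses must be configured on `eth0` (for example as secondary addresses) or reply traffic will never reach the host. `conntrack -L` shows which source address each VPN flow actually received, which is the quickest way to verify the per-user mapping is in effect.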