rnewme|1 year ago
What would be the opposite approach, to make sure all traffic goes through the VPN, and only the VPN, even if the user didn't start the VPN connection (default to no connectivity)? Is there a better approach than just disabling all other network interfaces?
isodude|1 year ago
AFAIK WireGuard will always listen in the default namespace, thus you need to isolate everything else. A fun way of doing it, though, is an ip rule that uses the VRF table and matches on the user id. That way all traffic from certain users will always end up in the same routing table. You can go further and match on everything except the WireGuard endpoint. With iptables you can MARK the traffic you want to be treated differently and then catch that traffic with ip rule.
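The fail-closed policy sketched in the reply above, written out as an added example (this is not code from either commenter): a dedicated routing table that contains only the tunnel plus an "unreachable" fallback, selected either by uid range or by an iptables MARK caught with an fwmark rule that exempts the WireGuard endpoint. It uses a plain policy-routing table rather than a VRF device, and every interface name, address, uid range, table number and mark value is a hypothetical default that can be overridden through the environment. It prints the commands by default; applying them (DRY_RUN=0) needs root on Linux with iproute2 and iptables.

```shell
#!/bin/sh
# Added example, not from the thread: a fail-closed "VPN only" policy for a
# Linux WireGuard client, using the selectors mentioned in the reply above
# (ip rule by uid range, or iptables MARK + ip rule by fwmark) against a
# dedicated routing table. All values below are hypothetical defaults.
set -eu

WG_IF="${WG_IF:-wg0}"                       # WireGuard interface
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"  # peer endpoint (documentation range)
VPN_TABLE="${VPN_TABLE:-100}"               # dedicated routing table
VPN_UIDS="${VPN_UIDS:-1000-1999}"           # users that may only talk through the VPN
VPN_MARK="${VPN_MARK:-0x1}"                 # fwmark used by the iptables variant
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the commands, 0 = execute them

# Print or execute one command, so the policy can be reviewed before it is applied.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The VPN table holds exactly two routes: the tunnel as default, and an
# "unreachable" default with a worse metric. A packet sent to this table never
# falls through to the main table: when wg0 goes down the kernel removes the
# device route, the lookup hits "unreachable", and the traffic fails closed
# instead of leaking out of the physical interface.
vpn_table() {
    run ip route add default dev "$WG_IF" table "$VPN_TABLE"
    run ip route add unreachable default metric 1000 table "$VPN_TABLE"
}

# Variant 1: select by user id. Sockets owned by uids in the range are looked up
# in the VPN table only. WireGuard's own encrypted UDP leaves from a kernel
# socket created by root when the interface was configured, so it is outside the
# range and still uses the main table to reach the endpoint.
uid_rules() {
    run ip rule add uidrange "$VPN_UIDS" lookup "$VPN_TABLE" pref 200
}

# Variant 2: mark every locally generated packet except those to the WireGuard
# endpoint, then send marked packets to the VPN table. The outer UDP to the
# endpoint is the only traffic left on the main table; destinations in the
# local table (loopback, own addresses) still match at pref 0, before this rule.
mark_rules() {
    run iptables -t mangle -A OUTPUT ! -d "$WG_ENDPOINT" -j MARK --set-mark "$VPN_MARK"
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE" pref 300
}

# apply_killswitch uid|mark
apply_killswitch() {
    vpn_table
    case "${1:-uid}" in
        uid)  uid_rules ;;
        mark) mark_rules ;;
        *)    echo "usage: apply_killswitch uid|mark" >&2; return 2 ;;
    esac
}

apply_killswitch "${1:-uid}"
```

After applying for real, check the decision the kernel actually makes rather than trusting the rule list: `ip route get 198.51.100.1 uid 1000` (or `... mark 0x1` for the second variant) should report `dev wg0`, and the same lookup after `ip link set wg0 down` should return "Network is unreachable" rather than the physical interface.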