Background
I am adding support for WireGuard VPN to an embedded device. The user will be able to set the AllowedIPs
configuration themselves. WireGuard uses the allowed IPs to set routes on the host, so it will be possible for a user to isolate the device (make it impossible to connect via TCP). I have been thinking about ways to prevent this.
Potential Solution
One potential solution is to add IP rules for the host interfaces, such that any traffic with the source IP of an interface is always routed via that interface. If we had one host interface eth0 with IP 172.17.0.2 and one WireGuard interface wg0 with IP 172.22.0.4, the configuration would look something like this:
ip route add default via 172.17.0.1 dev eth0 table 1
ip rule add from 172.17.0.2 table 1
This means that connections originating from the device should still be routed normally, but if someone connects to the device using TCP - for HTTP or SSH - the responses should be routed back.
Questions
On the surface this looks like a really elegant solution, but I can't help thinking that this isn't the default for a good reason. I just have not thought of what that reason could be. Is this a bad idea? Will it add a potential vulnerability to the device or something similar? Is there a better way to achieve my desired goal of avoiding device isolation?
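The source-based policy routing described in the question, written up as an added example (not part of the original post) that generates the ip(8) commands for one host interface, validates the user-supplied addresses before they reach a command line, and can either print or apply them. The interface names, addresses and table number are the placeholders from the question; the function names, the DRY_RUN variable and the rule priority of 100 are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original question: source-based policy routing
# so replies to connections that arrived on a host interface leave via that
# interface's own gateway, even after WireGuard installs routes from AllowedIPs.
# eth0 / 172.17.0.2 / 172.17.0.1 / table 1 are the question's placeholders;
# DRY_RUN, valid_ipv4, policy_route_cmds, apply_policy_route and
# check_reply_path are names chosen for this example.

# Minimal IPv4 dotted-quad check so a malformed user-supplied address
# cannot be spliced into an ip(8) command line.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print the commands for one interface: <iface> <iface_ip> <gateway> <table> [priority]
# Priority 100 sits ahead of the main table (32766), so it wins over any
# default route WireGuard adds there.
policy_route_cmds() {
    iface=$1 addr=$2 gw=$3 table=$4 prio=${5:-100}
    valid_ipv4 "$addr" && valid_ipv4 "$gw" || { echo "bad address" >&2; return 1; }
    # 'replace' keeps the route idempotent; rules are not, so delete first.
    printf '%s\n' \
        "ip route replace default via $gw dev $iface table $table" \
        "ip rule del from $addr table $table priority $prio 2>/dev/null || true" \
        "ip rule add from $addr table $table priority $prio"
}

# Print the commands (DRY_RUN=1, the default) or run them (needs CAP_NET_ADMIN).
apply_policy_route() {
    cmds=$(policy_route_cmds "$@") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
}

# Ask the kernel which device a reply from <iface_ip> to <dst> would use,
# e.g. check_reply_path 172.17.0.2 203.0.113.9 should report "dev eth0"
# once the rule is in place, whatever wg0's AllowedIPs say.
check_reply_path() {
    ip -o route get "$2" from "$1" 2>/dev/null
}

apply_policy_route eth0 172.17.0.2 172.17.0.1 1
```

Run with DRY_RUN=0 as root to apply, then use check_reply_path with the host interface address and an address covered by wg0's AllowedIPs to confirm that locally addressed replies still leave via eth0; connections the device itself initiates pick their source address from the main table and are unaffected by the rule.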