Backstory:
I've set up my firewall rules to prevent traffic from leaking outside of the WireGuard VPN tunnel, because it happened before that the wg interface was active, but there was no active tunnel with the peer due to the internet connection outside of that node getting lost. What I first attempted with static routes didn't seem to be an ideal setup, as the wg setup wouldn't be complete (e.g. the interface didn't get its static IP).
So in the end I took the firewall approach, but what I still see is activity on the main network interface, despite the tunnel being active.
These are my nftables output rules:
chain output {
    type filter hook output priority filter; policy drop;
    oifname "lo" accept comment "allow to loopback"
    meta l4proto { icmp, ipv6-icmp } counter packets 6 bytes 582 accept
    # Skip default gateway
    ip daddr 192.168.1.2-192.168.1.254 accept
    oifname "wg0" accept
    oifname "enp100s0" ip daddr $PEER_IP udp dport $PEER_PORT accept comment "wireguard traffic"
    ip daddr { 1.1.1.1, 192.168.1.1 } udp dport 53 accept
    ip daddr { 1.1.1.1, 192.168.1.1 } tcp dport 853 accept
    counter packets 21709 bytes 2030855
}
As you can see, the final counter shows "a lot" of traffic on the enp100s0 interface, and logs show that the traffic is going to many public destinations (which is logical, taking into account what's running on the node). But why does that log show so much traffic (both UDP and TCP), while it should be going through the tunnel to the peer (the oifname "enp100s0" part), AFAIU?
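One way to see which output interface and destinations the dropped packets actually belong to, as an added example that is not part of the question: it assumes a hypothetical `log prefix "wg-leak: " counter` rule placed just before the chain's policy drop, and aggregates the kernel log lines that rule produces (the sample lines below are constructed).

```python
"""Aggregate netfilter drop-log lines by output interface and destination.

Assumes a hypothetical rule `log prefix "wg-leak: " counter` at the end of
the output chain, so every packet hitting `policy drop` is logged first.
"""
import re
from collections import Counter

# key=value fields of a netfilter kernel log line that we care about.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")

# Constructed sample log lines (not real captures). Note the IPv6 line:
# the `ip daddr` rules in the chain only match IPv4, so IPv6 DNS would
# fall through to the final counter and be dropped.
SAMPLE_LOG = """\
Jan 01 12:00:00 node kernel: wg-leak: IN= OUT=enp100s0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
Jan 01 12:00:01 node kernel: wg-leak: IN= OUT=enp100s0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=443 SYN URGP=0
Jan 01 12:00:02 node kernel: wg-leak: IN= OUT=enp100s0 SRC=192.168.1.10 DST=198.51.100.9 LEN=76 TTL=64 PROTO=UDP SPT=40000 DPT=123 LEN=56
Jan 01 12:00:03 node kernel: wg-leak: IN= OUT=enp100s0 SRC=2001:db8::10 DST=2001:db8::53 LEN=80 HOPLIMIT=64 PROTO=UDP SPT=53344 DPT=53 LEN=40
Jan 01 12:00:04 node kernel: some unrelated kernel message
"""


def parse_log_line(line):
    """Return the parsed fields of one "wg-leak:" log line, or None for other lines."""
    if "wg-leak:" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarize(lines):
    """Count dropped packets per (out_iface, proto, dst, dport)."""
    totals = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        key = (f.get("OUT", ""), f.get("PROTO", ""), f.get("DST", ""), f.get("DPT", "-"))
        totals[key] += 1
    return totals


def per_interface(totals):
    """Collapse the per-destination counts to a per-output-interface total."""
    by_if = Counter()
    for (oif, *_), n in totals.items():
        by_if[oif] += n
    return by_if


if __name__ == "__main__":
    t = summarize(SAMPLE_LOG.splitlines())
    for (oif, proto, dst, dport), n in t.most_common():
        print(f"{n:6d}  out={oif:10s} {proto:4s} {dst}:{dport}")
    print("per interface:", dict(per_interface(t)))
```

Run it against `journalctl -k` output instead of the sample to see whether the counted packets really leave via enp100s0, and which address family and ports they use.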