Hi there,
Good point on the VPN. To avoid unnecessarily induced artefacts, I tried the same set-up without any VPN, mimicking a multi-WAN scenario, no failover, no load-balancing. I simply added routes to test traffic via different interfaces, 1.1.1.1 via eth0, 8.8.8.8 via eth1. As soon as I have more than one source NAT rule set, no traffic makes it through.
What I’m trying to achieve is the equivalent of:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
How do you do that?
To somewhat answer your question, though:
About interface tailscale0:
I’m not sure how I can share my Tailscale configuration, but there is nothing fancy. I just log in to my Headscale instance, and voilà. No special routes, nada, just an internal IP to access other machines via their Tailscale IPs. I need masquerading so I can route NATed traffic from my LAN clients.
About interface wg222:
That one is a bit particular. I have a public IP from my WireGuard endpoint. I’ve created a separate routing table, and can route 0.0.0.0/0 via that interface, so reverse path works fine. The outside world can ping my additional public IP and VyOS will happily pong back. As for the above, I need masquerading so that I can permit my LAN clients to exit via the WireGuard interface onto the Internet.
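For reference, the VyOS source NAT equivalent of the two iptables MASQUERADE rules quoted in the post, one rule per outbound interface. This is an added example, not a reply from the thread or configuration from the VyOS project; it assumes the VyOS 1.4 (sagitta) CLI, where `outbound-interface` takes a `name` keyword (on VyOS 1.3 and earlier the interface name follows `outbound-interface` directly), and the rule numbers 100 to 130 are arbitrary choices:

```vyos
# Added example, not from the original post. VyOS 1.4 syntax assumed;
# on VyOS 1.3 write "outbound-interface 'eth0'" without the "name" keyword.
configure

# Equivalent of: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 translation address 'masquerade'

# Equivalent of: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
set nat source rule 110 outbound-interface name 'eth1'
set nat source rule 110 translation address 'masquerade'

# Same pattern for the two tunnel interfaces named in the post
set nat source rule 120 outbound-interface name 'tailscale0'
set nat source rule 120 translation address 'masquerade'
set nat source rule 130 outbound-interface name 'wg222'
set nat source rule 130 translation address 'masquerade'

commit
save
exit

# Operational mode: confirm the rules are loaded and watch live translations
show nat source rules
show nat source translations
```

Like the iptables rules, each VyOS rule matches on the outbound interface only, so any source address leaving that interface is masqueraded; adding `set nat source rule 100 source address '<LAN prefix>'` (and likewise for the other rules) limits the translation to the LAN clients. To see what VyOS actually programmed into the kernel, `sudo nft list table ip vyos_nat` on 1.4 (or `sudo iptables -t nat -vnL POSTROUTING` on 1.3) shows the generated chain, which is the quickest way to check whether a second masquerade rule really is the thing that stops traffic.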