AlmaLinux 9 as WireGuard gateway

I want to use AlmaLinux as a VPN gateway.

It's a virtual machine from my internet provider with 2 public static IP addresses on eth0.

I route traffic from ip1 to and ip2 to (WireGuard network). All easy. But I don't know how I can route outgoing traffic: ip should use public ip1, should use public ip2.

Is this scenario possible with firewalld?

I do this on Ubuntu, so you probably could find something similar. I have an AL9 intermediate gateway, which connects to an Ubuntu VM with a public IP.

Is your AL config doing the NAT masquerade? Or do you have a router/gateway doing that for you?

# Placeholder values for the variables the script uses (not shown in the post;
# constructed RFC 5737 / RFC 1918 samples, replace with your own):
IF_WG="wg0"                  # WireGuard interface
WG_ENDPOINT_PORT="51820"     # UDP listen port of the WireGuard endpoint
IF_HOST_IP="198.51.100.10"   # public IP on eth0 that should reach the client
IF_WG_IP_CLIENT="10.0.0.2"   # WireGuard address of the client behind it

PERMANENT="--permanent" # simply test scenario if it's blank

firewall-cmd $PERMANENT --zone=public --add-interface=$IF_WG
firewall-cmd $PERMANENT --zone=public --add-masquerade

[[ "$WG_ENDPOINT_PORT" == "51820" ]] && FW_WG_SERVICE="--add-service wireguard" || FW_WG_SERVICE="--add-port=$WG_ENDPOINT_PORT/udp"
firewall-cmd $PERMANENT --zone=public $FW_WG_SERVICE

# forwarding for http and https
# (family=ipv4 states the address family explicitly; the public IPs are IPv4)
for p in 80 443; do
  firewall-cmd $PERMANENT --zone=public --add-rich-rule="\
               rule family=ipv4 destination address=$IF_HOST_IP \
               forward-port port=$p  protocol=tcp \
               to-port=$p  to-addr=$IF_WG_IP_CLIENT"
done

[[ "$PERMANENT" == "--permanent" ]] && firewall-cmd --reload

This is the code for one IP address. To use it for more public IPs it's only necessary to modify the firewall-cmd in the for loop.

For outgoing traffic it's enough to add masquerade. But masquerade always uses the default IP address.

How is it possible (with firewalld) to use a specific outgoing IP address with only one interface (eth0)?
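One way to get a per-client outgoing address with firewalld, as an added example that is not the thread's own script: the inbound forward-port rich rules stay as in the post, and the outbound side uses firewalld's direct interface to add one explicit SNAT rule per WireGuard client (`-s <client> -o eth0 -j SNAT --to-source <public ip>`) ahead of the zone masquerade, which then only handles clients without a dedicated public IP. The script generalizes the one-IP loop from the post to a list of `public_ip:client_ip` pairs and prints the firewall-cmd lines by default (dry run); `APPLY=1` executes them. Assumptions not taken from the thread: the addresses are constructed sample values (RFC 5737 / RFC 1918), the WireGuard interface is named `wg0`, the address family is IPv4, and the direct interface is available (deprecated since firewalld 1.0 but still shipped; it is implemented through iptables-nft, so the `iptables` command has to be present).

```shell
#!/bin/sh
# Added example, not the thread's script: build the firewalld commands for a
# WireGuard gateway with several public IPs on eth0, one per client, including
# a per-client SNAT rule so outgoing traffic uses "its" public IP instead of the
# default address masquerade would pick. Dry run (prints the commands) unless
# APPLY=1 is set.
set -eu

WG_IF="wg0"        # assumed interface name (not given in the thread)
WG_PORT="51820"    # UDP endpoint port from the thread's script
OUT_IF="eth0"      # interface carrying the public IPs (from the thread)

# Constructed sample pairs "public_ip:wireguard_client_ip" (RFC 5737 / RFC 1918).
MAPPINGS="198.51.100.10:10.0.0.2 198.51.100.11:10.0.0.3"

# Inbound: DNAT 80/443 arriving on one public IP to one client (rich rules,
# family=ipv4 given explicitly because an address is part of the rule).
inbound_rules() {
  pub="$1"; client="$2"
  for p in 80 443; do
    printf 'firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 destination address=%s forward-port port=%s protocol=tcp to-port=%s to-addr=%s"\n' \
      "$pub" "$p" "$p" "$client"
  done
}

# Outbound: a direct-interface SNAT rule for this client. Direct rules are
# evaluated before firewalld's zone masquerade, so a connection from the client
# leaving via eth0 gets the paired public IP and is not masqueraded again.
outbound_rule() {
  pub="$1"; client="$2"
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s %s -o %s -j SNAT --to-source %s\n' \
    "$client" "$OUT_IF" "$pub"
}

# The complete command list: zone setup, the per-mapping rules, then reload.
# Masquerade stays enabled for any client without a dedicated public IP.
build_rules() {
  printf 'firewall-cmd --permanent --zone=public --add-interface=%s\n' "$WG_IF"
  printf 'firewall-cmd --permanent --zone=public --add-masquerade\n'
  printf 'firewall-cmd --permanent --zone=public --add-port=%s/udp\n' "$WG_PORT"
  for m in $MAPPINGS; do
    inbound_rules "${m%%:*}" "${m##*:}"
    outbound_rule "${m%%:*}" "${m##*:}"
  done
  printf 'firewall-cmd --reload\n'
}

# Dry run prints the commands; APPLY=1 runs each line (needs root and firewalld).
main() {
  if [ "${APPLY:-0}" = "1" ]; then
    build_rules | while IFS= read -r cmd; do eval "$cmd"; done
  else
    build_rules
  fi
}

main
```

After applying, `firewall-cmd --direct --get-all-rules` should list one SNAT rule per client and `nft list ruleset` should show the direct chain ahead of firewalld's own postrouting chain; a packet capture on eth0 filtered on the client's public address confirms that the client's connections leave with that address rather than the default one.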