From: Dominik Sander <mail@dsander.de>
To: wireguard@lists.zx2c4.com
Subject: Re: Responses send by wireguard always use the default route
Date: Thu, 7 Jan 2021 22:33:43 +0100 [thread overview]
Message-ID: <09551513-c315-20ab-9f2c-93a6d8814920@dsander.de> (raw)
In-Reply-To: <CAJJxGdHrrpr+NPXztZz+QBy=g+E=oOEQsW6Qh9eKGuFiVXN+Mg@mail.gmail.com>
Thank you for confirming that this is working as intended.
regards,
Dominik
On 02/01/2021 20:54, David Kerr wrote:
> This is expected behavior... outbound packets follow routing table
> rules to select the "best" interface to send from. You can use
> iptables to mark packets coming in from one interface and then set up
> an ip routing table to make sure that replies to traffic on an
> incoming interface go back out on the same interface. Search for that
> on google for suggested solutions. By way of an example, here is what
> I have on my router to make sure that any traffic coming in on wg0 to
> my local network(s) is sent back out over wg0.
>
> # iptables -t mangle -S | grep restore-mark
> -A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
> -A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
> # iptables -t mangle -S | grep WG0
> -N PREROUTING_WG0
> -A PREROUTING -i wg0 -j PREROUTING_WG0
> -A PREROUTING_WG0 -m state --state NEW -j MARK --set-xmark 0x4/0x4
> -A PREROUTING_WG0 -m state --state NEW -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
> # ip rule
> 0: from all lookup local
> 1000: from 192.168.1.1/24 fwmark 0x4/0x4 lookup 300
> 1001: from all to <redacted> lookup 51820
> 32766: from all lookup main
> 32767: from all lookup default
> # ip route show table 300
> default dev wg0 scope link
>
> David.
>
>
> On Sat, Jan 2, 2021 at 10:34 AM Dominik Sander <mail@dsander.de> wrote:
>>
>> Hi!
>>
>> I would like to confirm if the behavior I am seeing is intended or if my
>> use case should be supported without additional configuration.
>>
>> When wireguard is configured on a server that has multiple network
>> interfaces the response is always sent through the route with the lowest
>> metric, even when the connection was initiated via a different interface.
>>
>> The Wireguard server is exposed via my router, port 13377 is forwarded
>> to 192.168.1.246, the peer is connecting via an external IP:
>>
>> # ip route
>> default via 10.0.0.1 dev eth1 proto dhcp src 10.0.0.171 metric 50
>> default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.246 metric 100
>> 10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.171 metric 50
>> 10.0.0.1 dev eth1 proto dhcp scope link src 10.0.0.171 metric 50
>> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.246 metric 100
>> 192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.246 metric 100
>>
>> # tcpdump -i any -vn "(host 80.xxx.xxx.xxx or src port 13377 or dst port 13377)"
>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
>> 14:13:08.767409 IP (tos 0x0, ttl 50, id 12125, offset 0, flags [none], proto UDP (17), length 176)
>> 80.xxx.xxx.xxx.17819 > 192.168.1.246.13377: UDP, length 148
>> 14:13:08.768076 IP (tos 0x88, ttl 64, id 180, offset 0, flags [none], proto UDP (17), length 120)
>> 10.0.0.171.13377 > .xxx.xxx.xxx.17819: UDP, length 92
>>
>> Because the response is sent from the "wrong" IP address the router does not know
>> how to forward it and the client is never properly connected.
>>
>> I was wondering if the IP/interface of the request could also be used for the response,
>> to remove the need for policy based routing or iptable rules.
>>
>> The actual use case is wireguard on an OpenWRT router which has multiple WAN interfaces.
>> The WAN with the lowest metric is not the interface that should be used for wireguard
>> because it has better download speed, the wireguard WAN has better upload speed.
>>
>> For reference, a thread discussing the problem on GitHub [1] and on the OpenWRT Forum [2].
>>
>> Thanks for creating/working on wireguard!
>>
>> Kind regards,
>>
>> Dominik
>>
>> [1] https://github.com/openwrt/packages/issues/9538
>> [2] https://forum.openwrt.org/t/wireguard-server-can-only-successfully-be-used-via-one-wan-interface/83374
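The policy-routing fix David describes, worked out for the addresses in Dominik's message as an added example (not code from the thread, from OpenWRT or from the WireGuard project): a source-address rule above the main table, pointing at a table whose only route is a default over eth0, so that a reply sourced from 192.168.1.246 is routed via 192.168.1.1 instead of following the metric-50 default on eth1. Interface names, addresses and the gateway are taken from the quoted ip route output; the table number 100, the rule priority 1000, the function names and the DRY_RUN switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from WireGuard.
# Source-address policy routing for the two-WAN server in Dominik's message:
# replies from 192.168.1.246 (the address port 13377 is forwarded to) must
# leave via eth0 and its gateway 192.168.1.1, although eth1 carries the
# lower-metric default route.
# Assumed values: interfaces, addresses and gateway come from the quoted
# "ip route" output; TABLE and PRIO are arbitrary choices of this example.

WG_IF=eth0
WG_SRC=192.168.1.246
WG_GW=192.168.1.1
TABLE=100
PRIO=1000

# Set DRY_RUN=1 to print the commands instead of executing them.
: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install a dedicated table whose only route is a default via the eth0
# gateway, then a rule that sends every packet sourced from WG_SRC to it.
# Priority 1000 sits above "main" (32766), so this wins over the metric-50
# default on eth1. Re-runnable: a stale rule is removed before adding.
wg_return_route_setup() {
    run ip route replace default via "$WG_GW" dev "$WG_IF" table "$TABLE"
    run ip rule del from "$WG_SRC" lookup "$TABLE" priority "$PRIO" || true
    run ip rule add from "$WG_SRC" lookup "$TABLE" priority "$PRIO"
}

# Remove what the setup added.
wg_return_route_teardown() {
    run ip rule del from "$WG_SRC" lookup "$TABLE" priority "$PRIO" || true
    run ip route flush table "$TABLE"
}

# Ask the kernel which interface a reply from WG_SRC to a peer would use.
# With the rule in place the output should say "dev eth0"; without it the
# quoted tcpdump shows the reply leaving eth1 as 10.0.0.171.
wg_return_route_check() {
    run ip route get "$1" from "$WG_SRC"
}

case "${1:-}" in
    setup)    wg_return_route_setup ;;
    teardown) wg_return_route_teardown ;;
    check)    wg_return_route_check "${2:?peer address required}" ;;
esac
```

Run it as `sh wg-return.sh setup` (or with `DRY_RUN=1` first to see the commands), then `sh wg-return.sh check <peer address>` and a capture with Dominik's tcpdump filter to confirm both directions of the UDP exchange now appear on eth0. The rule only affects packets sourced from 192.168.1.246, so the rest of the box keeps using eth1; it has to be re-applied whenever the interface or its DHCP lease is re-created. David's mark-based variant (CONNMARK restore in PREROUTING and OUTPUT, a rule on fwmark) is the shape to use when the deciding criterion is the ingress interface rather than a source address, as in his wg0 case.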
Thread overview: 5+ messages
2020-12-30 17:41 Dominik Sander
2021-01-02 19:54 ` David Kerr
[not found] ` <67cc2ffb-cf1c-1321-ac68-d0116512847b@wim.email.be>
2021-01-02 20:47 ` David Kerr
2021-01-02 20:51 ` David Kerr
2021-01-07 21:33 ` Dominik Sander [this message]