Development discussion of WireGuard
 help / color / mirror / Atom feed
From: Christoph Loesch <wireguard-mail@chil.at>
To: <wireguard@lists.zx2c4.com>
Subject: Re: client uses wrong source ip for outgoing connections
Date: Fri, 19 Nov 2021 01:11:47 +0100	[thread overview]
Message-ID: <744d7291-e43b-4e8c-76be-c78c11204e17@chil.at> (raw)
In-Reply-To: <d60ce240-5bb3-eed7-85a0-31d05cb0133e@chil.at>

if relevant, some more details about interface and routes from good and bad example to compare:

root@eng196-router:~# ip a sh wg0
46: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
     link/none
root@eng196-router:~# ip r sh dev wg0
10.5.44.0/24 scope link
172.27.0.0/24 scope link
root@eng196-router:~# ip a sh br1
11: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
     link/ether 44:d9:e7:x:y:z brd ff:ff:ff:ff:ff:ff
     inet 10.29.85.100/24 brd 10.29.85.255 scope global br1
        valid_lft forever preferred_lft forever
     inet6 fe80::7c4c:1dff:fe84:fece/64 scope link
        valid_lft forever preferred_lft forever

root@zi1-router:~# ip a sh wg0
18: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
     link/none
root@zi1-router:~# ip r sh dev wg0
10.5.44.0/24 scope link
172.27.0.0/24 scope link
root@zi1-router:~# ip a sh br1
12: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
     link/ether 74:83:c2:x:y:z brd ff:ff:ff:ff:ff:ff
     inet 10.34.0.100/24 brd 10.34.0.255 scope global br1
        valid_lft forever preferred_lft forever
     inet6 fe80::2c2e:76ff:fedc:d8e/64 scope link
        valid_lft forever preferred_lft forever

Am 19.11.2021 um 00:40 schrieb Christoph Loesch:
> Hi,
>
> I am using wireguard on about 20 EdgeRouters (based on Debian stretch).
> Each router has exact same configuration (apart from router ip addresses and wireguard keys/passphrases).
> Works very well on most of them but on five routers wireguard uses the wrong ip address for outgoing connections over the tunnel.
> All routers use kernel 4.14.54-UBNT and wireguard-tools v1.0.20210914
> Wireguard debian package is from github/WireGuard/wireguard-vyatta-ubnt
>
> On the problematic routers the public ip address is used for the tunnel instead the private ip address.
> Interestingly even in the bad example the wg tunnel is running and the server can reach the routers(=wg clients), but not the other way round.
>
> In the following examples 172.27.0.1 is the wireguard server internal ip address.
> Routers use ip addresses in the 10.0.0.0/8 range for the wg tunnel which are allowed on the server.
> I already even debugged this with tcpdump where I found out it uses the wrong ip.
> But looking at a simple ping you also notice the wrong ip after the word "from".
>
> Good example:
> eng196-router:~$ \ping -I wg0 -c1 172.27.0.1
> ping: Warning: source address might be selected on device other than wg0.
> PING 172.27.0.1 (172.27.0.1) from 10.29.85.100 wg0: 56(84) bytes of data.
> 64 bytes from 172.27.0.1: icmp_seq=1 ttl=64 time=6.82 ms
> --- 172.27.0.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 6.826/6.826/6.826/0.000 ms
>
> Bad example:
> zi1-router:~$ \ping -I wg0 -c1 172.27.0.1
> ping: Warning: source address might be selected on device other than wg0.
> PING 172.27.0.1 (172.27.0.1) from 78.41.x.y wg0: 56(84) bytes of data.
> --- 172.27.0.1 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> Configurations:
> eng196-router:~# wg
> interface: wg0
>   public key: SoV2obcH0qWfCRY3gZbkLNeMa1QRcnhNDCeiI9weszA=
>   private key: (hidden)
>   listening port: 58205
> peer: 1syRMYD1jIVFMUMm5hF/j0MzjMQmuC5mlcT1VVugIkU=
>   preshared key: (hidden)
>   endpoint: 86.59.x.y:1024
>   allowed ips: 172.27.0.0/24, 10.5.44.0/24
>   latest handshake: 53 seconds ago
>   transfer: 24.57 MiB received, 26.48 MiB sent
>   persistent keepalive: every 25 seconds
>
> zi1-router:~# wg
> interface: wg0
>   public key: aYtVhblpR0XSsAb/dXF3zM9Hu+LxlvrR5RWFU2psF3M=
>   private key: (hidden)
>   listening port: 45514
> peer: 1syRMYD1jIVFMUMm5hF/j0MzjMQmuC5mlcT1VVugIkU=
>   preshared key: (hidden)
>   endpoint: 86.59.x.y:51820
>   allowed ips: 172.27.0.0/24, 10.5.44.0/24
>   latest handshake: 13 seconds ago
>   transfer: 1.79 MiB received, 6.26 MiB sent
>   persistent keepalive: every 25 seconds
>
> What could cause the wrong selection?
> Why does that work for most routers but for some not? There must be some difference or something gets confused up by specific ip addresses I guess?
> How could I debug this further to find the difference and/or cause for this problem?
>
> Thanks for any hints and kind regards,
> Christoph
>

  reply	other threads:[~2021-11-19  0:12 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-18 23:40 Christoph Loesch
2021-11-19  0:11 ` Christoph Loesch [this message]
2021-11-23 16:26   ` Christoph Loesch

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=744d7291-e43b-4e8c-76be-c78c11204e17@chil.at \
    --to=wireguard-mail@chil.at \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).