Development discussion of WireGuard
 help / color / mirror / Atom feed
* Incorrect Source Addr Selection On Initiate and Asymmetric Routing
       [not found] <6fc9765d-f4ef-84d2-c65a-97bab58e3e4b@bluematt.me>
  2020-08-15 20:00 ` Incorrect Source Addr Selection On Initiate and Asymmetric Routing Matt Corallo
@ 2020-08-18 15:26 ` Matt Corallo
  1 sibling, 0 replies; 2+ messages in thread
From: Matt Corallo @ 2020-08-18 15:26 UTC (permalink / raw)
  To: WireGuard mailing list

[Resending this few-month-old mail because apparently the list bounced it the first time.]


Oops, should have mentioned, this may have always been the case, with only recent addition of asymmetric routing leading
me to identify it, but its at least been the case on 5.6.X and currently is the case on 5.7.6.

Matt

On 6/28/20 3:03 PM, Matt Corallo wrote:
> I run wireguard on some endpoints with anycast IP addresses (which mostly workes seamlessly, which is awesome!), however
> of late it seems the source address selection in Wireguard incorrectly selects the default source address when it most
> recently received packet(s) to a different address.
> 
> Most of the routes on such boxes have an explicit default source that is different from the anycast addresses, as
> otherwise regular connections from such boxes would fail, eg:
> 1.0.0.0/24 via XXX dev XXX src (non-anycast-address) metric 32
> 
> Ive observed wireguard selecting the default source in two cases:
> 
> a) when the server is the one sending the handshake initiation due to the handshake timer, it appears the server selects
> a new source address based on the default. I haen't had practical issues with this, but its worth noting, and probably
> fixing.
> 
> b) when the path outbound to the client is different from the path inbound. In my case, inbound v4 traffic from my phone
> on T-Mobile US (which passes through CG-NAT) comes into my server on one interface, but the path back out to TMO is via
> a different interface. In this case, wireguard selects the default source address and sends a packet which T-Mobile's
> CG-NAT drops as there is no NAT entry for it.
> 
> Matt
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Incorrect Source Addr Selection On Initiate and Asymmetric Routing
       [not found] <6fc9765d-f4ef-84d2-c65a-97bab58e3e4b@bluematt.me>
@ 2020-08-15 20:00 ` Matt Corallo
  2020-08-18 15:26 ` Matt Corallo
  1 sibling, 0 replies; 2+ messages in thread
From: Matt Corallo @ 2020-08-15 20:00 UTC (permalink / raw)
  To: WireGuard mailing list

Oops, should have mentioned, this may have always been the case, with only recent addition of asymmetric routing leading
me to identify it, but its at least been the case on 5.6.X and currently is the case on 5.7.6.

Matt

On 6/28/20 3:03 PM, Matt Corallo wrote:
> I run wireguard on some endpoints with anycast IP addresses (which mostly workes seamlessly, which is awesome!), however
> of late it seems the source address selection in Wireguard incorrectly selects the default source address when it most
> recently received packet(s) to a different address.
> 
> Most of the routes on such boxes have an explicit default source that is different from the anycast addresses, as
> otherwise regular connections from such boxes would fail, eg:
> 1.0.0.0/24 via XXX dev XXX src (non-anycast-address) metric 32
> 
> Ive observed wireguard selecting the default source in two cases:
> 
> a) when the server is the one sending the handshake initiation due to the handshake timer, it appears the server selects
> a new source address based on the default. I haen't had practical issues with this, but its worth noting, and probably
> fixing.
> 
> b) when the path outbound to the client is different from the path inbound. In my case, inbound v4 traffic from my phone
> on T-Mobile US (which passes through CG-NAT) comes into my server on one interface, but the path back out to TMO is via
> a different interface. In this case, wireguard selects the default source address and sends a packet which T-Mobile's
> CG-NAT drops as there is no NAT entry for it.
> 
> Matt
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2020-08-19 16:20 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <6fc9765d-f4ef-84d2-c65a-97bab58e3e4b@bluematt.me>
2020-08-15 20:00 ` Incorrect Source Addr Selection On Initiate and Asymmetric Routing Matt Corallo
2020-08-18 15:26 ` Matt Corallo

Development discussion of WireGuard

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/wireguard

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 wireguard wireguard/ http://inbox.vuxu.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git