FR: interface ListenAddress (Aka:Multihomed server issue)

Jan De Landtsheer jan at delandtsheer.eu
Thu Aug 10 18:57:05 CEST 2017 

no, very simple …
I have (for the sake of brevity) 2 interfaces:

one is eth0 with ip 123.45.67.1/30 and I have on the box 123.45.67.2 as
default gateway.
on that link I bgp peer with 123.45.67.2 and announce my own /24, let’s say
134.56.78.0/24

another eth interface (eth1) hosts several ip addresses and one of these is
134.56.78.5/24

for that interface I allow port 443 to accept packets for

[Interface]
ListenPort = 443

but I do not allow packets to connect to 123.45.67.1/30 on port 443 (as
this iface is just my Provider’s /30

when a client connects to 134.56.78.5/24, the wg server tells the client
that it’s destination is 123.45.67.1/30 for this link , and that gets of
course firewalled.
So reluctantly I opened up port 443 on the uplink interface to accomodate
this, erm, inconvenience.

on client side I have a config :

[Peer]
PublicKey = (hidden)
EndPoint = 134.56.78.5:443
AllowedIPs =  0.0.0.0/0

but when connection is established
wg show says :

peer: (hidden)
  endpoint: 123.34.56.1:443
  allowed ips: 10.0.0.0/8
  latest handshake: 36 seconds ago
  transfer: 468.40 MiB received, 17.88 MiB sent

but now of course, when the third interface eth2 will arrive, with another
subnet to another provider, my announced IP 134.56.78.5/24 may not be
altered by the path taken, otherwise the clients need to reconnect…

but I don’t know for sure… it seems to be a regression somewhere as I don’t
recall to have that problem before… I had to add this accept rule last
week, suddenly, as some peers could connect, but not transfer packets any
more.

Now I understand that wg finds it’s IP by following the shortest path, but
that is, in my case, counterproductive.
It should reply with the IP it was spoken to (here 134.56.78.5)

I think ;-)

Jan

On Thu, Aug 10, 2017 at 5:51 PM Jason A. Donenfeld <Jason at zx2c4.com> wrote:

Hey Jan,
>
> > When wireguard clients connect, their config shows their peer
> > to be the Uplink IP address instead of the IP on the Public
> > interface that was specifically assigned for wireguard (wgsrv)
>
> Do you mean to say that the _endpoint_ IP address of the WireGuard
> peer is an IP associated with Uplink instead of with Public? If this
> is the case, it might be some odd DNAT situation causing this to
> happen for you? The peer's endpoint IP address is simply the src IP of
> the most recently authenticated packet from the peer. It sounds like
> there's something odd in place causing the src IP to be wrong? But I
> can't think of how this would be WireGuard related. Unless I've
> misunderstood something?
>
> Jason
>
​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20170810/34f5157b/attachment-0001.html>

More information about the WireGuard mailing list