Replies to incoming unicast from local network exits wrong interface

Gunnar Guðvarðarson gunnar at
Mon Sep 3 13:23:33 CEST 2018


I've been debugging the problem, that when I ssh from my desktop to my
tunneled laptop's tunnel ip, the laptop receives it but replies to it over
the local broadcast domain, instead of over the tunnel interface.

I eventually tracked it down to this rule added by `wg-quick`:

    32764:  from all lookup main suppress_prefixlength 0

That rule means, use routing table `main` for all prefixes bigger than 0
bits (default route).

But the local network, is there, bigger than 0 bit mask, and gets

Even though the source ip is completely wrong!
So while the reply ends up on the connecting computer, it doesn't know it
should use the local broadcast domain to continue the conversation and
sends the next ACK packet to the default gateway, which drops it due to not
having seen a SYN-ACK (asymmetric routing).


Delete that IP-rule?
Add an exception rule if the source ip is the tunnel interface ip?

p.s. when i got ssh working, it works, sometimes, but sometimes i get
multi-second lagspikes. But i haven't debugged that at all yet.

~ Gunnar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the WireGuard mailing list