Policy routed packets are dropped by wireguard
Eugene
eugene at bright.gdn
Sun Sep 15 01:59:43 CEST 2019
Hello!
I'm looking for technical advice.
Currently I'm trying to pass marked sessions through a WireGuard VPN network.
Marking is done by cgroups classid matching:
> iptables -A OUTPUT -m cgroup --cgroup 3735928559 -j MARK --set-xmark 0x1c3/0xffffffff
The only route in the `vpn` table is default routing through wg0:
> ip route add default dev wg0 table vpn
Routing rule is pretty simple:
> ip rule add fwmark 451 table vpn
Now I pass some packets on the interface:
> cgexec -g net_cls:vpn ping 10.0.1.1
I see packets reaching the interface but being dropped in the driver:
> tcpdump -i wg0 host 10.0.1.1
> ...
> 6 packets dropped by interface
The value in the 4th column (TX drop) of `/proc/net/dev` is increasing for wg0.
If I add a route to the default routing table and ping without assigning a cgroup to the process, then all is perfectly fine.
> ip route add 10.0.1.0/24 dev wg0
> ping 10.0.1.1
> PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
> 64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=46.1 ms
Is it some kind of a bug or misconfiguration?
> uname -r
> 5.2.1-gentoo
Installed Gentoo package atom.
> =net-vpn/wireguard-0.0.20190913
Thanks for any help!
--
Eugene Bright
IT engineer
Tel: + 79257289622
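The TX drop observation in the post can be measured rather than eyeballed. The script below is an added example, not part of the original post: it reads the drop counter from the Transmit group of a `/proc/net/dev`-format file and reports its growth between two snapshots. The function names and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# tx_drop IFACE [FILE]: print the transmit "drop" counter for IFACE.
# FILE defaults to /proc/net/dev; exit status 1 if IFACE is not listed.
tx_drop() {
    awk -v ifc="$1" '
        NR <= 2 { next }              # skip the two header lines
        {
            sub(/:/, " ")             # the name may be glued to the first counter
            # $1 = name, $2-$9 = 8 RX counters, $10-$17 = 8 TX counters
            # (bytes packets errs drop ...), so TX drop is $13
            if ($1 == ifc) { print $13; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "${2:-/proc/net/dev}"
}

# tx_drop_delta IFACE BEFORE AFTER: growth of the counter between two snapshots.
tx_drop_delta() {
    before=$(tx_drop "$1" "$2") || return 1
    after=$(tx_drop "$1" "$3") || return 1
    echo $((after - before))
}

# write_sample FILE WG0_TX_DROP: constructed snapshot in /proc/net/dev layout.
write_sample() {
    cat > "$1" <<EOF
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    8400     100    0    0    0     0          0         0     8400     100    0    0    0     0       0          0
   wg0:       0       0    0    3    0     0          0         0        0       0    0   $2    0     0       0          0
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir/before" 2
    write_sample "$dir/after" 8
    echo "wg0 TX drop grew by $(tx_drop_delta wg0 "$dir/before" "$dir/after")"
    rm -rf "$dir"
}
demo
```

On a live system, copy `/proc/net/dev` to a file before and after the `cgexec -g net_cls:vpn ping 10.0.1.1` run and pass both files to `tx_drop_delta wg0`. A delta equal to the number of pings sent ties the drops to the marked traffic rather than to other flows on the interface.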