Responses send by wireguard always use the default route

Dominik Sander mail at
Wed Dec 30 18:41:56 CET 2020


I would like to confirm if the behavior I am seeing is intended or if my
use case should be supported without additional configuration.

When wireguard is configured on a server that has multiple network
interfaces the response is always send through the route with the lowest
metric, even when the connection was initiated via a different interface.

The Wireguard server is exposed via my router, port 13377 is forwarded
to, the peer is connecting via an external IP:

# ip route
default via dev eth1 proto dhcp src metric 50
default via dev eth0 proto dhcp src metric 100 dev eth1 proto kernel scope link src metric 50 dev eth1 proto dhcp scope link src metric 50 dev eth0 proto kernel scope link src metric 100 dev eth0 proto dhcp scope link src metric 100

# tcpdump -i any -vn "(host or src port 13377 or dst port 13377)"
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:13:08.767409 IP (tos 0x0, ttl 50, id 12125, offset 0, flags [none], proto UDP (17), length 176) > UDP, length 148
14:13:08.768076 IP (tos 0x88, ttl 64, id 180, offset 0, flags [none], proto UDP (17), length 120) > UDP, length 92

Because the response is send from the "wrong" IP address the router does not know
how to forward it and the client never is properly connected.

I was wondering if the IP/interface of the request could also be used for the response,
to remove the need for policy based routing or iptable rules.

The actual use case is wireguard on a OpenWRT router which has multiple WAN interfaces.
The WAN with the lowest metric is not the interface that should be used for wireguard
because it has better download speed, the wireguard WAN has better upload speed.

Fore reference a thread discussing the problem on GitHub [1] and on the OpenWRT Forum [2].

Thanks for creating/working on wireguard!

Kind regards,



More information about the WireGuard mailing list