Responses send by wireguard always use the default route

Dominik Sander mail at dsander.de
Wed Dec 30 18:41:56 CET 2020 

Hi!

I would like to confirm if the behavior I am seeing is intended or if my
use case should be supported without additional configuration.

When wireguard is configured on a server that has multiple network
interfaces the response is always send through the route with the lowest
metric, even when the connection was initiated via a different interface.

The Wireguard server is exposed via my router, port 13377 is forwarded
to 192.168.1.246, the peer is connecting via an external IP:

# ip route
default via 10.0.0.1 dev eth1 proto dhcp src 10.0.0.171 metric 50
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.246 metric 100
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.171 metric 50
10.0.0.1 dev eth1 proto dhcp scope link src 10.0.0.171 metric 50
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.246 metric 100
192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.246 metric 100

# tcpdump -i any -vn "(host 80.xxx.xxx.xxx or src port 13377 or dst port 13377)"
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:13:08.767409 IP (tos 0x0, ttl 50, id 12125, offset 0, flags [none], proto UDP (17), length 176)
    80.xxx.xxx.xxx.17819 > 192.168.1.246.13377: UDP, length 148
14:13:08.768076 IP (tos 0x88, ttl 64, id 180, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.171.13377 > .xxx.xxx.xxx.17819: UDP, length 92

Because the response is send from the "wrong" IP address the router does not know
how to forward it and the client never is properly connected.

I was wondering if the IP/interface of the request could also be used for the response,
to remove the need for policy based routing or iptable rules.

The actual use case is wireguard on a OpenWRT router which has multiple WAN interfaces.
The WAN with the lowest metric is not the interface that should be used for wireguard
because it has better download speed, the wireguard WAN has better upload speed.

Fore reference a thread discussing the problem on GitHub [1] and on the OpenWRT Forum [2].

Thanks for creating/working on wireguard!

Kind regards,

Dominik

[1] https://github.com/openwrt/packages/issues/9538
[2] https://forum.openwrt.org/t/wireguard-server-can-only-successfully-be-used-via-one-wan-interface/83374

More information about the WireGuard mailing list