Source IP incorrect on multi homed systems

Nico Schottelius nico.schottelius at ungleich.ch
Sun Feb 19 12:04:39 UTC 2023


Hello Mikma,

Mikma <mikma.wg at lists.m7n.se> writes:

> Have you tried setting the preferred src address of the route(s) to the addresses you desire?
>
> From "man ip":
>
>> src ADDRESS the source address to prefer when sending to the destinations covered by the route prefix.

Unfortunately this does not solve the problem. The expected behaviour of
wireguard is to reply with the same IP address, like nginx and the
kernel ICMP handler do, not with the IP address of a route-based outgoing interface.

In a BGP based environment the route can vary dynamically, and I showed a
stripped down version to make it easier to understand. In practice,
many of our systems have 4-7 different upstreams, and the packet can come
in on any interface and should leave the machine on the currently correct
interface depending on the route import.

In no case, however, should wireguard change the response address,
because this breaks stateful firewalls.

As demonstrated in my last email, both the in-kernel ICMP handler as
well as user space applications like nginx behave correctly on the same
machine.

I briefly checked the wireguard source code and I did not immediately
spot the network handling part that sets the source IP, so I am
wondering if this bug is due to wireguard not handling it at all?

Best regards,

Nico

--
Sustainable and modern Infrastructures by ungleich.ch
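The behaviour the mail asks for, a UDP responder on a multi-homed Linux host answering from the exact address the request was sent to rather than from the routing table's preferred source, can be shown with IP_PKTINFO. The following is an added example written for this page; it is not WireGuard code and not from the original mail. It assumes Linux (struct in_pktinfo layout and the IP_PKTINFO constant, taken as 8 where Python does not export it), and the loopback demo relies on 127.0.0.1 and 127.0.0.2 both being local, which they are with the default 127.0.0.0/8 on lo.

```python
"""Reply to a UDP datagram from the address it arrived on (Linux, IPv4).

Added example, not WireGuard's or the mail author's code. A socket bound to
0.0.0.0 that answers with plain sendto() gets its source address from the
route to the peer; recvmsg() with IP_PKTINFO tells us the destination address
of the request, and sendmsg() with IP_PKTINFO pins it as the reply source.
"""
import socket
import struct

# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
IN_PKTINFO = struct.Struct("=i4s4s")
# Linux constant; assume value 8 on Python builds that do not export it.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)


def encode_pktinfo(ifindex, spec_dst, addr):
    """Build one IP_PKTINFO control message as a (level, type, data) tuple."""
    data = IN_PKTINFO.pack(ifindex, socket.inet_aton(spec_dst), socket.inet_aton(addr))
    return (socket.IPPROTO_IP, IP_PKTINFO, data)


def parse_pktinfo(ancdata):
    """Return (ifindex, spec_dst, dst) from recvmsg() ancillary data, or None.

    On receive, ipi_addr is the destination address from the IP header, i.e.
    the local address the client actually talked to; ipi_spec_dst is the
    routing table's preferred local address for that destination."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, spec_dst, addr = IN_PKTINFO.unpack(data[:IN_PKTINFO.size])
            return ifindex, socket.inet_ntoa(spec_dst), socket.inet_ntoa(addr)
    return None


def build_pktinfo(src_ip):
    """Control message for sendmsg(): pin the source address, let routing pick the interface."""
    # On send the kernel reads ipi_spec_dst as the source address; ipi_addr is ignored.
    return encode_pktinfo(0, src_ip, "0.0.0.0")


def reply_from_arrival_address(sock, payload, peer, ancdata):
    """Send payload to peer with the address the request arrived on as source."""
    info = parse_pktinfo(ancdata)
    if info is None:  # no pktinfo available: fall back to the routing-chosen source
        sock.sendto(payload, peer)
        return None
    _ifindex, _spec_dst, arrival_addr = info
    sock.sendmsg([payload], [build_pktinfo(arrival_addr)], 0, peer)
    return arrival_addr


def loopback_demo():
    """Constructed check: server bound to 0.0.0.0, client sends to 127.0.0.2.

    Returns the reply source the client sees for a plain sendto() reply and
    for the IP_PKTINFO reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind(("0.0.0.0", 0))
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind(("127.0.0.1", 0))
    seen = {}
    for mode in ("sendto", "pktinfo"):
        cli.sendto(b"ping", ("127.0.0.2", port))
        payload, ancdata, _flags, peer = srv.recvmsg(64, socket.CMSG_SPACE(IN_PKTINFO.size))
        if mode == "sendto":
            srv.sendto(payload, peer)  # source picked by the route to the peer
        else:
            reply_from_arrival_address(srv, payload, peer, ancdata)
        _reply, (reply_src, _port) = cli.recvfrom(64)
        seen[mode] = reply_src
    srv.close()
    cli.close()
    return seen


if __name__ == "__main__":
    print(loopback_demo())
```

Run on a Linux host, the demo reports the sendto() reply arriving from 127.0.0.1 (the route's preferred source) and the IP_PKTINFO reply arriving from 127.0.0.2 (the address the client sent to), which is the difference a stateful firewall in front of the peer would notice. The same pattern applies to IPv6 with IPV6_RECVPKTINFO / IPV6_PKTINFO and struct in6_pktinfo.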

