Source IP incorrect on multi-homed systems

Nico Schottelius nico.schottelius at ungleich.ch
Sun Feb 19 12:13:58 UTC 2023


Hey Sebastian,

Sebastian Hyrwall <sh at keff.org> writes:

> It is kinda. It's been mentioned multiple times over the years but no one seems to want to fix it. At least you should be able to specify bind/src ip in the
> config. I gave up WG because of it. Wasn't accepted by my project's security policy since src ip could not be configured.
>
> There is an unofficial patch however,
>
> https://github.com/torvalds/linux/commit/5fa98082093344c86345f9f63305cae9d5f9f281

the binding is somewhat related to this issue and I was looking for that
feature some time ago, too. While it is correlated and I would really
appreciate binding support, I am not sure whether the linked patch does
actually fix the problem I am seeing on multi-homed devices.

As long as wireguard does not reply with the same IP address it was
contacted with, packets will get dropped on stateful firewalls, because
the returning packet does not match the state session database.

Best regards,

Nico

--
Sustainable and modern Infrastructures by ungleich.ch
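The drop that Nico describes above can be reproduced without any real firewall. The following is an added example, not code from the thread or from the WireGuard project: a minimal conntrack-style state table that admits a reply only when its 5-tuple is the exact reverse of a recorded outbound flow, plus a multi-homed peer whose reply source is either the address it was contacted on or its other address. All addresses and ports are constructed (RFC 5737 documentation ranges); the `StatefulFirewall`, `Packet` and `reply_source_for` names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A UDP/IP 5-tuple, enough for stateful matching (constructed model)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Conntrack-like state table in front of the WireGuard client.

    An outbound packet creates an entry keyed by its full 5-tuple. An inbound
    packet is accepted only if reversing its 5-tuple yields an existing entry;
    anything else is an unsolicited inbound packet and is dropped.
    """

    def __init__(self):
        self.state = set()

    def outbound(self, pkt: Packet) -> bool:
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # The reply must come FROM the address we sent TO, on the same ports.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.state


def reply_source_for(received: Packet) -> str:
    """The behaviour Nico asks for: answer from the address the request was
    sent to, so the reply matches the sender's firewall state (hypothetical
    helper, not WireGuard's own source selection)."""
    return received.dst


# Constructed topology: a client behind a stateful firewall and a
# multi-homed WireGuard peer that owns two public addresses.
CLIENT = "203.0.113.10"
PEER_PRIMARY = "198.51.100.1"     # address the client is configured to use
PEER_SECONDARY = "198.51.100.2"   # second interface on the same peer
WG_PORT = 51820


def simulate_handshake(reply_src: str) -> bool:
    """Return True if the peer's reply, sent from reply_src, passes the
    client's stateful firewall."""
    fw = StatefulFirewall()
    request = Packet("udp", CLIENT, WG_PORT, PEER_PRIMARY, WG_PORT)
    fw.outbound(request)
    # The peer replies to the client; only the source address varies.
    reply = Packet("udp", reply_src, WG_PORT, CLIENT, WG_PORT)
    return fw.inbound(reply)


def simulate_fixed_peer() -> bool:
    """Peer chooses its reply source with reply_source_for(); the reply
    then always matches the client's state entry."""
    fw = StatefulFirewall()
    request = Packet("udp", CLIENT, WG_PORT, PEER_PRIMARY, WG_PORT)
    fw.outbound(request)
    reply = Packet("udp", reply_source_for(request), WG_PORT, CLIENT, WG_PORT)
    return fw.inbound(reply)


if __name__ == "__main__":
    print("reply from primary   :", "accepted" if simulate_handshake(PEER_PRIMARY) else "dropped")
    print("reply from secondary :", "accepted" if simulate_handshake(PEER_SECONDARY) else "dropped")
    print("reply via fixed peer :", "accepted" if simulate_fixed_peer() else "dropped")
```

The second case is the failure from the thread: the peer's secondary address was never part of the client's outbound flow, so the firewall has no matching entry and silently drops the handshake response. On a real host the same mismatch shows up as outbound handshake initiations with no response arriving at the WireGuard interface, while a packet capture on the peer side shows replies leaving from the other interface's address.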
