Wg source address is too sticky for multihomed systems aka multiple endpoints redux

Nico Schottelius nico.schottelius at ungleich.ch
Fri Jul 21 07:31:33 UTC 2023

Good morning,

Daniel Gröber <dxld at darkboxed.org> writes:
> [...]
> I have a multihomed router [...]

following up the thread from February, we migrated away from wireguard
to openvpn on systems that are multi-homed.

The main reason for that is that the following type of connection fails
to work with high probability:

1) device -> [NAT/FIREWALL] -> multi homed server [IP A]
2) multi homed server [IP B] -- blocked by firewall as it does not match
table entry

This always happens when the server has an asymmetric route back to
the originating device, which really depends on the routing tables
or routing policy present on the multi-homed server.

I'm a big fan of simplicity, but without an equivalent of openvpn's
"local" statement, wireguard is deemed to be unusable in many network

Best regards,


Sustainable and modern Infrastructures by ungleich.ch
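The failure mode described in the message above, as an added illustration that is not code from the mailing-list thread or from the WireGuard project: a stateful NAT/firewall in front of the device keeps a table of outbound 5-tuples and only admits inbound packets whose reverse tuple matches. If the multi-homed server's route lookup picks its other address (IP B) as the source of the reply, there is no matching entry and the reply is dropped. The second half models one mitigation that the message alludes to with "routing policy": per-source-address routing tables, so the reply leaves from the address the request arrived at. All addresses, ports and routing tables here are constructed sample values.

```python
"""Why a multi-homed server's reply can be dropped by a stateful firewall.

Added illustration (not from the thread). Models conntrack-style reverse
tuple matching and a simplified source-address choice on the server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

    def reverse(self) -> "Packet":
        """The tuple a reply to this packet must carry."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class StatefulFirewall:
    """Admits outbound flows; admits inbound only for an exact reverse tuple."""

    def __init__(self) -> None:
        self._table: set[Packet] = set()

    def outbound(self, pkt: Packet) -> bool:
        self._table.add(pkt)
        return True

    def inbound(self, pkt: Packet) -> bool:
        return pkt.reverse() in self._table


# Constructed sample addresses (documentation ranges).
DEVICE = "192.0.2.5"          # client behind the NAT/firewall
SERVER_A = "198.51.100.10"    # server address the client connects to
SERVER_B = "203.0.113.10"     # server's second uplink address
WG_PORT = 51820

# Constructed routing model: the main table's default route leaves via the
# B uplink (asymmetric return path); per-source tables pin each address to
# its own uplink, as `ip rule add from <addr> lookup <table>` would.
MAIN_TABLE = {"default": SERVER_B}
PER_SOURCE_TABLES = {
    SERVER_A: {"default": SERVER_A},
    SERVER_B: {"default": SERVER_B},
}


def pick_reply_source(ingress_ip: str, policy_routing: bool) -> str:
    """Source address the server uses for its reply.

    Without policy routing the choice follows the main table regardless of
    where the request arrived; with it, the per-source table is consulted.
    """
    table = PER_SOURCE_TABLES[ingress_ip] if policy_routing else MAIN_TABLE
    return table["default"]


def reply_delivered(reply_src: str) -> bool:
    """True if the server's reply passes the client-side stateful firewall."""
    fw = StatefulFirewall()
    request = Packet(DEVICE, 40000, SERVER_A, WG_PORT)
    fw.outbound(request)
    reply = Packet(reply_src, WG_PORT, DEVICE, 40000)
    return fw.inbound(reply)


def scenario(policy_routing: bool) -> bool:
    """Run the exchange from the message: device -> [A], server replies."""
    return reply_delivered(pick_reply_source(SERVER_A, policy_routing))


if __name__ == "__main__":
    for mode in (False, True):
        print(f"policy routing={mode}: reply source "
              f"{pick_reply_source(SERVER_A, mode)}, delivered={scenario(mode)}")
```

The `policy_routing=False` branch is the asymmetric case the message describes: the request arrives at IP A but the main table sends the reply out via B, so the firewall's table has no matching entry. Pinning replies to the ingress address (the per-source tables) is one way a multi-homed host avoids this; it is a property of the host's routing configuration rather than of the tunnel software.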
