From: Diyaa Alkanakre <diyaa@diyaa.ca>
To: Nico Schottelius <nico.schottelius@ungleich.ch>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Wireguard uses incorrect interface - routing issue
Date: Fri, 21 Jun 2024 16:42:02 +0200 (CEST) [thread overview]
Message-ID: <O-vEobT--3-9@diyaa.ca> (raw)
In-Reply-To: <878qyyim5k.fsf@ungleich.ch>
The better approach would be to exclude the IPs from your WireGuard AllowedIPs. I always exclude IPs if I can before doing policy based routing.
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
Jun 21, 2024, 5:15 AM by nico.schottelius@ungleich.ch:
>
> Hello again,
>
> I'm sorry to flood the mailing list with wireguard bugs, but it seems
> there is yet another routing bug in wireguard - happy to be wrong, but
> here are my findings:
>
> a) system has source based routing on via ip rule:
>
> [11:07] server141.place10:~# ip rule ls
> 0: from all lookup local
> 32765: from 192.168.1.0/24 lookup 42
> 32766: from all lookup main
> 32767: from all lookup default
> [11:07] server141.place10:~# ip route sh table 42
> 194.5.220.0/24 via 192.168.1.254 dev eth1 proto bird metric 32
> 194.187.90.23 via 192.168.1.254 dev eth1 proto bird metric 32
> 212.103.65.231 via 192.168.1.254 dev eth1 proto bird metric 32
> [11:08] server141.place10:~#
>
> This should ensure that packets towards 194.187.90.23 travel via eth1.
>
> b) tcpdump for verification
>
> Using "tcpdump -ni any port 4000" I observe:
>
> 11:10:22.445638 eth0 Out IP 192.168.1.149.58591 > 194.187.90.23.4000: UDP, length 148
> 11:10:27.447026 eth0 Out IP 192.168.1.149.58591 > 194.187.90.23.4000: UDP, length 148
> 11:10:32.448329 eth0 Out IP 192.168.1.149.58591 > 194.187.90.23.4000: UDP, length 148
> 11:10:37.449719 eth0 Out IP 192.168.1.149.58591 > 194.187.90.23.4000: UDP, length 148
>
> c) Route in main table
>
> There is indeed a route in the main routing table that matches, too:
>
> [11:08] server141.place10:~# ip r get 194.187.90.23
> 194.187.90.23 via 10.5.2.123 dev eth0 src 192.168.1.149 uid 0
> cache
>
> d) ip rule not working (?)
>
> So from what I can observe it is that ip rule does not work together
> with wireguard / wireguard routing takes the route from main fib instead
> of from the separate table.
>
> I am not sure if this is related at all to the IP address binding bug,
> but it appears in a similar context from our tests.
>
> BR,
>
> Nico
>
> --
> Sustainable and modern Infrastructures by ungleich.ch
>
next prev parent reply other threads:[~2024-06-21 14:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-21 11:13 Wireguard uses incorrect interface - routing issue Nico Schottelius
2024-06-21 11:24 ` Nico Schottelius
2024-06-21 12:29 ` Daniel Gröber
2024-06-21 13:54 ` Stephan von Krawczynski
2024-06-22 9:22 ` Nico Schottelius
2024-06-21 14:42 ` Diyaa Alkanakre [this message]
2024-06-21 15:18 ` Daniel Gröber
2024-06-21 15:38 ` Nico Schottelius
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=O-vEobT--3-9@diyaa.ca \
--to=diyaa@diyaa.ca \
--cc=nico.schottelius@ungleich.ch \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.