From: d tbsky <tbskyd@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: multi-home difficulty
Date: Tue, 21 Nov 2017 21:21:49 +0800
Message-ID: <CAC6SzH+Q-1SRVXOoScGhXWraOLdp9_Rud6cMbQ95a51r=eRWTw@mail.gmail.com>
Hi:
I tested WireGuard and the speed is amazing. But when I tried to
deploy it to our real Linux firewall, I found it is hard to make it
work.
Our current Linux firewall has multiple interfaces and multiple
routing tables. Local programs get a LAN IP address and are NATed to the
correct WAN IP address when going to the internet.
Since WireGuard cannot bind to a specific IP address, it sometimes
uses the wrong IP address to reply and the VPN communication cannot be
established.
For example:
Config for client site (assume WAN IP is 2.2.2.2):
interface: wg0
public key: ****
private key: (hidden)
listening port: 51820
peer: ****
endpoint: 1.1.1.1:51820
allowed ips: 0.0.0.0/0
Config for server site (assume WAN IP is 1.1.1.1):
interface: wg0
public key: ****
private key: (hidden)
listening port: 51820
peer: ****
allowed ips: 0.0.0.0/0
When the client initially connects to the server, at the server site I see flows like below:
"cat /proc/net/nf_conntrack | grep 51820"
ipv4 2 udp 17 23 src=172.18.1.254 dst=2.2.2.2 sport=51820
dport=51820 packets=1 bytes=120 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1
sport=51820 dport=1085 packets=0 bytes=0 mark=1 zone=0 use=2
ipv4 2 udp 17 23 src=2.2.2.2 dst=1.1.1.1 sport=51820
dport=51820 packets=1 bytes=176 [UNREPLIED] src=1.1.1.1 dst=2.2.2.2
sport=51820 dport=51820 packets=0 bytes=0 mark=1 zone=0 use=2
So at first the client 2.2.2.2:51820 connects to the server 1.1.1.1:51820,
but then the server uses 172.18.1.254 (LAN IP address) to reply, and the 51820
port is NATed to 1085, so the communication is broken.
If WireGuard could bind to a specific IP address, there would be no problem.
Or if WireGuard could reply with the correct IP address (e.g. if the client
connects to WireGuard IP 1.1.1.1, then WireGuard should reply via IP
address 1.1.1.1), then maybe there would be no problem.
Regards,
tbskyd
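The symptom described in this message is visible in the conntrack table itself: for a flow that left the host without NAT, the reply tuple's destination equals the original tuple's source and the reply's dport equals the original's sport; when the reply tuple differs, the firewall rewrote the source address or port of the locally originated packet. The following is an added example (not code from the original post or from the WireGuard project) that parses nf_conntrack lines and flags exactly that mismatch for a given UDP port. The sample input is the two entries quoted above, rejoined onto one line each because the mail client wrapped them; the function and variable names are this example's own.

```python
import re

# Constructed sample: the two nf_conntrack entries quoted in the message,
# each rejoined onto a single line.
SAMPLE_CONNTRACK = """\
ipv4 2 udp 17 23 src=172.18.1.254 dst=2.2.2.2 sport=51820 dport=51820 packets=1 bytes=120 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=1085 packets=0 bytes=0 mark=1 zone=0 use=2
ipv4 2 udp 17 23 src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=51820 packets=1 bytes=176 [UNREPLIED] src=1.1.1.1 dst=2.2.2.2 sport=51820 dport=51820 packets=0 bytes=0 mark=1 zone=0 use=2
"""

# One 4-tuple as printed by nf_conntrack; the first match on a line is the
# original direction, the second is the reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Return ((src, dst, sport, dport), (src, dst, sport, dport)) for the
    original and reply directions, or None if the line has no two tuples."""
    found = TUPLE_RE.findall(line)
    if len(found) != 2:
        return None
    orig = (found[0][0], found[0][1], int(found[0][2]), int(found[0][3]))
    reply = (found[1][0], found[1][1], int(found[1][2]), int(found[1][3]))
    return orig, reply


def find_snat_flows(conntrack_text, port):
    """Return UDP flows involving `port` whose reply tuple shows the original
    source was rewritten (source NAT). Without NAT, reply.dst == orig.src and
    reply.dport == orig.sport; any difference means the kernel rewrote the
    locally chosen source address or port on the way out."""
    hits = []
    for line in conntrack_text.splitlines():
        if " udp " not in line:
            continue
        parsed = parse_entry(line)
        if parsed is None:
            continue
        orig, reply = parsed
        if port not in (orig[2], orig[3]):
            continue
        if reply[1] != orig[0] or reply[3] != orig[2]:
            hits.append({
                "local_source": f"{orig[0]}:{orig[2]}",   # what the socket sent from
                "seen_by_peer": f"{reply[1]}:{reply[3]}",  # what left the WAN side
                "peer": f"{orig[1]}:{orig[3]}",
            })
    return hits


if __name__ == "__main__":
    for hit in find_snat_flows(SAMPLE_CONNTRACK, 51820):
        print(f"reply to {hit['peer']} sent from {hit['local_source']}, "
              f"NATed to {hit['seen_by_peer']}")
```

Run against a live box with `find_snat_flows(open("/proc/net/nf_conntrack").read(), 51820)`. A hit for the WireGuard port means the tunnel's replies are leaving from a different address or port than the peer sent its handshake to, which is the failure the message describes; the two remedies the author proposes (binding the socket to the WAN address, or replying from the address the initiation arrived on) would both make the reply tuple match the original one and produce no hits.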
Thread overview:
2017-11-21 13:21 d tbsky [this message]
2017-11-21 13:32 ` multi-home difficulty Tomas Herceg
2017-11-21 14:15 ` Jason A. Donenfeld
2017-11-21 14:35 ` d tbsky
2017-11-22 23:35 ` Jason A. Donenfeld
2017-11-23 17:06 ` d tbsky
2017-11-29 11:05 ` d tbsky
2017-11-29 13:13 ` Jason A. Donenfeld
2017-11-29 13:51 ` Jason A. Donenfeld
2017-11-29 14:08 ` d tbsky
2017-11-29 14:10 ` Jason A. Donenfeld
2017-11-29 14:16 ` d tbsky
2017-11-29 14:49 ` Jason A. Donenfeld
2017-11-30 6:15 ` d tbsky
2017-11-30 6:22 ` d tbsky
2017-11-30 6:30 ` d tbsky
2017-12-01 7:44 ` d tbsky
2017-12-03 17:45 ` d tbsky