+1 for binding only on specific IP

On 11/21/2017 02:21 PM, d tbsky wrote:
> Hi:
> I tested wireguard and the speed is amazing. But when I try to
> deploy it to our real linux firewall, I found it is hard to make it
> work.
>
> Our current linux firewall has multiple interfaces and multiple
> routing tables. Local programs get a lan ip address and are nat'd to the
> correct wan ip address when going to the internet.
>
> Since wireguard can not bind to a specific ip address, it sometimes
> uses the wrong ip address to reply and the vpn communication can not be
> established.
>
> For example:
>
> config for client site: (assume wan ip is 2.2.2.2)
>   interface: wg0
>   public key: ****
>   private key: (hidden)
>   listening port: 51820
>   peer: ****
>     endpoint: 1.1.1.1:51820
>     allowed ips: 0.0.0.0/0
>
> config for server site: (assume wan ip is 1.1.1.1)
>   interface: wg0
>   public key: ****
>   private key: (hidden)
>   listening port: 51820
>   peer: ****
>     allowed ips: 0.0.0.0/0
>
> When the client initially connects to the server, at the server site I saw flows like below:
> "cat /proc/net/nf_conntrack | grep 51820"
>
> ipv4 2 udp 17 23 src=172.18.1.254 dst=2.2.2.2 sport=51820 dport=51820 packets=1 bytes=120 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=1085 packets=0 bytes=0 mark=1 zone=0 use=2
> ipv4 2 udp 17 23 src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=51820 packets=1 bytes=176 [UNREPLIED] src=1.1.1.1 dst=2.2.2.2 sport=51820 dport=51820 packets=0 bytes=0 mark=1 zone=0 use=2
>
> So at first client 2.2.2.2:51820 connects to server 1.1.1.1:51820,
> but then the server uses 172.18.1.254 (lan ip address) to reply, and port 51820
> is nat'd to 1085, so the communication is broken.
>
> If wireguard can bind to a specific ip address then there will be no problem.
> Or if wireguard can reply with the correct ip address (eg: if the client
> connects to wireguard ip 1.1.1.1, then wireguard should reply via ip
> address 1.1.1.1) then maybe there will be no problem.
>
> Regards,
> tbskyd
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
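The symptom in the quoted conntrack output can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from WireGuard: it parses nf_conntrack entries and flags a peer whose inbound flow arrived at one local address while the locally originated flow back to it left from a different address, reporting what SNAT rewrote that reply to. The sample input is the two conntrack lines quoted above, embedded as constructed data; the port 51820 and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two conntrack entries quoted in the report above
# ("cat /proc/net/nf_conntrack | grep 51820" on the server site).
SAMPLE_CONNTRACK = """\
ipv4 2 udp 17 23 src=172.18.1.254 dst=2.2.2.2 sport=51820 dport=51820 packets=1 bytes=120 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=1085 packets=0 bytes=0 mark=1 zone=0 use=2
ipv4 2 udp 17 23 src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=51820 packets=1 bytes=176 [UNREPLIED] src=1.1.1.1 dst=2.2.2.2 sport=51820 dport=51820 packets=0 bytes=0 mark=1 zone=0 use=2
"""

# Each nf_conntrack line carries two 4-tuples: the original direction, then the
# reply direction (already rewritten by NAT, which is what exposes the SNAT).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


def parse_conntrack(text):
    """Return (proto, original_tuple, reply_tuple) for each parsable entry."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 3 or len(tuples) != 2:
            continue  # not an L4 entry in the layout we understand
        orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
        flows.append((fields[2], orig, reply))
    return flows


def find_wrong_source_replies(flows, wg_port):
    """Pair each inbound UDP flow to wg_port with the locally originated flow
    back to the same peer; flag it when the reply left from an address other
    than the one the peer contacted, and show where SNAT moved it to."""
    udp = [(o, r) for p, o, r in flows if p == "udp"]
    problems = []
    for in_o, _ in udp:
        if in_o.dport != wg_port:
            continue
        for out_o, out_r in udp:
            if out_o.dst == in_o.src and out_o.sport == wg_port and out_o.src != in_o.dst:
                problems.append({"peer": out_o.dst, "expected_src": in_o.dst,
                                 "actual_src": out_o.src, "nat_to": (out_r.dst, out_r.dport)})
    return problems


if __name__ == "__main__":
    for p in find_wrong_source_replies(parse_conntrack(SAMPLE_CONNTRACK), 51820):
        print(f"reply to {p['peer']} left from {p['actual_src']} instead of "
              f"{p['expected_src']}; SNAT rewrote it to {p['nat_to'][0]}:{p['nat_to'][1]}")
```

On a live firewall, feed it the real table (`conntrack -L` or `/proc/net/nf_conntrack`) and the listen port of the interface; an empty result means replies are leaving from the address the peer expects.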