WireGuard Archive on lore.kernel.org
* Wireguard using wrong source IP and confusing NAT devices
@ 2019-10-01 14:53 Martin Wagner
  0 siblings, 0 replies; only message in thread
From: Martin Wagner @ 2019-10-01 14:53 UTC (permalink / raw)
  To: wireguard


One of my servers has two IPv4 addresses. When I try to connect to the
one that isn't configured as the default route, WireGuard is still
responding on the other IP, which is causing my NAT to drop the response.
If I change the Endpoint= in the client config to the default IP of the
server, everything works fine.

Is this the expected behavior?

Traffic captured on the server:

    1 0.000000000 client_ip → server_ip_1  WireGuard 190 Handshake Initiation, sender=0xF493E197
    2 0.000693930  server_ip_2 → client_ip WireGuard 134 Handshake Response, sender=0x5A3B09B6, receiver=0xF493E197
    3 5.119191567 client_ip → server_ip_1  WireGuard 190 Handshake Initiation, sender=0x4064907A
    4 5.119838133  server_ip_2 → client_ip WireGuard 134 Handshake Response, sender=0xCAB5E13D, receiver=0x4064907A

Traffic captured on the client:

    1 0.000000000   nat_ip → server_ip_1  WireGuard 176 Handshake Initiation, sender=0xBC6FCC0F
    2 5.116674624   nat_ip → server_ip_1  WireGuard 176 Handshake Initiation, sender=0x87E999EA
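
Added example, not part of the original message: a Python check over the two captures above that pairs each Handshake Response with its Initiation by index and reports responses whose source address differs from the address the initiation was sent to. The function name `audit_handshakes` and the one-packet-per-line summary format (as printed in the post, with wrapped lines rejoined) are assumptions.

```python
import re

# Constructed input: the two captures from the post with the mail-wrapped
# lines rejoined; client_ip, nat_ip, server_ip_* are the post's placeholders.
SERVER_CAPTURE = """\
    1 0.000000000 client_ip → server_ip_1  WireGuard 190 Handshake Initiation, sender=0xF493E197
    2 0.000693930  server_ip_2 → client_ip WireGuard 134 Handshake Response, sender=0x5A3B09B6, receiver=0xF493E197
    3 5.119191567 client_ip → server_ip_1  WireGuard 190 Handshake Initiation, sender=0x4064907A
    4 5.119838133  server_ip_2 → client_ip WireGuard 134 Handshake Response, sender=0xCAB5E13D, receiver=0x4064907A
"""
CLIENT_CAPTURE = """\
    1 0.000000000   nat_ip → server_ip_1  WireGuard 176 Handshake Initiation, sender=0xBC6FCC0F
    2 5.116674624   nat_ip → server_ip_1  WireGuard 176 Handshake Initiation, sender=0x87E999EA
"""

LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)\s+"
    r"WireGuard\s+\d+\s+Handshake\s+(?P<kind>Initiation|Response),\s+"
    r"sender=(?P<sender>0x[0-9A-Fa-f]+)(?:,\s+receiver=(?P<receiver>0x[0-9A-Fa-f]+))?"
)

def audit_handshakes(capture):
    """Pair each Response with its Initiation (response.receiver equals
    initiation.sender). Returns (mismatches, unanswered): responses sent from
    an address other than the one the initiation targeted, and the frame
    numbers of initiations with no response in the capture."""
    pending = {}      # initiation sender index -> (frame number, destination)
    mismatches = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a WireGuard handshake summary line
        if m["kind"] == "Initiation":
            pending[m["sender"].lower()] = (int(m["no"]), m["dst"])
        elif m["receiver"] and m["receiver"].lower() in pending:
            init_no, init_dst = pending.pop(m["receiver"].lower())
            if m["src"] != init_dst:
                mismatches.append({"initiation_frame": init_no,
                                   "response_frame": int(m["no"]),
                                   "expected_src": init_dst,
                                   "actual_src": m["src"]})
    unanswered = sorted(no for no, _ in pending.values())
    return mismatches, unanswered

if __name__ == "__main__":
    for name, cap in (("server", SERVER_CAPTURE), ("client", CLIENT_CAPTURE)):
        mismatches, unanswered = audit_handshakes(cap)
        print(name, "mismatched responses:", mismatches)
        print(name, "unanswered initiation frames:", unanswered)
```
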


