* Replies to incoming unicast from local network exits wrong interface
@ 2018-09-03 11:23 Gunnar Guðvarðarson
0 siblings, 0 replies; only message in thread
From: Gunnar Guðvarðarson @ 2018-09-03 11:23 UTC (permalink / raw)
To: wireguard
[-- Attachment #1: Type: text/plain, Size: 1074 bytes --]
Hey,
I've been debugging the problem, that when I ssh from my desktop to my
tunneled laptop's tunnel ip, the laptop receives it but replies to it over
the local broadcast domain, instead of over the tunnel interface.
I eventually tracked it down to this rule added by `wg-quick`:
32764: from all lookup main suppress_prefixlength 0
That rule means, use routing table `main` for all prefixes bigger than 0
bits (default route).
But the local network, is there, bigger than 0 bit mask, and gets
selected...
Even though the source ip is completely wrong!
So while the reply ends up on the connecting computer, it doesn't know it
should use the local broadcast domain to continue the conversation and
sends the next ACK packet to the default gateway, which drops it due to not
having seen a SYN-ACK (asymmetric routing).
Solutions?
Delete that IP-rule?
Add an exception rule if the source ip is the tunnel interface ip?
p.s. when i got ssh working, it works, sometimes, but sometimes i get
multi-second lagspikes. But i haven't debugged that at all yet.
~ Gunnar
[-- Attachment #2: Type: text/html, Size: 2378 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-09-03 11:09 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-03 11:23 Replies to incoming unicast from local network exits wrong interface Gunnar Guðvarðarson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).