WireGuard Archive on lore.kernel.org
* Replies to incoming unicast from local network exits wrong interface
@ 2018-09-03 11:23 Gunnar Guðvarðarson
From: Gunnar Guðvarðarson @ 2018-09-03 11:23 UTC (permalink / raw)
  To: wireguard

Hey,

I've been debugging the problem that when I ssh from my desktop to my
tunneled laptop's tunnel IP, the laptop receives it but replies to it over
the local broadcast domain instead of over the tunnel interface.

I eventually tracked it down to this rule added by `wg-quick`:

    32764:  from all lookup main suppress_prefixlength 0

That rule means: use routing table `main` for all prefixes bigger than 0
bits (the default route).

But the local network is there, with a mask bigger than 0 bits, and gets
selected...

Even though the source IP is completely wrong!
So while the reply ends up on the connecting computer, it doesn't know it
should use the local broadcast domain to continue the conversation and
sends the next ACK packet to the default gateway, which drops it due to not
having seen a SYN-ACK (asymmetric routing).

Solutions?

Delete that IP rule?
Add an exception rule if the source IP is the tunnel interface IP?

P.S. When I got ssh working, it works, sometimes, but sometimes I get
multi-second lag spikes. But I haven't debugged that at all yet.

~ Gunnar
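As an added illustration (not part of Gunnar's message or of wg-quick), here is a small Python model of the Linux policy-routing lookup that shows why the `suppress_prefixlength 0` rule picks the LAN route for a reply sourced from the tunnel IP, and what the proposed "exception rule for the tunnel source IP" changes. The topology (eth0 on 192.168.1.0/24, tunnel IP 10.0.0.2 on wg0, desktop at 192.168.1.10, wg-quick table 51820) is constructed for the example.

```python
import ipaddress

# Constructed topology (assumption, not from the mail): the laptop has
# eth0 on 192.168.1.0/24 and wg0 with tunnel IP 10.0.0.2; the desktop that
# ssh'es in is 192.168.1.10 on the same LAN. Table 51820 stands in for the
# wg-quick table, whose only entry is a default route over wg0.
TUNNEL_IP = "10.0.0.2"
DESKTOP_IP = "192.168.1.10"
TABLES = {
    "main": [("192.168.1.0/24", "eth0"), ("10.0.0.0/24", "wg0"), ("0.0.0.0/0", "eth0")],
    "51820": [("0.0.0.0/0", "wg0")],
}

def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, device) or None."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best

def route(rules, src, dst):
    """Walk ip-rule entries in priority order the way the kernel does,
    including the 'suppress_prefixlength N' semantics; returns the egress device."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if "from" in rule and src not in ipaddress.ip_network(rule["from"]):
            continue
        hit = lookup(rule["table"], dst)
        if hit is None:
            continue
        # suppress_prefixlength: a match no more specific than N is discarded
        # and evaluation falls through to the next rule (kernel default -1 = off).
        if hit[0] <= rule.get("suppress_prefixlength", -1):
            continue
        return hit[1]
    return None

# The rule pair wg-quick installs, simplified (the fwmark selector is dropped
# because a locally generated reply carries no mark in this scenario).
WG_QUICK_RULES = [
    {"prio": 32764, "table": "main", "suppress_prefixlength": 0},
    {"prio": 32765, "table": "51820"},
]
# The exception rule floated in the mail: packets sourced from the tunnel IP
# consult the tunnel table before the main-table rule gets a chance.
FIXED_RULES = [{"prio": 32763, "from": TUNNEL_IP + "/32", "table": "51820"}] + WG_QUICK_RULES

if __name__ == "__main__":
    print("wg-quick rules:", route(WG_QUICK_RULES, TUNNEL_IP, DESKTOP_IP))  # eth0
    print("with exception:", route(FIXED_RULES, TUNNEL_IP, DESKTOP_IP))    # wg0
```

Note that the exception rule leaves ordinary traffic alone: a packet sourced from the laptop's LAN address still takes eth0 to the desktop and still gets pushed through the tunnel for the default route.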
