From: Gunnar Guðvarðarson
Date: Mon, 3 Sep 2018 11:23:33 +0000
Subject: Replies to incoming unicast from local network exits wrong interface
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Hey,

I've been debugging the problem that, when I ssh from my desktop to my tunneled laptop's tunnel IP, the laptop receives it but replies to it over the local broadcast domain instead of over the tunnel interface.

I eventually tracked it down to this rule added by `wg-quick`:

    32764: from all lookup main suppress_prefixlength 0

That rule means: use routing table `main` for all prefixes bigger than 0 bits (default route).

But the local network is there, with a mask bigger than 0 bits, and gets selected... Even though the source IP is completely wrong!

So while the reply ends up on the connecting computer, it doesn't know it should use the local broadcast domain to continue the conversation and sends the next ACK packet to the default gateway, which drops it due to not having seen a SYN-ACK (asymmetric routing).

Solutions?

Delete that IP rule?
Add an exception rule if the source IP is the tunnel interface IP?

p.s. When I got ssh working, it works, sometimes, but sometimes I get multi-second lag spikes. But I haven't debugged that at all yet.

~ Gunnar
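As an added illustration that is not part of the mail above or of wg-quick itself, the following Python script simulates the kernel's rule walk for the two wg-quick rules and shows why a reply sourced from the tunnel address is sent out the LAN interface, then re-runs the walk with the "from <tunnel ip>" exception rule proposed in the mail. The table number 51820, the addresses and the interface names are constructed sample values.

```python
"""Simulate Linux policy routing for the wg-quick rule set discussed above.
All tables, addresses and devices below are constructed sample data."""
import ipaddress

# Constructed sample: the laptop's routing tables. Table 51820 is the wg-quick
# table holding the tunnel default route; main holds the LAN and real default.
TABLES = {
    "main": [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")],
    "51820": [("0.0.0.0/0", "wg0")],
}
TUNNEL_IP = "10.0.0.2"       # hypothetical tunnel address of the laptop
DESKTOP_IP = "192.168.1.10"  # hypothetical desktop on the local LAN


def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, dev) or None."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best


def route(rules, src, dst):
    """Walk rules in priority order, honouring a 'from' selector and
    suppress_prefixlength: a matched route whose prefix length is <= the
    suppress value is discarded and evaluation continues with the next rule."""
    for _pref, rule in sorted(rules, key=lambda r: r[0]):
        if rule.get("from") not in (None, src):
            continue
        hit = lookup(rule["table"], dst)
        if hit is None or hit[0] <= rule.get("suppress_prefixlength", -1):
            continue
        return hit[1]
    return None


# Rules as wg-quick installs them (the fwmark selector on 32765 is omitted:
# locally generated replies carry no mark, so that rule matches them anyway).
WG_QUICK_RULES = [
    (32764, {"table": "main", "suppress_prefixlength": 0}),
    (32765, {"table": "51820"}),
]
# The exception rule proposed in the mail, placed in front of the wg-quick ones.
FIXED_RULES = [(32763, {"table": "51820", "from": TUNNEL_IP})] + WG_QUICK_RULES

if __name__ == "__main__":
    print("wg-quick rules: reply leaves via", route(WG_QUICK_RULES, TUNNEL_IP, DESKTOP_IP))
    print("with exception: reply leaves via", route(FIXED_RULES, TUNNEL_IP, DESKTOP_IP))
```

The /24 LAN route survives suppress_prefixlength 0 while the default route does not, so the main table wins for any LAN destination regardless of source address; the source-based rule is what restores symmetric routing for the tunnel address.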