On Tue, Jul 16, 2024 at 3:23 PM Stuart Henderson <s...@spacehopper.org> wrote:
> Your route-to should specify the IP to send packets to, not an interface 
> (which would expand to the _local_ address on that interface)

Even then the problem exists. I tried today with an rdomain and got the same issue.
I'm thinking it might be something in the way the wireguard is
configured. My other wireguard interfaces are all site-to-site and work fine. But
in this case the remote side is not under my control and it's probably
a peer-to-peer type configuration (is there a difference?).
The configuration works fine on a single peer imported as a tunnel
into the standard wireguard app. Trying to use it on a gateway may not
work.
The wg interface using an rdomain:
==================================
rdomain 4
inet 10.2.0.2/32
wgkey <redacted>
wgpeer <redacted> wgaip 0.0.0.0/1 wgaip 128.0.0.0/1 wgendpoint <redacted> 51868
!route -T4 -n add default 10.2.0.2
==================================

When I ping from one of the client addresses in question the reply
comes back to the 10.2.0.2 address and goes no further. When I ping to
a host on the other side of one of my site-to-site wireguard
interfaces the packet returns to the client, not the gateway.
Same issue as with route-to instead of rdomain.

tcpdump of a wg interface of a ping to a host on the other side of a
site-to-site:
11:22:26.784561 192.168.77.182 > 172.24.42.1: icmp: echo request (DF)
11:22:26.803307 172.24.42.1 > 192.168.77.182: icmp: echo reply (DF)
11:22:27.784768 192.168.77.182 > 172.24.42.1: icmp: echo request (DF)
11:22:27.805880 172.24.42.1 > 192.168.77.182: icmp: echo reply (DF)

tcpdump of a wg interface of a ping to a host on the other side of the
problem interface:
11:40:47.526857 192.168.77.182 > 98.137.11.164: icmp: echo request (DF)
11:40:47.619352 98.137.11.164 > 10.2.0.2: icmp: echo reply (DF)
11:40:48.526989 192.168.77.182 > 98.137.11.164: icmp: echo request (DF)
11:40:48.618770 98.137.11.164 > 10.2.0.2: icmp: echo reply (DF)

So it may be that the issue is with the wireguard peer that I have no
control over. Or I'm still missing some proper configuration on my
end.
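As an added illustration (not part of the thread), a small script that makes the comparison done by eye above mechanical: it pairs each ICMP echo reply with the request it answers and flags replies addressed somewhere other than the client that sent the request. The sample captures are the two tcpdump excerpts from the message, and the only assumption is the line format tcpdump printed there.

```python
import re
from collections import defaultdict

# Sample input: the two tcpdump excerpts quoted in the message above.
SITE_TO_SITE = """\
11:22:26.784561 192.168.77.182 > 172.24.42.1: icmp: echo request (DF)
11:22:26.803307 172.24.42.1 > 192.168.77.182: icmp: echo reply (DF)
11:22:27.784768 192.168.77.182 > 172.24.42.1: icmp: echo request (DF)
11:22:27.805880 172.24.42.1 > 192.168.77.182: icmp: echo reply (DF)
"""

PROBLEM_PEER = """\
11:40:47.526857 192.168.77.182 > 98.137.11.164: icmp: echo request (DF)
11:40:47.619352 98.137.11.164 > 10.2.0.2: icmp: echo reply (DF)
11:40:48.526989 192.168.77.182 > 98.137.11.164: icmp: echo request (DF)
11:40:48.618770 98.137.11.164 > 10.2.0.2: icmp: echo reply (DF)
"""

# Matches the "ts src > dst: icmp: echo request|reply" shape tcpdump printed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)"
)


def check_echo_return_path(capture: str) -> list[str]:
    """Return one message per echo reply whose destination is not the
    address that sent the matching request to that remote host."""
    pending = defaultdict(list)  # remote host -> sources of unanswered requests
    problems = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore non-ICMP or differently formatted lines
        src, dst, kind = m["src"], m["dst"], m["kind"]
        if kind == "request":
            pending[dst].append(src)
            continue
        # A reply from src should go back to whoever asked src.
        if not pending[src]:
            problems.append(f"{m['ts']}: reply from {src} with no request seen")
            continue
        asked_by = pending[src].pop(0)
        if dst != asked_by:
            problems.append(
                f"{m['ts']}: reply from {src} went to {dst}, request came from {asked_by}"
            )
    return problems


if __name__ == "__main__":
    for name, cap in (("site-to-site", SITE_TO_SITE), ("problem peer", PROBLEM_PEER)):
        print(name, check_echo_return_path(cap) or "replies return to the client")
```

On the site-to-site capture it reports nothing; on the problem capture it reports both replies as addressed to 10.2.0.2 instead of 192.168.77.182, which is the asymmetry the message describes.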
