So I tried to come up with a simple setup to showcase the issue and then I
realized:
"How should wireguard know which IP is the correct source IP address?"
In the simple setup wireguard even selected an IP from an interface which link
is down which is kind of strange.
After removing the IP from the linkdown interface, wireguard took the IP as
source from the next available interface.
Adding the IP back to the linkdown interface and wireguard prefered that IP
again.
I digged into the source code but couldn't find the part where the source-IP is
selected for outgoing connections (like a simple ping).
I am not a developer but would like to try to understand it. Could someone give
me a pointer?
Nevertheless thinking about the question how to select the IP, I wondered if it
would be possible to set the IP in wireguard settings, so I do not have to
update the routes with the src parameter.
Then I saw the address setting and setting the IP there just fixed my "issue".
I don't know why I overlooked that setting.. sorry for that
Thank you and kind regards
Am 20.10.2022 um 00:56 schrieb Christoph Loesch:
Now I've read enough (rather old and also pretty recent) posts about that topic
and I want to help finally fix this issue.
Not just because it bugs our network too after we optimized/simplified our
router-setup but also because it seems over the years many users seem to
beaffected. Until now every thread I've read ends with an open question rather
than a solution.
In Jason's post here from 2017 I found his script that should reproduce
theissue, I tried it and could not reproduce the issue with that script..
https://lists.zx2c4.com/pipermail/wireguard/2017-November/002092.html
To be honest I do not fully understand it to modify it to reproduce the issue
in my environment.
Here I posted one example and the (temporary) solution by deleting the route
that wireguard had set and re-creating the same route but defining the
(correct) IP as src.
https://lists.zx2c4.com/pipermail/wireguard/2021-November/007324.html
How could I help to fix this issue?
If it helps, I could give full access to a test-router which has the same setup
as all other routers in our network.
Kind regards
Am 23.11.2021 um 14:52 schrieb Christoph Loesch:
Hi,
Is this related to my issue with using wrong source ip on outgoing connections?
(https://lists.zx2c4.com/pipermail/wireguard/2021-November/007307.html)
Which bug would that be? Would be interesting in more detail to understand the
issue.
I'm having a hard time to reproduce (or somehow "fix") the issue I am facing,
since this issue is on only 5 devices from over 20 devices where all are configured same.
The configuration or better all routes do not even have any metric defined so I
am unsure what to add/remove to change the behaviour.
Also in my configuration there are multiple interfaces
(br0,br1,eth0,eth1,etc..) as it is a router but there are no multiple default
routes.
Comparing perfectly fine working devices to one of those five devices which
have this issue I am not able to find a difference in IP-config or routes.
Even kernel and firmware versions are all same.
The only difference I see is while looking at tcpdump where a simple pingto the
wireguard server's internal IP (172.27.0.1/24 in my case) originates with the
public IP of the device.
If it is a known bug, it would be nice to know what (and if) I could try to fix
and possibly confirm the bug. Or even better beeing able to reproduce the issue.
Thanks and kind regards,
Christoph
Am 19.11.2021 um 14:10 schrieb 曹煜:
Hi,
As Jason said in mailing list
(https://lists.zx2c4.com/pipermail/wireguard/2017-November/002018.html)
years ago, if wireguard reply the client with wrong src ip, then it is
a bug. And now I'm trying to set up a minimal configuration.
Server info:
Ubuntu 20.04 in VMware with two Host-only network adapters:
wacke@Ubuntu:/etc$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
wacke@Ubuntu:/etc$ uname -a
Linux Ubuntu 5.14.8-051408-generic #202109280455 SMP Tue Sep 28
04:57:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
wacke@Ubuntu:/etc$ sudo ip route show
169.254.0.0/16 dev ens33 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.187.0/24 dev ens33 proto kernel scope link src 192.168.187.129
metric 100
192.168.187.0/24 dev ens35 proto kernel scope link src 192.168.187.128
metric 101
192.168.199.0/24 dev wg0 proto kernel scope link src 192.168.199.1
wacke@Ubuntu:/etc$ sudo cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = oLLeTlvwWsfGoyQpDwZo0k7AsMf0LkkfycGPwFjamEA=
ListenPort = 5999
[Peer]
PublicKey = JYvK2/FBbbSrDbkH29ejWejkBJS3ch/SFtyZwNf5O1c=
AllowedIPs = 192.168.199.2/32
PersistentKeepalive = 25
[Peer]
PublicKey = keIPXZFgvB79biV74kGc5R9vAHpzyVyQHci8KBSDIUw=
AllowedIPs = 192.168.199.3/32
PersistentKeepalive = 25
wacke@Ubuntu:/etc$ sudo wg
