On 1/29/19 9:22 AM, C. Cook wrote:
> Something is wrong with packet routing in WireGuard. My outgoing
> channel to AzireVPN works fine (the whole LAN is routed through it) but
> the incoming channel can never complete the connexion handshake.
>
> Incoming is a separate channel with separate interface and port. It's
> for remote phone, laptop, etc.
>
> When I take down the outgoing channel, incoming then works fine! Put
> outgoing back up and incoming stops again.
>
> With outgoing up, I see Shorewall DROPs saying net-outWG with UDP inWG
> port. So incoming WG packets to net are getting sent right back out the
> outWG interface. I figured this must be because of this routing rule:
>
> 10.2.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>
> 10.2.1.0/24 is for the LAN and 10.2.3.0/24 is internal to WG.
>
> So in snat I changed the rule to:
>
> MASQUERADE 10.2.1.0/26 outWG-se1
>
> ... and changed the phone to 10.2.3.70 so it shouldn't be masqueraded
> back out and hopefully will go to the WG interface with this routing rule:
>
> 10.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 inWG
>
> TBH I don't know why the phone would be in 10.2.1.0 since I haven't
> assigned it that IP anywhere. All I know for sure is that when I take
> down the outgoing channel, incoming then works. Dump sent to Tom.
As far as I can see, this issue has nothing to do with Shorewall. I suggest that you contact the WG folks.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org  \    understand
                      \_______________________________________________
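To make the interface-selection question in the quoted message concrete, here is a small route-lookup simulator. It is an added example for this thread, not code from Shorewall, WireGuard or either poster. It parses the two `route -n` style entries quoted above plus a constructed default route via `outWG-se1` (the message says the whole LAN is routed through the outgoing channel but does not show that entry), performs the kernel's longest-prefix match for a destination, shows what changes when the outgoing interface is taken down, and checks which source addresses a `MASQUERADE 10.2.1.0/26` entry would actually match. Interface names, the default route and the sample addresses are assumptions for illustration.

```python
import ipaddress

# Routing entries in the "route -n" layout quoted in the thread:
#   Destination  Gateway  Genmask  Flags  Metric  Ref  Use  Iface
# The 10.2.1.0 and 10.2.3.0 lines are the ones from the message; the
# default route via outWG-se1 is constructed for this example.
ROUTE_TABLE_OUTWG_UP = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0   0.0.0.0  0.0.0.0        UG 0 0 0 outWG-se1
10.2.1.0  0.0.0.0  255.255.255.0  U  0 0 0 eth0
10.2.3.0  0.0.0.0  255.255.255.0  U  0 0 0 inWG
"""


def parse_routes(text):
    """Turn route -n output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a dotted-quad destination.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        # ipaddress accepts a dotted netmask after the slash.
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the interface the kernel would send dst out of."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best[2] if best else None


def without_interface(routes, iface):
    """Simulate 'wg-quick down' on one interface: its routes disappear."""
    return [r for r in routes if r[2] != iface]


def snat_matches(source_spec, src):
    """Does a Shorewall snat SOURCE such as 10.2.1.0/26 cover this address?"""
    return ipaddress.ip_address(src) in ipaddress.ip_network(source_spec, strict=False)


if __name__ == "__main__":
    up = parse_routes(ROUTE_TABLE_OUTWG_UP)
    down = without_interface(up, "outWG-se1")
    for dst in ("10.2.3.70", "10.2.1.20", "198.51.100.7"):  # last one is a constructed public address
        print(f"{dst:>14}: outWG up -> {lookup(up, dst)}, outWG down -> {lookup(down, dst)}")
    for src in ("10.2.1.10", "10.2.1.100", "10.2.3.70"):
        print(f"MASQUERADE 10.2.1.0/26 matches {src}: {snat_matches('10.2.1.0/26', src)}")
```

The lookup shows that an address inside 10.2.3.0/24 always resolves to `inWG` regardless of the default route, while any address outside both /24s (for example a remote peer's public address) follows the default route, so it is reachable only through `outWG-se1` while that interface is up and has no route at all once it is down. The `snat_matches` check also shows that narrowing the snat entry to 10.2.1.0/26 only excludes 10.2.1.64 to 10.2.1.255 and never touched 10.2.3.70 in the first place.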
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users