Hello Mikma,
Mikma <[email protected]> writes:

> Have you tried setting the preferred src address of the route(s) to the
> addresses you desire?
>
> From "man ip":
>
>> src ADDRESS the source address to prefer when sending to the destinations
>> covered by the route prefix.

Unfortunately this does not solve the problem. The expected behaviour of wireguard is to reply with the same IP address, like nginx and the kernel ICMP handler do, not with a route based outgoing interface IP address.

In a BGP based environment the route can vary dynamically and I showed a stripped down version to make it easier to understand. In practice, many of our systems have 4-7 different upstreams and the packet can come in on any interface and should leave the machine on the current correct interface depending on the route import.

In no case, however, should wireguard change the response address, because this breaks stateful firewalls. As demonstrated in my last email, both the in-kernel ICMP handler as well as user space applications like nginx behave correctly on the same machine.

I briefly checked the wireguard source code and I did not right away spot the network handling part that sets the source IP, so I am wondering if this bug is due to wireguard not handling it at all?

Best regards,

Nico

--
Sustainable and modern Infrastructures by ungleich.ch
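The behaviour Nico expects (answer from the address the request arrived on, not from the route's preferred source) is what a multihomed UDP service gets on Linux by reading the destination from the IP_PKTINFO ancillary data and setting it again on the reply. The following is an added illustration written for this thread, not code from WireGuard or from any participant; it assumes Linux, that 127.0.0.2 is reachable on the loopback interface, and that IP_PKTINFO has the Linux value 8 where the Python build lacks the constant.

```python
import socket
import struct

# Linux value of IP_PKTINFO; assumption: only used if this Python build lacks the constant
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "=i4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def open_udp_socket(addr, port):
    """Bind a UDP socket and ask the kernel to report each datagram's destination address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    sock.bind((addr, port))
    return sock


def recv_with_dst(sock, bufsize=2048):
    """Return (payload, peer, local_dst); local_dst is the IP the datagram was addressed to."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_LEN))
    local_dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, ipi_addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            local_dst = socket.inet_ntoa(ipi_addr)  # header destination of the request
    return data, peer, local_dst


def reply_from(sock, payload, peer, src):
    """Send payload to peer using src as source address, overriding the route's preferred source."""
    pktinfo = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src), b"\0" * 4)
    return sock.sendmsg([payload], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def echo_round_trip(server_addr="127.0.0.2", client_addr="127.0.0.1"):
    """Constructed loopback check: a wildcard-bound server must answer from server_addr
    (the address the request arrived on), not from the source the route to the client prefers."""
    server = open_udp_socket("0.0.0.0", 0)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind((client_addr, 0))
    client.settimeout(2)
    try:
        client.sendto(b"ping", (server_addr, server.getsockname()[1]))
        payload, peer, dst = recv_with_dst(server)
        reply_from(server, b"pong:" + payload, peer, dst)
        reply, (reply_src, _port) = client.recvfrom(2048)
        return reply, reply_src, dst
    finally:
        server.close()
        client.close()
```

Without the IP_PKTINFO control message on the reply, the same wildcard-bound socket would answer the 127.0.0.1 client from 127.0.0.1, which is exactly the address change a stateful firewall in front of the host rejects.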
