No Wireguard-server access while using mwan3

linuxfan · October 25, 2022, 7:17pm

Hello,
I've the problem, that the wireguard server is'n reachable by the wg-client.

It seems so, that the wg-server is answering on the wrong wan interface.

When I shutdown/disconnect the 2nd wan interface, the wg-server is reachable by the client.

192.168.221.18 is the WAN interface for the wg-server. I've created mwan3 rules to route
the vpn traffic trough the 192.168.221.18 interface, but this has no effect.

The failover routing by MWAN3 works fine.

Software-Version
-------------------------------------------------
OpenWrt - 22.03.2

Output of "ip -4 a show"
-------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.208.1.1/24 brd 10.208.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
6: eth0.221@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.221.18/24 brd 192.168.221.255 scope global eth0.221
       valid_lft forever preferred_lft forever
10: eth0.222@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.222.18/24 brd 192.168.222.255 scope global eth0.222
       valid_lft forever preferred_lft forever

Output of "ip -4 route show"
-------------------------------------------------
default via 192.168.222.254 dev eth0.222 proto static metric 10 
default via 192.168.221.254 dev eth0.221 proto static metric 20 
10.208.1.0/24 dev br-lan proto kernel scope link src 10.208.1.1 
192.168.221.0/24 dev eth0.221 proto static scope link metric 20 
192.168.222.0/24 dev eth0.222 proto static scope link metric 10 

Output of "ip -4 rule show"
-------------------------------------------------
0:	from all lookup local
1001:	from all iif eth0.221 lookup 1
1002:	from all iif eth0.222 lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3002:	from all fwmark 0x200/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default

Output of "ip -4 route list table 1-250"
-------------------------------------------------
Routing table 1:
default via 192.168.221.254 dev eth0.221 proto static metric 20 
10.208.1.0/24 dev br-lan proto kernel scope link src 10.208.1.1 
192.168.221.0/24 dev eth0.221 proto static scope link metric 20 

Routing table 2:
default via 192.168.222.254 dev eth0.222 proto static metric 10 
10.208.1.0/24 dev br-lan proto kernel scope link src 10.208.1.1 
192.168.222.0/24 dev eth0.222 proto static scope link metric 10 

Output of "iptables -t mangle -w -L -v -n"
-------------------------------------------------
Chain PREROUTING (policy ACCEPT 1816 packets, 282K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1834  286K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 1198 packets, 156K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1279 packets, 543K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1296  550K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 1279 packets, 543K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain mwan3_connected_ipv4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  166 11500 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 dst MARK or 0x3f00

Chain mwan3_custom_ipv4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 dst MARK or 0x3f00

Chain mwan3_dynamic_ipv4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 dst MARK or 0x3f00

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 2716  804K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 CONNMARK restore mask 0x3f00
  746  134K mwan3_ifaces_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  117  7752 mwan3_custom_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  117  7752 mwan3_connected_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
   54  3188 mwan3_dynamic_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
   54  3188 mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
 3130  836K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0x3f00
  185 14564 mwan3_custom_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00
  185 14564 mwan3_connected_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00
   82  7628 mwan3_dynamic_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00

Chain mwan3_iface_in_WAN1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  eth0.221 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
  617  125K MARK       all  --  eth0.221 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  eth0.221 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    6   872 MARK       all  --  eth0.221 *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* WAN1 */ MARK xset 0x100/0x3f00

Chain mwan3_iface_in_WAN2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  eth0.222 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    6   404 MARK       all  --  eth0.222 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  eth0.222 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  eth0.222 *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* WAN2 */ MARK xset 0x200/0x3f00

Chain mwan3_ifaces_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  743  134K mwan3_iface_in_WAN1  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  120  7546 mwan3_iface_in_WAN2  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00

Chain mwan3_policy_MRule1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   51  2578 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* WAN2 1 1 */ MARK xset 0x200/0x3f00

Chain mwan3_policy_MRule2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* WAN1 2 2 */ MARK xset 0x100/0x3f00

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 mwan3_policy_MRule2  udp  --  *      *       192.168.221.18       0.0.0.0/0            multiport sports 54329 mark match 0x0/0x3f00
    0     0 mwan3_policy_MRule2  udp  --  *      *       0.0.0.0/0            192.168.221.18       multiport dports 54329 mark match 0x0/0x3f00
   51  2578 mwan3_policy_MRule1  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00

0:      from all lookup local
1001:   from all iif eth0.221 lookup 1
1002:   from all iif eth0.222 lookup 2
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default



default via 192.168.221.254 dev eth0.221 table 1 proto static metric 20
10.208.1.0/24 dev br-lan table 1 proto kernel scope link src 10.208.1.1
192.168.221.0/24 dev eth0.221 table 1 proto static scope link metric 20
default via 192.168.222.254 dev eth0.222 table 2 proto static metric 10
10.208.1.0/24 dev br-lan table 2 proto kernel scope link src 10.208.1.1
192.168.222.0/24 dev eth0.222 table 2 proto static scope link metric 10
default via 192.168.222.254 dev eth0.222 proto static metric 10
default via 192.168.221.254 dev eth0.221 proto static metric 20
10.208.1.0/24 dev br-lan proto kernel scope link src 10.208.1.1
192.168.221.0/24 dev eth0.221 proto static scope link metric 20
192.168.222.0/24 dev eth0.222 proto static scope link metric 10
broadcast 10.208.1.0 dev br-lan table local proto kernel scope link src 10.208.1.1
local 10.208.1.1 dev br-lan table local proto kernel scope host src 10.208.1.1
broadcast 10.208.1.255 dev br-lan table local proto kernel scope link src 10.208.1.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.221.0 dev eth0.221 table local proto kernel scope link src 192.168.221.18
local 192.168.221.18 dev eth0.221 table local proto kernel scope host src 192.168.221.18
local 192.168.221.18 dev wg0 table local proto kernel scope host src 192.168.221.18
broadcast 192.168.221.255 dev eth0.221 table local proto kernel scope link src 192.168.221.18
broadcast 192.168.222.0 dev eth0.222 table local proto kernel scope link src 192.168.222.18
local 192.168.222.18 dev eth0.222 table local proto kernel scope host src 192.168.222.18
broadcast 192.168.222.255 dev eth0.222 table local proto kernel scope link src 192.168.222.18
unreachable fd2c:c04d:81d0::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
local fe80::3e37:12ff:fe51:2dd dev wlan1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wlan1 table local proto kernel metric 256 pref medium

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd2c:c04d:81d0::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.@device[0].ipv6='0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='10.208.1.1'
network.lan.delegate='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0 4 3 2'
network.@device[1]=device
network.@device[1].type='8021q'
network.@device[1].ifname='eth0'
network.@device[1].vid='221'
network.@device[1].name='eth0.221'
network.@device[1].macaddr='26:D7:87:99:8F:D1'
network.@device[1].ipv6='0'
network.@device[2]=device
network.@device[2].type='8021q'
network.@device[2].ifname='eth0'
network.@device[2].vid='222'
network.@device[2].name='eth0.222'
network.@device[2].macaddr='26:D7:87:99:8F:D2'
network.@device[2].ipv6='0'
network.@device[3]=device
network.@device[3].name='eth0'
network.@device[3].ipv6='0'
network.WAN1=interface
network.WAN1.proto='static'
network.WAN1.device='eth0.221'
network.WAN1.ipaddr='192.168.221.18'
network.WAN1.netmask='255.255.255.0'
network.WAN1.gateway='192.168.221.254'
network.WAN1.metric='20'
network.WAN1.delegate='0'
network.WAN1.dns='192.168.221.254'
network.WAN2=interface
network.WAN2.proto='static'
network.WAN2.device='eth0.222'
network.WAN2.ipaddr='192.168.222.18'
network.WAN2.netmask='255.255.255.0'
network.WAN2.gateway='192.168.222.254'
network.WAN2.metric='10'
network.WAN2.delegate='0'
network.WAN2.dns='192.168.222.254'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].vid='221'
network.@switch_vlan[1].ports='0t 1t'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].ports='0t 1t'
network.@switch_vlan[2].vid='222'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxx'
network.wg0.listen_port='54329'
network.wg0.defaultroute='0'
network.wg0.delegate='0'
network.wg0.addresses='192.168.221.18'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='Test1'
network.@wireguard_wg0[0].public_key='xxxxx'
network.@wireguard_wg0[0].allowed_ips='10.208.11.1/24'
network.@wireguard_wg0[0].persistent_keepalive='30'

mwan3.globals=globals
mwan3.globals.mmx_mask='0x3F00'
mwan3.WAN1=interface
mwan3.WAN1.enabled='1'
mwan3.WAN1.initial_state='online'
mwan3.WAN1.family='ipv4'
mwan3.WAN1.track_ip='8.8.8.8'
mwan3.WAN1.track_method='ping'
mwan3.WAN1.reliability='1'
mwan3.WAN1.count='1'
mwan3.WAN1.size='56'
mwan3.WAN1.max_ttl='60'
mwan3.WAN1.timeout='4'
mwan3.WAN1.interval='10'
mwan3.WAN1.failure_interval='5'
mwan3.WAN1.recovery_interval='5'
mwan3.WAN1.down='5'
mwan3.WAN1.up='5'
mwan3.WAN2=interface
mwan3.WAN2.enabled='1'
mwan3.WAN2.initial_state='online'
mwan3.WAN2.family='ipv4'
mwan3.WAN2.track_ip='8.8.8.8'
mwan3.WAN2.track_method='ping'
mwan3.WAN2.reliability='1'
mwan3.WAN2.count='1'
mwan3.WAN2.size='56'
mwan3.WAN2.max_ttl='60'
mwan3.WAN2.timeout='4'
mwan3.WAN2.interval='10'
mwan3.WAN2.failure_interval='5'
mwan3.WAN2.recovery_interval='5'
mwan3.WAN2.down='5'
mwan3.WAN2.up='5'
mwan3.ISP1=member
mwan3.ISP1.interface='WAN1'
mwan3.ISP1.metric='2'
mwan3.ISP1.weight='2'
mwan3.ISP2=member
mwan3.ISP2.interface='WAN2'
mwan3.ISP2.metric='1'
mwan3.ISP2.weight='1'
mwan3.MRule1=policy
mwan3.MRule1.use_member='ISP1' 'ISP2'
mwan3.MRule1.last_resort='unreachable'
mwan3.Rule3=rule
mwan3.Rule3.proto='udp'
mwan3.Rule3.src_ip='192.168.221.18/32'
mwan3.Rule3.src_port='54329'
mwan3.Rule3.sticky='0'
mwan3.Rule3.use_policy='MRule2'
mwan3.Rule3.dest_ip='0.0.0.0/0'
mwan3.Rule2=rule
mwan3.Rule2.family='ipv4'
mwan3.Rule2.proto='udp'
mwan3.Rule2.src_ip='0.0.0.0/0'
mwan3.Rule2.dest_ip='192.168.221.18/32'
mwan3.Rule2.dest_port='54329'
mwan3.Rule2.sticky='0'
mwan3.Rule2.use_policy='MRule2'
mwan3.Rule1=rule
mwan3.Rule1.proto='all'
mwan3.Rule1.dest_ip='0.0.0.0/0'
mwan3.Rule1.sticky='0'
mwan3.Rule1.use_policy='MRule1'
mwan3.Rule1.family='ipv4'
mwan3.MRule2=policy
mwan3.MRule2.use_member='ISP1'
mwan3.MRule2.last_resort='default'

pavelgl · October 26, 2022, 7:45am

Check out the long thread below.
The OP has been investigating the issue for years.

github.com/openwrt/packages

wireguard can't handshake with mwan3

opened 11:33AM - 22 Jul 19 UTC

closed 01:18AM - 21 Feb 22 UTC

wackejohn

Maintainer: @feckert Environment: ``` OpenWrt SNAPSHOT, r10551-d616b2c906 … MWAN3 2.8.0-1 Running on turris omnia with four pppoe wan interface,two wireguard vpn client and one wireguard vpn server. ``` Description: ``` When I using the OpenWRT as a wireguard server with multi pppoe wan interface, the wireguard client failed handshake. And I found that the inbound interface and outbound interface was different. eg: My wireguard client connect the wireguard server from pppoe-wan4, but the handshake data was sent from pppoe-wan1 to the client. ``` The tcpdump output: ``` root@HOME-Router:~# tcpdump -i pppoe-wan4 -vv host 49.94.153.160 tcpdump: listening on pppoe-wan4, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 21:40:42.419873 IP (tos 0x0, ttl 113, id 5756, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:40:47.635469 IP (tos 0x0, ttl 113, id 5757, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:40:52.534148 IP (tos 0x0, ttl 113, id 5758, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:40:57.697818 IP (tos 0x0, ttl 113, id 5759, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:02.728237 IP (tos 0x0, ttl 113, id 5760, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:07.937823 IP (tos 0x0, ttl 113, id 5761, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:13.142458 IP (tos 0x0, ttl 113, id 5762, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:18.267116 IP (tos 0x0, ttl 113, id 5763, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:23.496362 IP (tos 0x0, ttl 113, id 5764, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:28.698172 IP (tos 0x0, ttl 113, id 5765, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:33.800883 IP (tos 0x0, ttl 113, id 5766, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:38.899820 IP (tos 0x0, ttl 113, id 5767, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:43.998023 IP (tos 0x0, ttl 113, id 5768, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:49.254995 IP (tos 0x0, ttl 113, id 5769, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:54.349569 IP (tos 0x0, ttl 113, id 5770, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:59.327974 IP (tos 0x0, ttl 113, id 5771, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:42:04.368634 IP (tos 0x0, ttl 113, id 5772, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:42:09.491494 IP (tos 0x0, ttl 113, id 5773, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 ^C 18 packets captured 18 packets received by filter 0 packets dropped by kernel ``` ``` root@HOME-Router:~# tcpdump -i pppoe-wan1 -vv host 49.94.153.160 tcpdump: listening on pppoe-wan1, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 21:40:42.421591 IP (tos 0x88, ttl 64, id 1206, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:40:47.637268 IP (tos 0x88, ttl 64, id 1711, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:40:52.535810 IP (tos 0x88, ttl 64, id 1987, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:40:57.699682 IP (tos 0x88, ttl 64, id 2312, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:02.729908 IP (tos 0x88, ttl 64, id 2638, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:07.939552 IP (tos 0x88, ttl 64, id 2713, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:13.144141 IP (tos 0x88, ttl 64, id 3211, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:18.268852 IP (tos 0x88, ttl 64, id 3683, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:23.498018 IP (tos 0x88, ttl 64, id 3996, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:23.533291 IP (tos 0x0, ttl 55, id 7594, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 3996, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:28.699810 IP (tos 0x88, ttl 64, id 4312, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:28.728377 IP (tos 0x0, ttl 55, id 7901, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4312, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:33.802574 IP (tos 0x88, ttl 64, id 4486, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:33.841978 IP (tos 0x0, ttl 55, id 8313, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4486, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:38.901612 IP (tos 0x88, ttl 64, id 4495, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:38.931917 IP (tos 0x0, ttl 55, id 8498, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4495, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:43.999737 IP (tos 0x88, ttl 64, id 4549, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:44.025151 IP (tos 0x0, ttl 55, id 8577, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4549, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:49.256834 IP (tos 0x88, ttl 64, id 4879, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:49.285795 IP (tos 0x0, ttl 55, id 8663, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4879, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:54.351222 IP (tos 0x88, ttl 64, id 5110, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:54.395633 IP (tos 0x0, ttl 55, id 8927, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5110, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:59.329684 IP (tos 0x88, ttl 64, id 5361, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:59.368025 IP (tos 0x0, ttl 55, id 9212, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5361, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:04.370263 IP (tos 0x88, ttl 64, id 5540, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:04.409760 IP (tos 0x0, ttl 55, id 9586, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5540, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:09.493346 IP (tos 0x88, ttl 64, id 5932, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:09.532424 IP (tos 0x0, ttl 55, id 9895, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5932, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 ``` The output showed that my client(49.94.153.160) connect server (112.3.86.249:5888), but the handshake data was sent from (114.228.200.208). Maybe it's because the wireguard can't bind to specific interface?

In brief.

If it's not a problem, swap the metrics on the two wan interfaces.