Hi!
I'm trying to do some simple policy-based routing over a WireGuard VPN. Basically, I want only traffic from a particular IP address to use the VPN. I've been following various instructions and guides, including these:
https://openwrt.org/docs/guide-user/network/routing
https://openwrt.org/docs/guide-user/network/ip_rules
https://openwrt.org/docs/guide-user/network/ucicheatsheet
Anyway, things seem to be working well, except for one oddity that I discovered today. It seems that if I turn off the host that uses the VPN, ICMP "destination unreachable" packets are sent on the `eth0` (wan) interface, not on the `wg0` (vpn) interface as I would expect.
Here's a snippet from a tcpdump of `eth0`:

```text
No  Time             Source    Destination Protocol Length Info
123 12:00:00.000000  10.x.y.z  a.b.c.d     ICMP     102    Destination unreachable (Host unreachable)
```
Note the `10.x.y.z` source address, which is the address of my `wg0` interface:

```text
# ifconfig wg0
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.x.y.z  P-t-P:10.x.y.z  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          ...
```
It seems odd to me not only that the packet is on the `eth0` interface but that no NAT has taken place and translated `10.x.y.z` to the address of the `eth0` interface.
The routes/rules in my `/etc/config/network`:

```text
config route
	option interface 'wg0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '0.0.0.0'
	option table 'vpn'

config route
	option interface 'lan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '0.0.0.0'
	option table 'vpn'
	option metric '100'
	option type 'unreachable'

config rule
	option src '192.168.1.x/32'
	option lookup 'vpn'
```

`192.168.1.x` is the address of the host using the VPN.
The generated routes/rules:

```text
# ip rule
0:	from all lookup local
...
10:	from 192.168.1.x lookup vpn
32766:	from all lookup main
32767:	from all lookup default
# ip route show table vpn
default dev wg0 proto static scope link
unreachable default proto static metric 100
```
I tried adding another rule, but it seemed to have no effect:

```text
# ip rule
0:	from all lookup local
...
9:	from 10.x.y.z lookup vpn
10:	from 192.168.1.x lookup vpn
32766:	from all lookup main
32767:	from all lookup default
```
Any idea what's going on? How can I make sure that ICMP "destination unreachable" packets are sent on the right interface?
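As an added illustration (not part of the post above, and not OpenWrt's own tooling), here is a small Python model of the decision the kernel's policy routing makes: walk the `ip rule` list in priority order, and the first rule whose source selector matches and whose table holds a route for the destination decides the egress. It parses the `ip rule` and `ip route show table` output formats shown in the post. All addresses are constructed placeholders (`192.168.1.5` for the LAN host, `10.8.0.1` for the `wg0` address, `198.51.100.0/24` on the WAN side, `203.0.113.7` as a remote peer), and the model ignores `iif`/`oif`/`fwmark` selectors and the `local` table. It is useful for checking one thing in a setup like this: a packet the router itself sources from its `wg0` address is not selected by a `from 192.168.1.x` rule, so the main table, not table `vpn`, chooses its interface unless a rule for that source exists.

```python
import ipaddress
import re

# Constructed sample output in the formats of `ip rule` and `ip route show table`
# from the post. Addresses are placeholders: 192.168.1.5 is the LAN host that
# should use the VPN, 10.8.0.1 the wg0 address, 198.51.100.0/24 the WAN side.
IP_RULE = """\
0:\tfrom all lookup local
10:\tfrom 192.168.1.5 lookup vpn
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
TABLE_VPN = """\
default dev wg0 proto static scope link
unreachable default proto static metric 100
"""
TABLE_MAIN = """\
default via 198.51.100.1 dev eth0 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.2
"""

RULE_RE = re.compile(r"^(?P<prio>\d+):\s+from (?P<src>\S+) lookup (?P<table>\S+)")
SPECIAL_TYPES = ("unreachable", "prohibit", "blackhole", "local", "broadcast")


def parse_rules(text):
    """Parse `ip rule` lines into (priority, source selector, table), sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # skips the "..." elision and rule forms this model does not handle
            continue
        src = None if m["src"] == "all" else ipaddress.ip_network(m["src"], strict=False)
        rules.append((int(m["prio"]), src, m["table"]))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """Parse `ip route show table X` lines into dicts with dst, type, dev and metric."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        rtype = toks.pop(0) if toks[0] in SPECIAL_TYPES else "unicast"
        dst = toks.pop(0)
        dst = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        route = {"dst": dst, "type": rtype, "dev": None, "metric": 0}
        for key, val in zip(toks, toks[1:]):  # scan "dev X" / "metric N" keyword pairs
            if key == "dev":
                route["dev"] = val
            elif key == "metric":
                route["metric"] = int(val)
        routes.append(route)
    return routes


def lookup(src, dst, rules, tables):
    """Simplified policy-routing decision. The first rule whose selector matches
    the source and whose table has a route covering the destination wins; a
    table with no matching route falls through to the next rule, and a matching
    unreachable route ends the search (the kernel returns an error there)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, selector, table in rules:
        if selector is not None and src not in selector:
            continue
        hits = [r for r in tables.get(table, []) if dst in r["dst"]]
        if not hits:
            continue
        # longest prefix first, then lowest metric, as the kernel orders routes
        best = max(hits, key=lambda r: (r["dst"].prefixlen, -r["metric"]))
        return {"rule": prio, "table": table, "type": best["type"], "dev": best["dev"]}
    return None


TABLES = {"vpn": parse_routes(TABLE_VPN), "main": parse_routes(TABLE_MAIN)}


def route_for(src, dst, extra_rules=""):
    """Decide egress for (src, dst) under the sample policy, optionally with
    extra `ip rule` lines appended (e.g. a rule selecting the wg0 address)."""
    return lookup(src, dst, parse_rules(IP_RULE + extra_rules), TABLES)


if __name__ == "__main__":
    # LAN host traffic is selected by rule 10 and leaves via wg0.
    print(route_for("192.168.1.5", "203.0.113.7"))
    # A packet the router sources from its own wg0 address matches no "from"
    # rule before main, so main's default route (eth0) decides.
    print(route_for("10.8.0.1", "203.0.113.7"))
    # A rule selecting the wg0 address steers that packet into table vpn.
    print(route_for("10.8.0.1", "203.0.113.7", "9:\tfrom 10.8.0.1 lookup vpn\n"))
```

Running it with real output (`ip rule` and `ip route show table vpn|main` pasted into the three strings) lets you confirm which rule and table a given source/destination pair ends up in before touching the live configuration; the `unreachable` default with metric 100 in table `vpn` only takes effect when the `wg0` default route is absent, which the model reproduces.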