Wireguard server can only successfully be used via one WAN interface

Hi!

I have a (to me) pretty strange issue that I could not resolve myself. I am using two WAN interfaces, eth1 (cable modem) and pppoe-vdsl (VDSL via FritzBox in bridge mode). After updating from 18.06 to 19.07 via sysupgrade I can only successfully establish a connection to my WireGuard server via the eth1 interface. Connections coming in via the pppoe-vdsl interface are established from the client side, but the server does not seem to get any data back to the client. The same configuration works without issues on 18.06. TCP traffic (to other systems in the LAN) is still forwarded without issues through the pppoe-vdsl interface. The only real difference between those two interfaces is that the gateway for pppoe-vdsl is on a different subnet; could that explain the problem?

tl;dr:

  • Configuration worked on 18.06
  • WireGuard tunnel from one WAN interface (eth1) works
  • WireGuard server on the second WAN interface (pppoe-vdsl) only successfully receives data from the client,
    but the client doesn't receive any responses
  • Connecting from the LAN via both external IP addresses works (makes me assume it's not a port
    forwarding but NAT/masquerading issue?)
  • TCP traffic is forwarded without problems

I compared the output of some of the commands listed below between the router running 18.06 and
19.07 (luckily it has a dual boot feature) and the only change that stood out to me is that the
loopback interface does not have the LAN ip registered anymore (even though I don't know if that
could cause my problem):

@ ip4addr:3 @
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
-    inet 192.168.1.1/32 scope global lo
-       valid_lft forever preferred_lft forever

Any help is greatly appreciated!

Broken wg show (via pppoe-vdsl)
interface: wireguard
  public key: publickey
  private key: (hidden)
  listening port: 13377

peer: public-peer-key
  endpoint: 80.xxx.xxx.xxx:31126
  allowed ips: 208.0.0.3/32
  transfer: 148 B received, 92 B sent
  persistent keepalive: every 25 seconds
Working wg show (via eth1)
interface: wireguard
  public key: publickey
  private key: (hidden)
  listening port: 13377

peer: public-peer-key
  endpoint: 80.xxx.xxx.xxx:13024
  allowed ips: 208.0.0.3/32
  latest handshake: 3 seconds ago
  transfer: 6.85 KiB received, 4.65 KiB sent
  persistent keepalive: every 25 seconds
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         185.xxx.xxx.1   0.0.0.0         UG    10     0        0 eth1
0.0.0.0         62.214.63.97    0.0.0.0         UG    20     0        0 pppoe-vdsl
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0.30
62.214.63.97    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-vdsl
169.254.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
172.30.172.1    172.30.172.9    255.255.255.255 UGH   0      0        0 tun0
172.30.172.9    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
185.xxx.xxx.0   0.0.0.0         255.255.255.0   U     10     0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
200.0.0.0       172.30.172.9    255.255.255.0   UG    0      0        0 tun0
208.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wireguard
208.0.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 wireguard
208.0.0.3       0.0.0.0         255.255.255.255 UH    0      0        0 wireguard
208.0.0.4       0.0.0.0         255.255.255.255 UH    0      0        0 wireguard
ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    inet 185.xxx.xxx.xxx/24 brd 185.251.102.255 scope global eth1
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 169.254.1.2/24 brd 169.254.1.255 scope global eth0.3
       valid_lft forever preferred_lft forever
11: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0.30
       valid_lft forever preferred_lft forever
13: pppoe-vdsl: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 83.xx.xx.xxx peer 62.214.63.97/32 scope global pppoe-vdsl
       valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 172.30.172.10 peer 172.30.172.9/32 scope global tun0
       valid_lft forever preferred_lft forever
18: wireguard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 208.0.0.1/24 brd 208.0.0.255 scope global wireguard
       valid_lft forever preferred_lft forever
ip -4 ro
default via 185.xxx.xxx.1 dev eth1 proto static src 185.xxx.xxx.xxx metric 10
default via 62.214.63.97 dev pppoe-vdsl proto static metric 20
10.0.0.0/24 dev eth0.30 proto kernel scope link src 10.0.0.1
62.214.63.97 dev pppoe-vdsl proto kernel scope link src 83.xx.xx.xxx
169.254.1.0/24 dev eth0.3 proto kernel scope link src 169.254.1.2
172.30.172.1 via 172.30.172.9 dev tun0
172.30.172.9 dev tun0 proto kernel scope link src 172.30.172.10
185.251.102.0/24 dev eth1 proto static scope link metric 10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
200.0.0.0/24 via 172.30.172.9 dev tun0
208.0.0.0/24 dev wireguard proto kernel scope link src 208.0.0.1
208.0.0.2 dev wireguard proto static scope link
208.0.0.3 dev wireguard proto static scope link
208.0.0.4 dev wireguard proto static scope link
ip -4 ru
0:	from all lookup local
1001:	from all iif eth1 lookup 1
1002:	from all iif pppoe-vdsl lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd99:bb69:b4f1::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'
        option metric '10'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '4 6'

config interface 'vpn'
        option proto 'none'
        option _orig_ifname 'tap0'
        option _orig_bridge 'false'
        option ifname 'tun0'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '30'
        option ports '2t 5t'

config interface 'cloud'
        option proto 'static'
        option ifname 'eth0.30'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

config interface 'vdsl'
        option proto 'pppoe'
        option username 'xxxxxxxxx'
        option password 'xxxxxxxx'
        option metric '20'
        option ifname 'eth0.3'
        option ipv6 '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option peerdns '0'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '3'
        option ports '2t 3 5t'

config interface 'ios'
        option proto 'static'
        option ipaddr '10.10.0.1'
        option netmask '255.255.255.0'

config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxx='
        list addresses '208.0.0.1/24'
        option listen_port '13377'

config wireguard_wireguard
        option public_key 'public-peer-key'
        option persistent_keepalive '25'
        option description 'iPhone'
        list allowed_ips '208.0.0.3/32'
        option route_allowed_ips '1'

config interface 'FRITZWEB'
        option proto 'static'
        option ifname 'eth0.3'
        option netmask '255.255.255.0'
        option ipaddr '169.254.1.2'
/etc/config/firewall
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_port '22'
        option name 'ssh'
        option dest_ip '192.168.1.232'

config redirect
        option target 'DNAT'
        option src 'vdsl'
        option dest 'cloud'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '10.0.0.12'
        option dest_port '22'
        option name 'ssh vdsl'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22000'
        option dest_ip '192.168.1.212'
        option dest_port '22000'
        option name 'syncthing'

config redirect
        option target 'DNAT'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '10.0.0.2'
        option dest_port '80'
        option name 'vdsl proxy http'
        option src 'vdsl'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.0.0.2'
        option dest_port '443'
        option name 'vdsl proxy https'
        option src 'vdsl'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '10.0.0.2'
        option dest_port '80'
        option name 'wan proxy http'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.0.0.2'
        option dest_port '443'
        option name 'wan proxy https'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option dest 'cloud'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.0.0.2'
        option dest_port '443'
        option src 'vdsl'
        option name 'cloud vdsl https'

config redirect
        option target 'DNAT'
        option src 'vdsl'
        option dest 'cloud'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '10.0.0.2'
        option dest_port '80'
        option name 'cloud vdsl http'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'cloud'
        option proto 'tcp'
        option dest_ip '10.0.0.2'
        option name 'cloud wan https'
        option src_dport '443'
        option dest_port '443'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'cloud'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '10.0.0.2'
        option dest_port '80'
        option name 'cloud wan http'

config redirect
        option target 'DNAT'
        option src 'vdsl'
        option proto 'udp'
        option name 'wireguard vdsl'
        option dest_ip '192.168.1.1'
        option dest 'lan'
        option dest_port '13377'
        option src_dport '13377'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option dest_ip '192.168.1.1'
        option name 'wireguard cable'
        option dest 'lan'
        option dest_port '13377'
        option src_dport '13377'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1194'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan6 wan'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'flavoursys_vpn'
        option forward 'ACCEPT'
        option name 'vpn'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config zone
        option name 'cloud'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'cloud loopnat'

config zone
        option name 'vdsl'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'vdsl'

config forwarding
        option dest 'wan'
        option src 'cloud'

config forwarding
        option dest 'vdsl'
        option src 'cloud'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'ios'
        option network 'ios'

config forwarding
        option dest 'vdsl'
        option src 'ios'

config forwarding
        option dest 'wan'
        option src 'ios'

config forwarding
        option dest 'cloud'
        option src 'wireguard'

config forwarding
        option dest 'ios'
        option src 'wireguard'

config forwarding
        option dest 'vdsl'
        option src 'wireguard'

config forwarding
        option dest 'vpn'
        option src 'wireguard'

config forwarding
        option dest 'wan'
        option src 'wireguard'

config rule
        option target 'ACCEPT'
        option src 'cloud'
        option name 'dokku to gitlab'
        option src_ip '10.0.0.11'
        option dest 'vpn'
        option dest_ip '200.0.0.42'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest 'lan'
        option name 'access fritzbox'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'wireguard'

config zone
        option name 'fritzweb'
        option output 'ACCEPT'
        option network 'FRITZWEB'
        option masq '1'
        option input 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option dest 'cloud'
        option src 'lan'

config forwarding
        option dest 'fritzweb'
        option src 'lan'

config forwarding
        option dest 'ios'
        option src 'lan'

config forwarding
        option dest 'vdsl'
        option src 'lan'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'wireguard'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'wireguard'

iptables-save

First of all, 208.0.0.0/24 is already registered public IP space. You shouldn't be using it in your WireGuard tunnel. You can pick, for example, 192.168.8.0/24.

Regarding your problem, I suppose that eth1 is working because it has the lower metric in the main routing table.
Other than that, the following output will also be needed: uci export mwan3; mwan3 status; ip -4 ro li tab all


Whoops, thanks for pointing that out. No idea why I didn't check whether that is a private subnet; I'll change it once I have solved the original issue :smiley:

Interesting theory; what is odd is that the metrics of the interfaces were the same in 18.06.

uci export mwan3 > uciexportmwan3
package mwan3

config rule 'stuff'
	option src_ip '192.168.1.179'
	option proto 'all'
	option sticky '0'
	option use_policy 'cable_vdsl'

config rule 'outgoingvpnclient'
	option proto 'udp'
	option sticky '0'
	option use_policy 'vdsl_only'
	option dest_port '1337'

config rule 'shield'
	option src_ip '192.168.1.185'
	option proto 'all'
	option sticky '0'
	option use_policy 'vdsl_cable'

config rule 'vpn_upload'
	option proto 'all'
	option sticky '0'
	option use_policy 'vdsl_cable'
	option dest_ip '84.185.101.225'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option src_ip '192.168.1.0/24'
	option timeout '60'
	option use_policy 'cable_vdsl'

config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option src_ip '192.168.1.0/24'
	option proto 'all'
	option sticky '0'
	option use_policy 'cable_vdsl'

config rule 'tv'
	option proto 'all'
	option sticky '0'
	option src_ip '192.168.1.144'
	option use_policy 'vdsl_cable'

config rule 'hackintosh'
	option src_ip '192.168.1.235'
	option proto 'all'
	option sticky '0'
	option use_policy 'vdsl_cable'

config rule 'https_cloud'
	option src_ip '10.0.0.0/24'
	option dest_port '443'
	option proto 'tcp'
	option sticky '1'
	option use_policy 'vdsl_cable'

config rule 'default_cloud'
	option src_ip '10.0.0.0/24'
	option proto 'all'
	option sticky '0'
	option use_policy 'vdsl_cable'

config rule 'default'
	option proto 'all'
	option sticky '0'
	option use_policy 'cable_vdsl'

config globals 'globals'
	option mmx_mask '0x3F00'
	option local_source 'lan'

config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option initial_state 'online'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '1.1.1.1'
	list track_ip '1.0.0.1'
	option track_method 'ping'
	option size '56'
	option recovery_interval '5'
	option interval '1'
	option failure_interval '3'
	option down '2'
	option up '5'
	option check_quality '0'

config member 'cable_m1_w2'
	option interface 'wan'
	option metric '1'
	option weight '2'

config member 'cable_m2_w2'
	option interface 'wan'
	option metric '2'
	option weight '2'

config member 'vdsl_m1_w2'
	option interface 'vdsl'
	option metric '1'
	option weight '2'

config member 'vdsl_m2_w2'
	option interface 'vdsl'
	option metric '2'
	option weight '2'

config policy 'cable_only'
	list use_member 'cable_m1_w2'

config policy 'vdsl_only'
	list use_member 'vdsl_m1_w2'

config policy 'balanced'
	list use_member 'cable_m1_w2'
	list use_member 'vdsl_m1_w2'

config policy 'cable_vdsl'
	list use_member 'cable_m1_w2'
	list use_member 'vdsl_m2_w2'

config policy 'vdsl_cable'
	list use_member 'cable_m2_w2'
	list use_member 'vdsl_m1_w2'

config interface 'vdsl'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	option track_method 'ping'
	option count '1'
	option size '56'
	option check_quality '0'
	option timeout '2'
	option recovery_interval '5'
	option reliability '2'
	list track_ip '8.8.8.8'
	list track_ip '1.1.1.1'
	list track_ip '8.8.4.4'
	list track_ip '1.0.0.1'
	option interval '1'
	option failure_interval '3'
	option down '2'
	option up '5'
mwan3 status > mwan3status
Interface status:
 interface wan is online 26h:59m:08s, uptime 26h:59m:14s and tracking is active
 interface vdsl is online 02h:58m:56s, uptime 02h:58m:57s and tracking is active

Current ipv4 policies:
balanced:
 vdsl (50%)
 wan (50%)
cable_only:
 wan (100%)
cable_vdsl:
 wan (100%)
vdsl_cable:
 vdsl (100%)
vdsl_only:
 vdsl (100%)

Current ipv6 policies:
balanced:
 unreachable
cable_only:
 unreachable
cable_vdsl:
 unreachable
vdsl_cable:
 unreachable
vdsl_only:
 unreachable

Directly connected ipv4 networks:
208.0.0.0/24
10.0.0.0/24
200.0.0.0/24
192.168.1.0/24
172.30.172.10
127.0.0.0/8
83.xxx.xxx.xxx
62.214.63.97
169.254.1.0/24
224.0.0.0/3
172.30.172.9
185.xxx.xxx.0/24
172.30.172.1

Directly connected ipv6 networks:
fe80::/64
fd99:bb69:b4f1::/64

Active ipv4 user rules:
    0     0 - cable_vdsl  all  --  *      *       192.168.1.179        0.0.0.0/0            
    1   172 - vdsl_only  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1337 
 1603  102K - vdsl_cable  all  --  *      *       192.168.1.185        0.0.0.0/0            
    0     0 - vdsl_cable  all  --  *      *       0.0.0.0/0            84.185.101.225       
 1929  123K S https  tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            multiport dports 443 
 1370  548K - cable_vdsl  all  --  *      *       192.168.1.0/24       0.0.0.0/0            
    0     0 - vdsl_cable  all  --  *      *       192.168.1.144        0.0.0.0/0            
    0     0 - vdsl_cable  all  --  *      *       192.168.1.235        0.0.0.0/0            
  107  6889 S https_cloud  tcp  --  *      *       10.0.0.0/24          0.0.0.0/0            multiport dports 443 
  301 20920 - vdsl_cable  all  --  *      *       10.0.0.0/24          0.0.0.0/0            
45455 3747K - cable_vdsl  all  --  *      *       0.0.0.0/0            0.0.0.0/0            

Active ipv6 user rules:
    0     0 - vdsl_only  udp      *      *       ::/0                 ::/0                 multiport dports 1337 
 1931  486K - cable_vdsl  all      *      *       ::/0                 ::/0                 
ip -4 ro li tab all
default via 185.xxx.xxx.1 dev eth1 table 1 metric 10 
10.0.0.0/24 dev eth0.30 table 1 proto kernel scope link src 10.0.0.1 
62.214.63.97 dev pppoe-vdsl table 1 proto kernel scope link src 83.xxx.xxx.xxx 
169.254.1.0/24 dev eth0.3 table 1 proto kernel scope link src 169.254.1.2 
172.30.172.1 via 172.30.172.9 dev tun0 table 1 
172.30.172.9 dev tun0 table 1 proto kernel scope link src 172.30.172.10 
185.xxx.xxx.0/24 dev eth1 table 1 proto static scope link metric 10 
192.168.1.0/24 dev br-lan table 1 proto kernel scope link src 192.168.1.1 
200.0.0.0/24 via 172.30.172.9 dev tun0 table 1 
208.0.0.0/24 dev wireguard table 1 proto kernel scope link src 208.0.0.1 
208.0.0.2 dev wireguard table 1 proto static scope link 
208.0.0.3 dev wireguard table 1 proto static scope link 
208.0.0.4 dev wireguard table 1 proto static scope link 
default via 62.214.63.97 dev pppoe-vdsl table 2 metric 20 
10.0.0.0/24 dev eth0.30 table 2 proto kernel scope link src 10.0.0.1 
62.214.63.97 dev pppoe-vdsl table 2 proto kernel scope link src 83.xxx.xxx.xxx 
169.254.1.0/24 dev eth0.3 table 2 proto kernel scope link src 169.254.1.2 
172.30.172.1 via 172.30.172.9 dev tun0 table 2 
172.30.172.9 dev tun0 table 2 proto kernel scope link src 172.30.172.10 
185.xxx.xxx.0/24 dev eth1 table 2 proto static scope link metric 10 
192.168.1.0/24 dev br-lan table 2 proto kernel scope link src 192.168.1.1 
200.0.0.0/24 via 172.30.172.9 dev tun0 table 2 
208.0.0.0/24 dev wireguard table 2 proto kernel scope link src 208.0.0.1 
208.0.0.2 dev wireguard table 2 proto static scope link 
208.0.0.3 dev wireguard table 2 proto static scope link 
208.0.0.4 dev wireguard table 2 proto static scope link 
default via 185.xxx.xxx.1 dev eth1 proto static src 185.xxx.xxx.xxx metric 10 
default via 62.214.63.97 dev pppoe-vdsl proto static metric 20 
10.0.0.0/24 dev eth0.30 proto kernel scope link src 10.0.0.1 
62.214.63.97 dev pppoe-vdsl proto kernel scope link src 83.xxx.xxx.xxx 
169.254.1.0/24 dev eth0.3 proto kernel scope link src 169.254.1.2 
172.30.172.1 via 172.30.172.9 dev tun0 
172.30.172.9 dev tun0 proto kernel scope link src 172.30.172.10 
185.xxx.xxx.0/24 dev eth1 proto static scope link metric 10 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
200.0.0.0/24 via 172.30.172.9 dev tun0 
208.0.0.0/24 dev wireguard proto kernel scope link src 208.0.0.1 
208.0.0.2 dev wireguard proto static scope link 
208.0.0.3 dev wireguard proto static scope link 
208.0.0.4 dev wireguard proto static scope link 
broadcast 10.0.0.0 dev eth0.30 table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev eth0.30 table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev eth0.30 table local proto kernel scope link src 10.0.0.1 
local 83.xxx.xxx.xxx dev pppoe-vdsl table local proto kernel scope host src 83.xxx.xxx.xxx 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 169.254.1.0 dev eth0.3 table local proto kernel scope link src 169.254.1.2 
local 169.254.1.2 dev eth0.3 table local proto kernel scope host src 169.254.1.2 
broadcast 169.254.1.255 dev eth0.3 table local proto kernel scope link src 169.254.1.2 
local 172.30.172.10 dev tun0 table local proto kernel scope host src 172.30.172.10 
broadcast 185.xxx.xxx.0 dev eth1 table local proto kernel scope link src 185.xxx.xxx.xxx 
local 185.xxx.xxx.xxx dev eth1 table local proto kernel scope host src 185.xxx.xxx.xxx 
broadcast 185.xxx.xxx.255 dev eth1 table local proto kernel scope link src 185.xxx.xxx.xxx 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 208.0.0.0 dev wireguard table local proto kernel scope link src 208.0.0.1 
local 208.0.0.1 dev wireguard table local proto kernel scope host src 208.0.0.1 
broadcast 208.0.0.255 dev wireguard table local proto kernel scope link src 208.0.0.1 
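
To make the diagnosis in this thread concrete, here is an added example (not code from any of the posts) that walks the ip -4 ru rules and the table 1 / table 2 / main routes posted above the way the kernel does: first matching rule in priority order, then longest prefix and lowest metric within that table, falling through to the next rule when a table has no route. Only the selectors that occur in the posted rules are modelled (iif, fwmark/mask, blackhole, unreachable), plus "from", which ip rule also supports. The client address is a constructed stand-in because the real one is obfuscated in the thread, and the tables are trimmed to the routes that matter for an Internet destination. It shows that a locally generated reply carrying no mwan3 fwmark never hits the iif or fwmark rules and ends up in the main table, where eth1 wins on metric, while the same packet with the 0x200 mark lands in table 2 and leaves via pppoe-vdsl.

```python
"""Policy-routing walk-through for the rules and tables posted in this thread.

Added example, not from the original posts.  Re-implements the part of the
Linux lookup that matters here: walk `ip rule` entries in priority order, take
the first whose selectors match, do a longest-prefix / lowest-metric lookup in
that table, and fall through to the next rule if the table has no route.
"""
import ipaddress

# Rules transcribed from the 'ip -4 ru' output posted above (priority order).
RULES = [
    {"prio": 0,     "lookup": "local"},
    {"prio": 1001,  "iif": "eth1",       "lookup": "1"},
    {"prio": 1002,  "iif": "pppoe-vdsl", "lookup": "2"},
    {"prio": 2001,  "fwmark": 0x100,  "mask": 0x3f00, "lookup": "1"},
    {"prio": 2002,  "fwmark": 0x200,  "mask": 0x3f00, "lookup": "2"},
    {"prio": 2061,  "fwmark": 0x3d00, "mask": 0x3f00, "action": "blackhole"},
    {"prio": 2062,  "fwmark": 0x3e00, "mask": 0x3f00, "action": "unreachable"},
    {"prio": 32766, "lookup": "main"},
    {"prio": 32767, "lookup": "default"},
]

# Tables condensed from 'ip -4 ro li tab all': (prefix, device, metric).
# Only routes relevant to the traced packets are kept; the local table is
# left empty because none of the traced destinations is a router address.
TABLES = {
    "local":   [],
    "1":       [("0.0.0.0/0", "eth1", 10), ("10.0.0.0/24", "eth0.30", 0)],
    "2":       [("0.0.0.0/0", "pppoe-vdsl", 20), ("10.0.0.0/24", "eth0.30", 0)],
    "main":    [("0.0.0.0/0", "eth1", 10), ("0.0.0.0/0", "pppoe-vdsl", 20),
                ("10.0.0.0/24", "eth0.30", 0)],
    "default": [],
}


def rule_matches(rule, pkt):
    """Every selector present on the rule must match the packet."""
    if "iif" in rule and pkt.get("iif") != rule["iif"]:
        return False
    if "fwmark" in rule and (pkt.get("fwmark", 0) & rule["mask"]) != rule["fwmark"]:
        return False
    if "from" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["from"]):
        return False
    return True


def table_lookup(table, dst):
    """Longest prefix match, then lowest metric, like the kernel FIB."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, metric in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, dev)
    return best[1] if best else None


def route(pkt):
    """Return (matching rule priority, table or action, egress device)."""
    for rule in RULES:
        if not rule_matches(rule, pkt):
            continue
        if "action" in rule:
            return rule["prio"], rule["action"], None
        dev = table_lookup(rule["lookup"], pkt["dst"])
        if dev is not None:
            return rule["prio"], rule["lookup"], dev
        # No route in this table: fall through to the next rule.
    return None, None, None


# Constructed stand-in for the client's obfuscated 80.xxx.xxx.xxx address.
CLIENT = "198.51.100.10"


def reply_unmarked():
    """A locally generated WireGuard reply with no mwan3 mark set."""
    return route({"dst": CLIENT, "src": "192.168.1.1", "fwmark": 0})


def reply_marked_for_vdsl():
    """The same reply if it carried mwan3's table-2 mark (0x200)."""
    return route({"dst": CLIENT, "src": "192.168.1.1", "fwmark": 0x200})


def forwarded_inbound_from_vdsl():
    """A DNATed inbound packet (the 'ssh vdsl' redirect to 10.0.0.12) that
    arrived on pppoe-vdsl is pinned to table 2 by the iif rule."""
    return route({"dst": "10.0.0.12", "src": CLIENT, "iif": "pppoe-vdsl"})


if __name__ == "__main__":
    print("unmarked reply       :", reply_unmarked())
    print("reply marked 0x200   :", reply_marked_for_vdsl())
    print("inbound, iif vdsl    :", forwarded_inbound_from_vdsl())
```

The iif rules only ever see packets that arrived on a WAN interface, and the fwmark rules only see packets something (mwan3's mangle chains) has marked; a reply the router itself generates has neither, which is exactly why it follows the main table's metric order regardless of which WAN the request came in on.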

One more thing I forgot to ask; when you upgraded to 19.07, did you install clean or you kept the settings?

I kept the settings.

Okay, this is not advised when moving between major versions. I don't see any issue here, and it wouldn't surprise me if some configuration is not compatible.
I'd suggest taking a backup and resetting the 19.07 install, then start configuring manually from scratch. Do the most important things first: create the interfaces, set up the wg server, and set up mwan3.


Hmm, I see. That would be a bit annoying; certainly doable, but nothing that I would like to do every year or every two years when a new major release comes out :expressionless:

I followed your hunch and ran a tcpdump on the router listening for all packets coming from my mobile's IP when it tries to connect to the WireGuard server.

  • 80.xxx.xxx.xxx: IP of my mobile
  • 83.xxx.xxx.xxx: External IP of pppoe-vdsl
  • 185.xxx.xxx.xxx: External IP of eth1

Here I am connecting to eth1's external IP address:

root@openwrt:~# tcpdump -i any -vn host 80.xxx.xxx.xxx
21:21:13.729947 IP (tos 0x0, ttl 50, id 1086, offset 0, flags [none], proto UDP (17), length 176)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 148
21:21:13.731457 IP (tos 0x88, ttl 64, id 11563, offset 0, flags [none], proto UDP (17), length 120)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.20703: UDP, length 92
21:21:13.778814 IP (tos 0x0, ttl 50, id 11947, offset 0, flags [none], proto UDP (17), length 60)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 32
21:21:14.339923 IP (tos 0x0, ttl 50, id 40405, offset 0, flags [none], proto UDP (17), length 60)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 32
21:21:14.351903 IP (tos 0x0, ttl 50, id 6373, offset 0, flags [none], proto UDP (17), length 124)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 96
21:21:14.355943 IP (tos 0x0, ttl 50, id 45006, offset 0, flags [none], proto UDP (17), length 124)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 96
21:21:14.358685 IP (tos 0x0, ttl 50, id 39388, offset 0, flags [none], proto UDP (17), length 124)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 96
21:21:14.372334 IP (tos 0x0, ttl 64, id 11566, offset 0, flags [none], proto UDP (17), length 284)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.20703: UDP, length 256
21:21:14.375034 IP (tos 0x0, ttl 64, id 11567, offset 0, flags [none], proto UDP (17), length 140)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.20703: UDP, length 112
21:21:14.378569 IP (tos 0x0, ttl 64, id 11568, offset 0, flags [none], proto UDP (17), length 252)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.20703: UDP, length 224
21:21:15.759176 IP (tos 0x0, ttl 50, id 9490, offset 0, flags [none], proto UDP (17), length 124)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 96
21:21:15.775158 IP (tos 0x0, ttl 50, id 53064, offset 0, flags [none], proto UDP (17), length 124)
    80.xxx.xxx.xxx.20703 > 185.xxx.xxx.xxx.13377: UDP, length 96
21:21:15.775400 IP (tos 0x0, ttl 64, id 11656, offset 0, flags [none], proto UDP (17), length 188)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.20703: UDP, length 160
21:21:15.776774 IP (tos 0x0, ttl 64, id 11657, offset 0, flags [none], proto UDP (17), length 188)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.20703: UDP, length 160

This is connecting to pppoe-vdsl; the responses are still sent via eth1, so I think your theory might be correct.

root@openwrt:~# tcpdump -i any -vn host 80.xxx.xxx.xxx
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:22:19.314777 IP (tos 0x0, ttl 51, id 64203, offset 0, flags [none], proto UDP (17), length 176)
    80.xxx.xxx.xxx.21557 > 83.xxx.xxx.xxx.13377: UDP, length 148
21:22:19.316225 IP (tos 0x88, ttl 64, id 12007, offset 0, flags [none], proto UDP (17), length 120)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.21557: UDP, length 92
21:22:24.598852 IP (tos 0x0, ttl 50, id 25182, offset 0, flags [none], proto UDP (17), length 176)
    80.xxx.xxx.xxx.21557 > 83.xxx.xxx.xxx.13377: UDP, length 148
21:22:24.600243 IP (tos 0x88, ttl 64, id 12129, offset 0, flags [none], proto UDP (17), length 120)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.21557: UDP, length 92
21:22:29.771149 IP (tos 0x0, ttl 50, id 47446, offset 0, flags [none], proto UDP (17), length 176)
    80.xxx.xxx.xxx.21557 > 83.xxx.xxx.xxx.13377: UDP, length 148
21:22:29.772638 IP (tos 0x88, ttl 64, id 12545, offset 0, flags [none], proto UDP (17), length 120)
    185.xxx.xxx.xxx.13377 > 80.xxx.xxx.xxx.21557: UDP, length 92

Knowing more about the cause, I was able to find this issue https://github.com/openwrt/packages/issues/9538 which has some pointers; I will try to figure it out tomorrow.

Thank you for your help so far!

It's weird to say:

For outgoing router traffic the nat prerouting hook is not passed through by the firewall, because it does not exist! Only for forwarded traffic. So a rule on mwan3 for router traffic makes no sense.

The mwan3_hook applies to OUTPUT too. Maybe they added it later.

Does it? I think it used to, but was changed in this PR https://github.com/openwrt/packages/pull/6515

On 18.06 I am seeing mwan3_ifaces_out and mwan3_iface_out_(wan/vdsl); on 19.07 the output seems to be handled by different routing tables(?), which seem to be ignored by wireguard.

I'll add a reply to the issue I linked and check if the maintainers consider it a bug (because it worked previously) or a feature :smiley:

No need, we can ask them here. @aaronjg @feckert


@trendy - thanks for the ping

@dsander - I'm trying to understand your setup a bit more and how you are trying to set up the wireguard peers.

I'm a bit confused with the terminology since you refer to both connecting from the WAN (eth1) but also from the LAN. If I understand correctly, you are not trying to initiate the wireguard connection from the router, but rather to have a remote wireguard peer initiate the connection to the router. Is that correct?

If that is the case, what should happen is that the packet should come in on one of the WAN interfaces, and it should match one of the rules in mwan3_ifaces_in, then it should get marked, that mark should be saved, and then when the outgoing packet comes from the wireguard server, it should get marked again with the CONNMARK restore rule. Something is breaking down along the way. From the github issue, you seem fairly proficient with setting up iptables logging rules. Could you add a few more rules to see if we can identify where this is breaking down?

Meanwhile, if you are able to, can you test the mwan3 version from 18.06 on the 19.07 install and see if the problem is resolved. This will help isolate the problem to mwan3, to see if that is in fact the issue. If that fixes it, could you also test the version from snapshot? There have been a few changes that are not backported to 19.07.

Yes, the mwan3_hook applies on the OUTPUT chain. Even at that commit, it still applied:

Though, that commit was made before I was a maintainer, so I can't comment on the intention or the testing that went into it.


Yes that is correct. I am trying to connect to a wireguard server. By saying I am able to connect to the WAN IPs of both interfaces via the LAN I was trying to narrow down the issue for you who know more about routing than me. So:

  • Connecting a client which has connectivity to the LAN works via both WAN IPs
  • Connecting a client which isn't in the LAN works via the WAN IP of eth1
  • Connecting a client which isn't in the LAN does NOT work via the WAN IP of pppoe-vdsl

Routing isn't my strong suit, but I am more than happy to help debug the issue; since my router has a dual boot feature, I have no issue with potentially bricking one of the EEPROM/BIOSes (sorry, I don't know the proper term) :smiley:

I was trying to do that myself before but was not able to find an older package than this https://downloads.openwrt.org/releases/19.07.0/packages/arm_cortex-a9_vfpv3-d16/packages/mwan3_2.8.15-1_all.ipk for 19.07. Do I just replace the scripts from an older version of the package on the router?

Of course, trying to find the problem sounds better than my current plan of either staying on 18.06 or switching to multiple routers to potentially resolve the issue.


I was trying to do that myself before but was not able to find an older package than this

Try these two: the fact that they are for different versions should not present an issue, though you may need to install with --force-depends.

https://downloads.openwrt.org/releases/18.06.9/packages/arm_cortex-a8_vfpv3/packages/mwan3_2.6.18-1-1_all.ipk

https://downloads.openwrt.org/snapshots/packages/arm_cortex-a8_vfpv3/packages/mwan3_2.10.5-1_all.ipk

If you want to try to get even more precise on where things broke down, you could check out the package repo, and do a git bisect and copy over the scripts at each point, but that is a fairly high effort way to go, and we can likely diagnose the issue without doing that.

You had added some log rules in the github issue like:

iptables -t mangle -I mwan3_hook 2 -p udp --sport 13377 -j LOG --log-prefix '...'

Can you add some more rules like that throughout the mwan3 mangle tables to try to home in on where things are going awry? For starters it would be good to have rules before/after the conmark restore, iface_in, and conmark save.


I was able to find the commit: https://github.com/openwrt/packages/commit/f54c2f3157b71bf21754368d823d7eb28f3c11d6

Before this change the main routing table had this entry, which is missing in later versions:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 lo

Some of the comments in https://github.com/openwrt/packages/issues/9538 suggest that wireguard uses the default route for outgoing packets. My guess is that with the previous default route being the router itself, the packets would be properly routed through the source interface by mwan3_hook. Without the route wireguard picks the next interface (eth1 in my case), which is "wrong" because they came in via pppoe-vdsl.

Since the local_source option was removed I am not sure if I can make my current setup work with just one router. Having a second device that handles the wireguard tunnels would probably work, but just thinking about the interfaces/vlans/routing and firewall rules already makes my head hurt :smiley:

Thanks for locating the commit. The loopback has not been supported in mwan3 for some time now. However, your use case is common enough that it should be supported, so I'm happy to work to fix it if you are willing to provide more debug logs.

My understanding is that wireguard does not bind to a specific interface, so the kernel routing rules are choosing the outgoing interface. Since the connection is coming in on pppoe-vdsl, it should have a conntrack entry, and mwan3 should know to return the packets out of the interface that the connection was established on.

Obviously, something is not working correctly, since the packets aren't making it back, but I would need to see more debugging logs to figure out what is going wrong and how to fix it.


Glad to hear that!

Here is the output of the debug hooks you asked for in the previous post:

Edit: forgot to mention I am now using mwan3 - 2.10.5-1

# iptables -t mangle -L --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    mwan3_hook  all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
2    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone vdsl MTU fixing */ TCPMSS clamp to PMTU
4    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone vdsl MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    mwan3_hook  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain mwan3_connected (2 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected dst MARK or 0x3f00

Chain mwan3_hook (2 references)
num  target     prot opt source               destination
1    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:13377 LOG flags 0 level 4 prefix "D WGh b CONNMARK restore: "
2    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:13377 LOG flags 0 level 4 prefix "S WGh b CONNMARK restore: "
3    CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 CONNMARK restore mask 0x3f00
4    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:13377 LOG flags 0 level 4 prefix "D WGh a CONNMARK restore: "
5    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:13377 LOG flags 0 level 4 prefix "S WGh a CONNMARK restore: "
6    mwan3_ifaces_in  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
7    mwan3_connected  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
8    mwan3_rules  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
9    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:13377 LOG flags 0 level 4 prefix "D WGh b CONNMARK save: "
10   LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:13377 LOG flags 0 level 4 prefix "S WGh b CONNMARK save: "
11   CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0x3f00
12   LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:13377 LOG flags 0 level 4 prefix "D WGh a CONNMARK save: "
13   LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:13377 LOG flags 0 level 4 prefix "S WGh a CONNMARK save: "
14   mwan3_connected  all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00

Chain mwan3_iface_in_vdsl (1 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
2    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* vdsl */ MARK xset 0x200/0x3f00

Chain mwan3_iface_in_wan (1 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
2    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00

Chain mwan3_ifaces_in (1 references)
num  target     prot opt source               destination
1    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:13377 LOG flags 0 level 4 prefix "D WGh b mwan3_ifaces_in: "
2    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:13377 LOG flags 0 level 4 prefix "S WGh b mwan3_ifaces_in: "
3    mwan3_iface_in_wan  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
4    mwan3_iface_in_vdsl  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
5    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:13377 LOG flags 0 level 4 prefix "D WGh a mwan3_ifaces_in: "
6    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:13377 LOG flags 0 level 4 prefix "S WGh a mwan3_ifaces_in: "

Chain mwan3_policy_balanced (0 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 statistic mode random probability 0.50000000000 /* vdsl 2 4 */ MARK xset 0x200/0x3f00
2    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 2 2 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_cable_only (0 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 2 2 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_cable_vdsl (4 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 2 2 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_vdsl_cable (6 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* vdsl 2 2 */ MARK xset 0x200/0x3f00

Chain mwan3_policy_vdsl_only (1 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* vdsl 2 2 */ MARK xset 0x200/0x3f00

Chain mwan3_rule_https (1 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 MARK xset 0x100/0x3f00
2    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x100/0x3f00 ! match-set mwan3_sticky_https src,src MARK and 0xffffc0ff
3    mwan3_policy_cable_vdsl  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
4    SET        all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_https src,src
5    SET        all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_https src,src

Chain mwan3_rule_https_cloud (1 references)
num  target     prot opt source               destination
1    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 MARK xset 0x200/0x3f00
2    MARK       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x200/0x3f00 ! match-set mwan3_sticky_https_cloud src,src MARK and 0xffffc0ff
3    mwan3_policy_vdsl_cable  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
4    SET        all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_https_cloud src,src
5    SET        all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_https_cloud src,src

Chain mwan3_rules (1 references)
num  target     prot opt source               destination
1    mwan3_policy_cable_vdsl  all  --  192.168.1.179        0.0.0.0/0            mark match 0x0/0x3f00
2    mwan3_policy_vdsl_only  udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1337 mark match 0x0/0x3f00
3    mwan3_policy_vdsl_cable  all  --  192.168.1.185        0.0.0.0/0            mark match 0x0/0x3f00
4    mwan3_policy_vdsl_cable  all  --  0.0.0.0/0            84.185.101.225       mark match 0x0/0x3f00
5    mwan3_rule_https  tcp  --  192.168.1.0/24       0.0.0.0/0            multiport dports 443 mark match 0x0/0x3f00
6    mwan3_policy_cable_vdsl  all  --  192.168.1.0/24       0.0.0.0/0            mark match 0x0/0x3f00
7    mwan3_policy_vdsl_cable  all  --  192.168.1.144        0.0.0.0/0            mark match 0x0/0x3f00
8    mwan3_policy_vdsl_cable  all  --  192.168.1.235        0.0.0.0/0            mark match 0x0/0x3f00
9    mwan3_rule_https_cloud  tcp  --  10.0.0.0/24          0.0.0.0/0            multiport dports 443 mark match 0x0/0x3f00
10   mwan3_policy_vdsl_cable  all  --  10.0.0.0/24          0.0.0.0/0            mark match 0x0/0x3f00
11   mwan3_policy_cable_vdsl  all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00

Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.827335] D WGh b CONNMARK restore: IN=pppoe-vdsl OUT= MAC= SRC=80.xxx.xxx.xxx DST=87.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3770 PROTO=UDP SPT=7952 DPT=13377 LEN=156
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.843240] D WGh a CONNMARK restore: IN=pppoe-vdsl OUT= MAC= SRC=80.xxx.xxx.xxx DST=87.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3770 PROTO=UDP SPT=7952 DPT=13377 LEN=156
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.859141] D WGh b mwan3_ifaces_in: IN=pppoe-vdsl OUT= MAC= SRC=80.xxx.xxx.xxx DST=87.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3770 PROTO=UDP SPT=7952 DPT=13377 LEN=156
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.874960] D WGh a mwan3_ifaces_in: IN=pppoe-vdsl OUT= MAC= SRC=80.xxx.xxx.xxx DST=87.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3770 PROTO=UDP SPT=7952 DPT=13377 LEN=156 MARK=0x200
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.891731] D WGh b CONNMARK save: IN=pppoe-vdsl OUT= MAC= SRC=80.xxx.xxx.xxx DST=87.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3770 PROTO=UDP SPT=7952 DPT=13377 LEN=156 MARK=0x200
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.908325] D WGh a CONNMARK save: IN=pppoe-vdsl OUT= MAC= SRC=80.xxx.xxx.xxx DST=87.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3770 PROTO=UDP SPT=7952 DPT=13377 LEN=156 MARK=0x200
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.926522] S WGh b CONNMARK restore: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60608 PROTO=UDP SPT=13377 DPT=7952 LEN=100
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.941651] S WGh a CONNMARK restore: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60608 PROTO=UDP SPT=13377 DPT=7952 LEN=100
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.956777] S WGh b mwan3_ifaces_in: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60608 PROTO=UDP SPT=13377 DPT=7952 LEN=100
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.971814] S WGh a mwan3_ifaces_in: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60608 PROTO=UDP SPT=13377 DPT=7952 LEN=100
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.986860] S WGh b CONNMARK save: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60608 PROTO=UDP SPT=13377 DPT=7952 LEN=100 MARK=0x100
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73329.002674] S WGh a CONNMARK save: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60608 PROTO=UDP SPT=13377 DPT=7952 LEN=100 MARK=0x100

Thanks. That log is super helpful.

It looks like the packet comes in on pppoe-vdsl to 87.xxx.xxx.xxx but then wireguard sends the reply with a src ip of 185.xxx.xxx.xxx, which is why CONNMARK is not restoring the 0x200 mark, and why it is sent out of the wrong interface.

If you disable mwan3, NAT, and masquerading, does this work as expected? If not (which would be my guess from the iptables logs), then it is likely a wireguard issue.

On this forum post, Jason confirms that the src ip of the reply should be the same as the IP that received the connection. https://lists.zx2c4.com/pipermail/wireguard/2017-November/002019.html

so at first client 2.2.2.2:51820 connects to server 1.1.1.1:51820
but then server uses 172.18.1.254 (lan ip address) to reply and port 51820
is NATed to 1085 so the communication is broken.

The server should use 1.1.1.1 to reply. If it's not, that's a bug that
I should fix. Can you give me a minimal configuration for reproducing
this setup, so that I can fix whatever issue is occurring?
Thanks,
Jason

It sounded like Jason was interested in fixing the problem, but the other user never produced a minimal example.
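
A way to check this mechanically, as an added example and not code from the thread, mwan3 or WireGuard: the shell function below reads kernel LOG lines in the format posted above and reports every reply whose source address differs from the address the request arrived on, and every reply that passed the CONNMARK restore rule without receiving a mark. The SAMPLE_LOG lines are constructed on the posted format (addresses masked the same way); the last two model a healthy flow that arrived on eth1 for contrast.

```shell
#!/bin/sh
# Added example, not code from the thread or from mwan3: scan the kernel LOG lines
# emitted by the "WGh a CONNMARK restore" rules (the state right after the restore)
# and report replies whose source address differs from the address the request
# arrived on, or whose mark was not restored.
# SAMPLE_LOG is constructed in the same format as the log posted above.

SAMPLE_LOG='Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.843240] D WGh a CONNMARK restore: IN=pppoe-vdsl OUT= MAC= SRC=80.xxx.xxx.xxx DST=87.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3770 PROTO=UDP SPT=7952 DPT=13377 LEN=156
Tue Dec 29 12:26:50 2020 kern.warn kernel: [73328.941651] S WGh a CONNMARK restore: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60608 PROTO=UDP SPT=13377 DPT=7952 LEN=100
Tue Dec 29 12:26:51 2020 kern.warn kernel: [73329.100000] D WGh a CONNMARK restore: IN=eth1 OUT= MAC= SRC=80.xxx.xxx.xxx DST=185.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=51 ID=3771 PROTO=UDP SPT=7953 DPT=13377 LEN=156 MARK=0x100
Tue Dec 29 12:26:51 2020 kern.warn kernel: [73329.110000] S WGh a CONNMARK restore: IN= OUT=eth1 SRC=185.xxx.xxx.xxx DST=80.xxx.xxx.xxx LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=60609 PROTO=UDP SPT=13377 DPT=7953 LEN=100 MARK=0x100'

# Reads LOG lines on stdin and prints one line per problem found
# (prints nothing when every reply is symmetric and marked).
check_wg_replies() {
    awk '
    /a CONNMARK restore:/ {
        split("", kv)                       # clear the key=value map for this line
        for (i = 1; i <= NF; i++) {
            e = index($i, "=")
            if (e) kv[substr($i, 1, e - 1)] = substr($i, e + 1)
        }
        if (kv["IN"] != "") {
            # request from a remote peer: remember the local address and the
            # interface it arrived on, keyed by the peer address:port
            key = kv["SRC"] ":" kv["SPT"]
            local_addr[key] = kv["DST"]
            in_if[key] = kv["IN"]
        } else if (kv["OUT"] != "" && (kv["DST"] ":" kv["DPT"]) in local_addr) {
            # locally generated reply to a peer whose request we have seen
            key = kv["DST"] ":" kv["DPT"]
            if (kv["SRC"] != local_addr[key])
                printf "ASYMMETRIC %s: request arrived on %s at %s, reply sourced from %s via %s\n",
                       key, in_if[key], local_addr[key], kv["SRC"], kv["OUT"]
            if (!("MARK" in kv))
                printf "NOMARK %s: CONNMARK restore left the reply unmarked\n", key
        }
    }'
}

# Run it over the constructed sample; on a router: logread | check_wg_replies
printf '%s\n' "$SAMPLE_LOG" | check_wg_replies
```

On the sample this reports the 7952 flow twice (reply sourced from 185.xxx.xxx.xxx instead of 87.xxx.xxx.xxx, and no mark restored because that reply is a different conntrack entry) and stays silent for the 7953 flow, which is exactly the split visible in the log above.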

Hello everyone. I have a similar problem. I have configured a backup LTE internet with mwan3. Everything works fine, but wireguard connects only to wan, although the Internet is on wanb; I have two default gateways, wan metric 10 and wanb (lte) metric 20. But for some reason wg tries to connect only to wan. I am not good at routing. Perhaps you can add a script in which ifdown will somehow change the priority of the default gateway. And I have Internet access configured through wan and wanb, and VPN is used to access the network behind the NAT of the Internet provider.
On wan:
WGClient(10.66.66.3)<-->VPS(212.x.x.x 10.66.66.1)<--->wan (172.17.165.64)<--> Openwrt(10.66.66.2 192.168.0.1)<-->LAN(192.168.0.0/24)
or when wan is down:
WGClient(10.66.66.3)<-->VPS(212.x.x.x 10.66.66.1)<---><--->wanb (192.168.8.1)<--> Openwrt(10.66.66.2 192.168.0.1)<-->LAN(192.168.0.0/24)

WG client has access only to the LAN, without Internet through the VPS.
All works fine on wan! But when wan is down and wanb is up, ping 10.66.66.1 is 100% lost.
When I disable the wan interface, ping 10.66.66.1 is ok.

You are correct, this seems to be a limitation of wireguard. It uses ip_route_output_flow to determine the route, which I believe solely relies on the routing table (something similar to ip route get <client IP>).

I recreated the problem on a VM (to exclude OpenWRT and mwan3) with two interfaces, the wireguard client is forwarded to the IP with a higher metric, wireguard responds using the route with the lower metric :expressionless:.

# ip route
default via 10.0.0.1 dev eth1 proto dhcp src 10.0.0.171 metric 50
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.246 metric 100
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.171 metric 50
10.0.0.1 dev eth1 proto dhcp scope link src 10.0.0.171 metric 50
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.246 metric 100
192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.246 metric 100
# tcpdump -i any -vn "(host 80.xxx.xxx.xxx or src port 13377 or dst port 13377)"
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
14:13:08.767409 IP (tos 0x0, ttl 50, id 12125, offset 0, flags [none], proto UDP (17), length 176)
    80.xxx.xxx.xxx.17819 > 192.168.1.246.13377: UDP, length 148
14:13:08.768076 IP (tos 0x88, ttl 64, id 180, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.171.13377 > .xxx.xxx.xxx.17819: UDP, length 92

Since local_source was removed from mwan3 it probably isn't a good idea to add that route manually, right?

The mailing list suggested policy based routing for a similar problem. I might read up on that and try to "bend" the outgoing connections based on the mwan3 status and my preference for the "main" wireguard WAN interface when both WANs are online.
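
One form the policy-based routing mentioned above can take, as an added example that is not from the post, mwan3 or WireGuard: a source-address rule per WAN, so that a reply sourced from a given local address is looked up in a table that only knows that address's interface. It uses the VM's interfaces and addresses from the ip route output above; the table numbers, the rule priorities and the 203.0.113.1 probe destination are assumptions.

```shell
#!/bin/sh
# Added example, not mwan3's or WireGuard's code: source-address policy routing
# for a host with two default routes, using the VM addresses from the post above.
# Table numbers 100/101, the rule priorities and the 203.0.113.1 probe address
# (a documentation address) are assumptions.
# Without these rules "ip route get <peer> from 192.168.1.246" still resolves to
# the lowest-metric default route (eth1); with a "from <addr>" rule the source
# address selects the table and therefore the interface.

# One entry per WAN: iface:local address:gateway:table (values from the VM post)
WANS='eth0:192.168.1.246:192.168.1.1:100
eth1:10.0.0.171:10.0.0.1:101'

PROBE=203.0.113.1   # assumed destination, only used to show the route decision

# Prints the ip(8) commands for one WAN. Usage: pbr_commands IFACE ADDR GW TABLE
pbr_commands() {
    iface=$1; addr=$2; gw=$3; table=$4
    # per-WAN table holding only that WAN's default route
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # "ip rule add" is not idempotent, so drop an older copy before adding it
    printf 'ip rule del priority %s 2>/dev/null || true\n' "$table"
    printf 'ip rule add from %s lookup %s priority %s\n' "$addr" "$table" "$table"
}

# Prints the full plan for every entry in WANS (dry run, nothing is changed).
pbr_plan() {
    printf '%s\n' "$WANS" | while IFS=: read -r iface addr gw table; do
        [ -n "$iface" ] && pbr_commands "$iface" "$addr" "$gw" "$table"
    done
}

# Applies the plan (needs root), then shows which device a reply sourced from
# each WAN address now leaves on.
pbr_apply() {
    pbr_plan | sh -e
    printf '%s\n' "$WANS" | while IFS=: read -r iface addr gw table; do
        [ -n "$iface" ] && ip route get "$PROBE" from "$addr"
    done
}

pbr_plan   # print the commands; call pbr_apply as root to install them
```

With the rules installed, ip route get 203.0.113.1 from 192.168.1.246 resolves to eth0 instead of eth1, so the kernel's lookup for a reply sourced from the arrival address yields the arrival interface. On the OpenWrt router mwan3 maintains its own fwmark rules and per-interface tables, so this is shown for the plain VM setup only.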

If you are able to reproduce it on the VM, I would highly suggest reaching out to Jason on the wireguard mailing list or tagging him on the github thread with your minimal example. From his earlier mailing list post, it sounds like this is not the expected behavior.

If there is not a good solution within wireguard, we can come up with another iptables way to make this work.
