Wireguard server can only successfully be used via one WAN interface

eglushenko · December 30, 2020, 5:10pm

Perhaps there is a solution using a script or iptables for a temporary solution. What could it be to work now?

eglushenko · January 6, 2021, 8:32am

How do this with iptables? Anybody help?

eglushenko · January 6, 2021, 8:39am

I search documentation by wireguard routes and find this:
"
WireGuard does something quite interesting. When a WireGuard interface is created (with ip link add wg0 type wireguard), it remembers the namespace in which it was created. "I was created in namespace A." Later, WireGuard can be moved to new namespaces ("I'm moving to namespace B."), but it will still remember that it originated in namespace A.
"

eglushenko · January 7, 2021, 8:13pm

I have temp solutions.
shell script

!/bin/sh
if [ "${ACTION}" = "ifdown" ] && [ "${INTERFACE}" = "wan" ];
 then
    sleep 25
   if [ping -c 1 10.66.66.1 > /dev/null];
   then
    exit 0
   else
    ifdown wan
    sleep 5
    ifup wan
    exit 0
    fi
  fi
if [ "${ACTION}" = "ifup" ] && [ "${INTERFACE}" = "wan" ];
 then
    ifdown wg
    sleep 5
    ifup wg
    exit 0
  fi

wackejohn · November 29, 2021, 8:23am

Hi,
As the wireguard team was answered, it was designed to "outbound packets follow routing table rules to select the "best" interface to send from."

https://lists.zx2c4.com/pipermail/wireguard/2021-January/006243.html

Then how to creat the iptables?

wackejohn · January 2, 2022, 1:38pm

Hi all,
I tried to make a patch for the wireguard:

github.com/openwrt/packages

wireguard can't handshake with mwan3

opened 11:33AM - 22 Jul 19 UTC

wackejohn

Maintainer: @feckert Environment: ``` OpenWrt SNAPSHOT, r10551-d616b2c906 … MWAN3 2.8.0-1 Running on turris omnia with four pppoe wan interface,two wireguard vpn client and one wireguard vpn server. ``` Description: ``` When I using the OpenWRT as a wireguard server with multi pppoe wan interface, the wireguard client failed handshake. And I found that the inbound interface and outbound interface was different. eg: My wireguard client connect the wireguard server from pppoe-wan4, but the handshake data was sent from pppoe-wan1 to the client. ``` The tcpdump output: ``` root@HOME-Router:~# tcpdump -i pppoe-wan4 -vv host 49.94.153.160 tcpdump: listening on pppoe-wan4, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 21:40:42.419873 IP (tos 0x0, ttl 113, id 5756, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:40:47.635469 IP (tos 0x0, ttl 113, id 5757, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:40:52.534148 IP (tos 0x0, ttl 113, id 5758, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:40:57.697818 IP (tos 0x0, ttl 113, id 5759, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:02.728237 IP (tos 0x0, ttl 113, id 5760, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:07.937823 IP (tos 0x0, ttl 113, id 5761, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:13.142458 IP (tos 0x0, ttl 113, id 5762, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:18.267116 IP (tos 0x0, ttl 113, id 5763, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:23.496362 IP (tos 0x0, ttl 113, id 5764, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:28.698172 IP (tos 0x0, ttl 113, id 5765, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:33.800883 IP (tos 0x0, ttl 113, id 5766, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:38.899820 IP (tos 0x0, ttl 113, id 5767, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:43.998023 IP (tos 0x0, ttl 113, id 5768, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:49.254995 IP (tos 0x0, ttl 113, id 5769, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:54.349569 IP (tos 0x0, ttl 113, id 5770, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:41:59.327974 IP (tos 0x0, ttl 113, id 5771, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:42:04.368634 IP (tos 0x0, ttl 113, id 5772, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 21:42:09.491494 IP (tos 0x0, ttl 113, id 5773, offset 0, flags [none], proto UDP (17), length 176) 49.94.153.160.12572 > 112.3.86.249.5888: [udp sum ok] UDP, length 148 ^C 18 packets captured 18 packets received by filter 0 packets dropped by kernel ``` ``` root@HOME-Router:~# tcpdump -i pppoe-wan1 -vv host 49.94.153.160 tcpdump: listening on pppoe-wan1, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 21:40:42.421591 IP (tos 0x88, ttl 64, id 1206, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:40:47.637268 IP (tos 0x88, ttl 64, id 1711, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:40:52.535810 IP (tos 0x88, ttl 64, id 1987, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:40:57.699682 IP (tos 0x88, ttl 64, id 2312, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:02.729908 IP (tos 0x88, ttl 64, id 2638, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:07.939552 IP (tos 0x88, ttl 64, id 2713, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:13.144141 IP (tos 0x88, ttl 64, id 3211, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:18.268852 IP (tos 0x88, ttl 64, id 3683, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:23.498018 IP (tos 0x88, ttl 64, id 3996, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:23.533291 IP (tos 0x0, ttl 55, id 7594, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 3996, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:28.699810 IP (tos 0x88, ttl 64, id 4312, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:28.728377 IP (tos 0x0, ttl 55, id 7901, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4312, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:33.802574 IP (tos 0x88, ttl 64, id 4486, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:33.841978 IP (tos 0x0, ttl 55, id 8313, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4486, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:38.901612 IP (tos 0x88, ttl 64, id 4495, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:38.931917 IP (tos 0x0, ttl 55, id 8498, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4495, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:43.999737 IP (tos 0x88, ttl 64, id 4549, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:44.025151 IP (tos 0x0, ttl 55, id 8577, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4549, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:49.256834 IP (tos 0x88, ttl 64, id 4879, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:49.285795 IP (tos 0x0, ttl 55, id 8663, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 4879, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:54.351222 IP (tos 0x88, ttl 64, id 5110, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:54.395633 IP (tos 0x0, ttl 55, id 8927, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5110, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:59.329684 IP (tos 0x88, ttl 64, id 5361, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:41:59.368025 IP (tos 0x0, ttl 55, id 9212, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5361, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:04.370263 IP (tos 0x88, ttl 64, id 5540, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:04.409760 IP (tos 0x0, ttl 55, id 9586, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5540, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:09.493346 IP (tos 0x88, ttl 64, id 5932, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 21:42:09.532424 IP (tos 0x0, ttl 55, id 9895, offset 0, flags [none], proto ICMP (1), length 148) 49.94.153.160 > 114.228.200.208: ICMP 49.94.153.160 udp port 12572 unreachable, length 128 IP (tos 0x0, ttl 55, id 5932, offset 0, flags [none], proto UDP (17), length 120) 114.228.200.208.5888 > 49.94.153.160.12572: [udp sum ok] UDP, length 92 ``` The output showed that my client(49.94.153.160) connect server (112.3.86.249:5888), but the handshake data was sent from (114.228.200.208). Maybe it's because the wireguard can't bind to specific interface?

Tested working!!!