I am trying to set up the WireGuard server on my OpenWrt router. When the client connects I get no RX traffic, so I checked tcpdump and the traffic is trying to return via the wrong WAN interface.
This is my setup:
    config interface 'wan'
        option proto 'dhcp' // IP: 10.76.227.120
        option device 'eth0.2'

    config interface 'wanp'
        option proto 'dhcp' // IP: 10.76.227.115
        option peerdns '0'
        option defaultroute '0'
        option device 'veth0'
The wan interface doesn't have a public IP and is used for normal traffic from the LAN (so that my normal traffic goes to the internet with a non-public shared IP address from the ISP). This interface is the default route.
The wanp interface has a public IP which is routed to my router; all incoming traffic from the internet goes to this interface, either directly to the router or port forwarded to the LAN.
My problem is that according to tcpdump I receive the WireGuard traffic on the wanp interface but it is trying to respond on the

    01:05:56.812078 IP <client_ip>.17333 > 10.76.227.115.51820: UDP, length 148
    01:05:56.812078 IP <client_ip>.17333 > 10.76.227.115.51820: UDP, length 148
    01:05:56.815154 IP 10.76.227.120.51820 > <client_ip>.17333: UDP, length 92
How can I tell WireGuard to respond on the wanp interface (or use the one on which the original packet was received)? I guess this is not specifically a problem of WireGuard, more like iptables or routing.
What I tried:
    iptables -t nat -A POSTROUTING -p udp --sport 51820 -j SNAT --to-source 10.76.227.115

After this I don't see any response in the tcpdump and it still doesn't work.
Setting up a different routing table, this also didn't work:

    echo "1 wanp" >> /etc/iproute2/rt_tables
    ip route add default via 10.76.227.65 dev veth0 src 10.76.227.115 table wanp
    iptables -t mangle -A OUTPUT -p udp --sport 51820 -j MARK --set-mark 1
    ip rule add from all fwmark 1 table wanp
For completeness this is my WireGuard config:
    config interface 'wg0'
        option proto 'wireguard'
        option private_key '<private_key>'
        option listen_port '51820'
        list addresses '10.20.1.1/24'

    config wireguard_wg0
        option description 'phone'
        option public_key '<public_key>'
        list allowed_ips '10.20.1.2/32'

    config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option proto 'udp'
        option target 'ACCEPT'
        option dest_port '51820'

And the routing table:

    default via 10.76.227.65 dev eth0.2 src 10.76.227.120
    10.10.1.0/24 dev br-lan scope link src 10.10.1.1
    10.10.2.0/24 dev br-lan_iot scope link src 10.10.2.1
    10.10.3.0/24 dev eth1.30 scope link src 10.10.3.1
    10.20.1.0/24 dev wg0 scope link src 10.20.1.1
    10.76.227.64/26 dev veth0 scope link src 10.76.227.115
    10.76.227.64/26 dev eth0.2 scope link src 10.76.227.120
Is there any other way to tell OpenWrt to respond on the same WAN interface it received the traffic on?
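The symptom in the post (handshake arrives on 10.76.227.115, reply leaves from 10.76.227.120) is easy to miss in a busy capture, so here is a small added checker that is not part of the original post or of OpenWrt: it parses `tcpdump` UDP summary lines and reports every reply whose source address differs from the address the client actually sent to. The sample capture is constructed from the three lines in the post, with the redacted `<client_ip>` replaced by the documentation address 198.51.100.7 (an assumption, not a value from the post).

```python
import re

# Constructed sample: the three tcpdump lines from the post, with the
# redacted <client_ip> replaced by the documentation address 198.51.100.7.
SAMPLE_TCPDUMP = """\
01:05:56.812078 IP 198.51.100.7.17333 > 10.76.227.115.51820: UDP, length 148
01:05:56.812078 IP 198.51.100.7.17333 > 10.76.227.115.51820: UDP, length 148
01:05:56.815154 IP 10.76.227.120.51820 > 198.51.100.7.17333: UDP, length 92
"""

# Matches the default tcpdump summary format for IPv4 UDP packets:
#   <timestamp> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_udp_lines(text):
    """Parse tcpdump UDP summary lines into dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "ts": d["ts"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "len": int(d["len"]),
        })
    return pkts


def find_asymmetric_replies(pkts, listen_port):
    """Return (client_ip, [local IPs the client sent to], reply_source_ip)
    for every server reply whose source IP is not one the client used.

    A tunnel client discards such replies, which looks like 'no RX' on the
    client side even though the server is answering."""
    inbound = {}   # (client_ip, client_port) -> set of local IPs it targeted
    findings = []
    for p in pkts:
        if p["dport"] == listen_port:
            inbound.setdefault((p["src"], p["sport"]), set()).add(p["dst"])
        elif p["sport"] == listen_port:
            targets = inbound.get((p["dst"], p["dport"]))
            if targets and p["src"] not in targets:
                findings.append((p["dst"], sorted(targets), p["src"]))
    return findings


def check_capture(text, listen_port=51820):
    """Convenience wrapper: parse and report in one call."""
    return find_asymmetric_replies(parse_udp_lines(text), listen_port)


if __name__ == "__main__":
    for client, arrived_on, replied_from in check_capture(SAMPLE_TCPDUMP):
        print(f"client {client}: sent to {arrived_on}, reply left from {replied_from}")
```

Feed it a real capture with `tcpdump -n -i any udp port 51820` and pipe the output in; any finding means the kernel chose the source address of the default route (the `src` on the `default via` line) instead of the address the packet arrived on, which is a routing-policy issue rather than a WireGuard one.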