Hello,
I am trying to set up the WireGuard server on my OpenWrt router. When the client connects I get no RX traffic, so I checked with tcpdump, and the traffic is trying to return via the wrong WAN interface.
This is my setup:
config interface 'wan'
	option proto 'dhcp'    # IP: 10.76.227.120
	option device 'eth0.2'

config interface 'wanp'
	option proto 'dhcp'    # IP: 10.76.227.115
	option peerdns '0'
	option defaultroute '0'
	option device 'veth0'
The wan interface doesn't have a public IP and is used for normal traffic from the LAN (so that my normal traffic goes to the internet with a non-public, shared IP address from the ISP). This interface is the default route.
The wanp interface has a public IP which is routed to my router; all incoming traffic from the internet goes to this interface, either directly to the router or port forwarded to the LAN.
My problem is that according to tcpdump I receive the WireGuard traffic on the wanp interface, but it is trying to respond on the wan interface:
01:05:56.812078 IP <client_ip>.17333 > 10.76.227.115.51820: UDP, length 148
01:05:56.812078 IP <client_ip>.17333 > 10.76.227.115.51820: UDP, length 148
01:05:56.815154 IP 10.76.227.120.51820 > <client_ip>.17333: UDP, length 92
How can I tell WireGuard to respond on the wanp interface (or use the one on which the original packet was received)? I guess this is not specifically a problem of WireGuard, more likely iptables or routing.
What I tried:
Using SNAT:
iptables -t nat -A POSTROUTING -p udp --sport 51820 -j SNAT --to-source 10.76.227.115
After this I don't see any response in tcpdump, and it still doesn't work.
Setting up a different routing table; this also didn't work:
echo "1 wanp" >> /etc/iproute2/rt_tables
ip route add default via 10.76.227.65 dev veth0 src 10.76.227.115 table wanp
iptables -t mangle -A OUTPUT -p udp --sport 51820 -j MARK --set-mark 1
ip rule add from all fwmark 1 table wanp
For completeness this is my WireGuard config:
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<private_key>'
	option listen_port '51820'
	list addresses '10.20.1.1/24'

config wireguard_wg0
	option description 'phone'
	option public_key '<public_key>'
	list allowed_ips '10.20.1.2/32'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '51820'
Route list:
default via 10.76.227.65 dev eth0.2 src 10.76.227.120
10.10.1.0/24 dev br-lan scope link src 10.10.1.1
10.10.2.0/24 dev br-lan_iot scope link src 10.10.2.1
10.10.3.0/24 dev eth1.30 scope link src 10.10.3.1
10.20.1.0/24 dev wg0 scope link src 10.20.1.1
10.76.227.64/26 dev veth0 scope link src 10.76.227.115
10.76.227.64/26 dev eth0.2 scope link src 10.76.227.120
Is there any other way to tell OpenWrt to respond on the same WAN interface it received the traffic on?
Thank you
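As an added example (not configuration from the original post): policy routing keyed on the packet source address, the usual multi-WAN approach, so that anything sent from the wanp address is routed via veth0 regardless of the main default route on eth0.2. WireGuard remembers the address and interface a packet arrived on and replies from them only while the route lookup for that source address still resolves to the same interface, which a per-source rule guarantees and a port- or fwmark-based rule in OUTPUT does not. The table id 100 and the check destination 203.0.113.5 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: policy routing keyed on the
# packet *source address* so that anything sent from the wanp address leaves
# via veth0, independent of the main default route on eth0.2.
# Assumed: table id 100, destination 203.0.113.5 for the verification lookup.
# Run with DRY_RUN=0 as root on the router to apply; by default it only prints.

WANP_IP=10.76.227.115
WANP_NET=10.76.227.64/26
WANP_GW=10.76.227.65
WANP_DEV=veth0
TABLE_ID=100
TABLE_NAME=wanp
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Register the table, populate it, and add a *source-based* rule.
# The original attempt keyed the rule on an fwmark set by source port; the
# rule here matches the source address instead, so the route lookup for a
# packet from WANP_IP resolves to WANP_DEV even for locally generated traffic.
setup_policy_routing() {
  grep -qs "^$TABLE_ID[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables ||
    run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
  # Connected subnet first, so the gateway is reachable inside the table.
  run ip route add "$WANP_NET" dev "$WANP_DEV" src "$WANP_IP" table "$TABLE_NAME"
  run ip route add default via "$WANP_GW" dev "$WANP_DEV" src "$WANP_IP" table "$TABLE_NAME"
  run ip rule add from "$WANP_IP" lookup "$TABLE_NAME" priority 1000
}

# Pull the egress device out of one line of `ip route get` output.
egress_dev_of() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Ask the kernel which interface a packet sourced from WANP_IP would use;
# with the rule in place this should be WANP_DEV, not eth0.2.
verify_policy_routing() {
  line=$(ip route get 203.0.113.5 from "$WANP_IP" 2>/dev/null | head -n 1)
  [ "$(egress_dev_of "$line")" = "$WANP_DEV" ]
}
```

After applying with DRY_RUN=0, `verify_policy_routing` returns success when the source-based lookup lands on veth0, and the tcpdump reply line should then show 10.76.227.115 as the source.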