WireGuard does not use right return address

Bug #2073220 reported by Justin Lamp
This bug affects 1 person
Affects: linux (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Hey there,

we found that in noble on kernel 6.8.0-38.38 the WireGuard module sometimes does not use the correct source address for returning packets. Our router has two IPs attached, one internal and one external. Since this is an HA router, the external address moves between our two routers. But when clients connect they of course connect to the external IP, and the packets therefore need to be returned with the same external IP. This does not happen in many cases. Sometimes it does work and the connection gets tracked correctly, but more times than not it uses its internal IP, resulting in broken handshakes.

```
root@net-router2:~# ip r l | grep default -A2
default nhid 12 proto bgp metric 20
 nexthop via inet6 fe80::920a:84ff:fe6e:eed4 dev enp1s0f1np1 weight 1
 nexthop via inet6 fe80::920a:84ff:fe6e:f054 dev enp1s0f0np0 weight 1
root@net-router2:~# ip r get 1.1.1.1
1.1.1.1 via inet6 fe80::920a:84ff:fe6e:f054 dev enp1s0f0np0 src 10.77.2.109 uid 0
    cache
```

Tags: wireguard
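A small check for the condition described above, added here as an example and not part of the bug report: it parses the `src` field of `ip route get` output for each peer endpoint and flags any endpoint for which the kernel would reply from an address other than the expected external (floating) one. The external address `203.0.113.10` and the sample route line are constructed; the live `check_peers` function is meant to be run on the router itself.

```shell
#!/bin/sh
# Added example (not from the bug report). Detects peers whose return
# path would use the wrong source address. EXTERNAL_IP is an assumed
# placeholder for the floating external address.
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"

# Constructed sample of `ip route get` output, mirroring the report's shape.
SAMPLE_ROUTE='1.1.1.1 via inet6 fe80::920a:84ff:fe6e:f054 dev enp1s0f0np0 src 10.77.2.109 uid 0
    cache'

# Extract the "src" field from the first line of `ip route get` output.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the route output carries the expected source address, 1 otherwise.
check_route_src() {
    _got=$(route_src "$1")
    [ -n "$_got" ] && [ "$_got" = "$2" ]
}

# Live check: query the kernel for each peer endpoint passed as an argument
# and print OK/WARN per endpoint; exit status is non-zero if any mismatch.
# Usage: check_peers 198.51.100.7 198.51.100.8
check_peers() {
    _bad=0
    for _peer in "$@"; do
        if ! _out=$(ip route get "$_peer" 2>/dev/null); then
            echo "ERR  $_peer: no route"
            _bad=1
            continue
        fi
        if check_route_src "$_out" "$EXTERNAL_IP"; then
            echo "OK   $_peer src=$(route_src "$_out")"
        else
            echo "WARN $_peer src=$(route_src "$_out") expected=$EXTERNAL_IP"
            _bad=1
        fi
    done
    return $_bad
}
```

A WARN line for a peer means a reply to that endpoint would leave from the internal address, which is the handshake-breaking case the report describes.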