WireGuard does not use right return address
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Hey there,
we found that in noble on kernel 6.8.0-38.38 the WireGuard module sometimes does not use the correct source address for returning packets. Our router has two IPs attached, one internal and one external. Since this is a HA router, the external address moves between our two routers. But when clients connect, they of course connect to the external IP, and the packets therefore need to be returned with the same external IP. This does not happen in many cases. Sometimes it does work and the connection gets tracked correctly, but more times than not it uses its internal IP, resulting in broken handshakes.
```
root@net-router2:~# ip r l | grep default -A2
default nhid 12 proto bgp metric 20
nexthop via inet6 fe80::920a:
nexthop via inet6 fe80::920a:
root@net-router2:~# ip r get 1.1.1.1
1.1.1.1 via inet6 fe80::920a:
cache
```
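A quick way to confirm the symptom described above from a packet trace is to pair each WireGuard handshake initiation with the response sent back to the same client endpoint and flag any response whose source address is not the address the initiation was sent to. The script below is an added example, not code from the bug reporter, the kernel or the WireGuard project. It works on a constructed summary format (`SRC:PORT > DST:PORT KIND`, IPv4 only) rather than on raw tcpdump output, and the addresses in the sample are constructed, not the reporter's.

```python
"""Detect WireGuard handshake responses that leave a router from the
wrong source address (the failure mode in the bug description above).

Added example; the summary line format and all addresses are
constructed assumptions, not taken from a real capture."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXTERNAL_IP = "203.0.113.10"  # constructed: floating address clients connect to
INTERNAL_IP = "192.0.2.2"     # constructed: router's own interface address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "initiation" or "response"


def parse_line(line: str) -> Optional[Packet]:
    """Parse one constructed summary line 'SRC:PORT > DST:PORT KIND'.
    Returns None for lines that do not match the expected shape."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != ">":
        return None
    try:
        src, sport = parts[0].rsplit(":", 1)
        dst, dport = parts[2].rsplit(":", 1)
        return Packet(src, int(sport), dst, int(dport), parts[3])
    except ValueError:
        return None


def find_source_mismatches(lines: List[str]) -> List[Tuple[Packet, Packet]]:
    """Pair every handshake response with the latest initiation from the
    same client endpoint and return (initiation, response) pairs where the
    response's source address differs from the initiation's destination.
    A response from the router's internal address to a client that dialled
    the external address is exactly the broken case."""
    pending: Dict[Tuple[str, int], Packet] = {}
    mismatches: List[Tuple[Packet, Packet]] = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.kind == "initiation":
            pending[(pkt.src, pkt.sport)] = pkt
        elif pkt.kind == "response":
            init = pending.pop((pkt.dst, pkt.dport), None)
            if init is not None and init.dst != pkt.src:
                mismatches.append((init, pkt))
    return mismatches


# Constructed sample trace: second client gets a reply from the internal
# address instead of the external one it sent the initiation to; third
# client never gets a reply at all (not flagged, nothing to compare).
SAMPLE_TRACE = [
    "198.51.100.7:51820 > 203.0.113.10:51820 initiation",
    "203.0.113.10:51820 > 198.51.100.7:51820 response",
    "198.51.100.8:40001 > 203.0.113.10:51820 initiation",
    "192.0.2.2:51820 > 198.51.100.8:40001 response",
    "198.51.100.9:40002 > 203.0.113.10:51820 initiation",
    "garbage line that the parser should skip",
]


if __name__ == "__main__":
    for init, resp in find_source_mismatches(SAMPLE_TRACE):
        print(f"client {init.src}:{init.sport} sent to {init.dst} "
              f"but reply came from {resp.src}")
```

Run against a real trace, a non-empty result on a router with a floating address confirms the wrong-source-address behaviour independently of whether the handshake later completes.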