2017-11-21 22:15 GMT+08:00 Jason A. Donenfeld <ja...@zx2c4.com>:
> On Tue, Nov 21, 2017 at 2:21 PM, d tbsky <tbs...@gmail.com> wrote:
>> so at first client 2.2.2.2:51820 connects to server 1.1.1.1:51820,
>> but then the server uses 172.18.1.254 (LAN IP address) to reply, and port 51820
>> is NATed to 1085, so the communication is broken.
>
> The server should use 1.1.1.1 to reply. If it's not, that's a bug that
> I should fix. Can you give me a minimal configuration for reproducing
> this setup, so that I can fix whatever issue is occurring?
>
> Thanks,
> Jason
Thanks for the quick reply. My WireGuard configuration is in the previous mail, so I think the Linux firewall part is what you want.

There is only one thing special in our firewall config. Normally when you run "ip route get 8.8.8.8", you get a WAN IP address through the main routing table (e.g. 1.1.1.1 in the above example). But since we have multiple routing tables and there are few entries in the main routing table, "ip route get 8.8.8.8" returns 172.18.1.254 (the LAN IP address) on our firewall. I don't know how WireGuard decides its replying IP address, but it seems wrong in this situation. Maybe it decides it through the main routing table?

Our Linux firewall environment is RHEL 7.4 and the WireGuard version is 0.0.20171111 from the official repository.

Thanks a lot for the help!

Regards,
tbskyd
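A small diagnostic added here, not from the thread and not WireGuard's own code, that checks whether the source address the kernel picks for a peer (the "src" field of `ip route get`) matches the public address the peer is configured to reach. The route lines and addresses below are constructed to mirror the scenario in this thread; `check_live` assumes iproute2 is installed and is only needed on a real host.

```shell
#!/bin/sh
# Extract the "src" address from one line of `ip route get` output.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.][0-9.]*\).*/\1/p'
}

# Extract the routing table named in the output; iproute2 omits it for "main".
route_table() {
    t=$(printf '%s\n' "$1" | sed -n 's/.* table \([A-Za-z0-9_]*\).*/\1/p')
    [ -n "$t" ] && printf '%s\n' "$t" || printf 'main\n'
}

# Compare the kernel's chosen source address with the address the peer
# expects (the WAN address in the client's Endpoint). Returns 0 on a match,
# 1 when replies would leave from a different address and be dropped by the NAT.
check_reply_src() {
    expected=$1
    route_line=$2
    actual=$(route_src "$route_line")
    if [ "$actual" = "$expected" ]; then
        echo "ok: replies use $actual"
        return 0
    fi
    echo "mismatch: kernel picks $actual via table $(route_table "$route_line"), peer expects $expected"
    return 1
}

# Live check on a real host: query the kernel for a peer address (needs iproute2).
check_live() {
    peer=$1
    expected=$2
    check_reply_src "$expected" "$(ip route get "$peer" 2>/dev/null | head -n1)"
}

# Constructed sample output, mirroring the thread: the main table yields the
# LAN address, a secondary "wan" table would yield the public address.
SAMPLE_MAIN='2.2.2.2 via 172.18.1.1 dev eth1 src 172.18.1.254 uid 0'
SAMPLE_WAN='2.2.2.2 via 1.1.1.254 dev eth0 table wan src 1.1.1.1 uid 0'
```

Run `check_live 2.2.2.2 1.1.1.1` on the firewall to see which address the kernel's main-table lookup would actually hand to a reply.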