AR750S WireGuard + SSH to WireGuard server breaks

Hi,

I’m running into an issue with my AR750S when enabling a WireGuard client connection to a WireGuard server (configured to send all traffic over the WireGuard connection). When the WireGuard connection is active and I SSH to the WireGuard server’s public x.y.z.140 IP address (i.e., the same IP address the WireGuard client connects to) from a device connected to the AR750S, the connection hangs after a few seconds.

The setup is as follows:
laptop → AR750S WireGuard client → WireGuard server

IP addresses:

  • Laptop: LAN 192.168.18.246/24
  • AR750S: LAN 192.168.18.1/24, WireGuard client 10.0.25.7, WAN a.b.c.212
  • WireGuard server: ens3 x.y.z.140, wg0-vpn 10.0.25.1

A tcpdump on the WireGuard server shows that initially the SSH traffic from the laptop enters the WireGuard server (x.y.z.140, marked in blue) over the wg0-vpn interface with the expected WireGuard client source IP (i.e., 10.0.25.7), but after a while the source IP of the SSH traffic changes to the WAN IP of the AR750S (i.e., a.b.c.212 on ens3, marked in red). It’s as if suddenly the traffic doesn’t come over the WireGuard connection anymore.

Initially I thought it was related to an upgrade to openwrt-ar750s-3.201-0402. So I grabbed my Creta, reverted to a clean version of openwrt-ar750-3.105 and configured the device exactly the same. In this case, everything works fine. The SSH connection from the laptop to the WireGuard server with the WireGuard connection active enters the server over the wg0-vpn interface and has a 10.0.25.7 source IP. No matter how much data is sent across the SSH connection, it remains stable and active. The source IP never changes.

I then reverted the AR750S to openwrt-ar750s-3.105 and the issue was there again. SSH’ing to the WireGuard server (x.y.z.140, marked in blue) with the WireGuard connection active enters the WireGuard server with source IP 10.0.25.7 on wg0-vpn, but after some data is sent across the SSH session the source IP suddenly changes to the WAN IP of the AR750S (i.e., a.b.c.212 on ens3, marked in red).

During all of this the port on the client side of the SSH session remained the same at 54955 and you can see the source IP flip from 10.0.25.7 (on wg0-vpn) to a.b.c.212 (on ens3) in the screenshot.

I’ve tested this on the following firmware:

  • Slate: openwrt-ar750s-3.105, does not work
  • Slate: openwrt-ar750s-3.201-0402, does not work
  • Creta: openwrt-ar750-3.105, works

For now I’m using the Creta on openwrt-ar750-3.105, but I would like to resolve this on the Slate as well of course. Any tips that can help resolve this on the AR750S would be greatly appreciated!

I was able to fix the issue by setting up a DNS server on the WireGuard server which returns the WireGuard server’s internal wg0-vpn IP address (10.0.25.1). I then patched /etc/init.d/wireguard so dnsmasq switches to using /tmp/resolv.conf.vpn when the VPN becomes active and back to forwarding to Stubby when the VPN connection is shut down.

More details and a patch are available at Wireguard client not honoring DNS setting [workaround discovered] - #14 by crahan

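An added example, not the poster's patch from the linked thread: a small hook script in the spirit of the workaround that writes `/tmp/resolv.conf.vpn` pointing at the server's wg0-vpn address (10.0.25.1) and switches dnsmasq between that file and Stubby. It assumes OpenWrt's `uci` dhcp section (`dhcp.@dnsmasq[0]`) controls dnsmasq, that Stubby listens on 127.0.0.1#5453, and that the script is called with `up` or `down` from the WireGuard start/stop path.

```shell
#!/bin/sh
# Switch dnsmasq's upstream between the WireGuard server's internal
# resolver (tunnel up) and the local Stubby forwarder (tunnel down).
# Assumptions (not from the post): uci-managed dnsmasq, Stubby on 127.0.0.1#5453.

VPN_DNS="10.0.25.1"                 # wg0-vpn address of the server (from the post)
VPN_RESOLV="/tmp/resolv.conf.vpn"   # resolv file named in the post
STUBBY_SERVER="127.0.0.1#5453"      # assumed Stubby listener

# Write a resolv.conf-style file naming the in-tunnel resolver.
write_vpn_resolv() {               # $1 = file, $2 = nameserver
    printf 'nameserver %s\n' "$2" > "$1"
}

# Pure helper: prints the dnsmasq settings an action would apply, so the
# decision can be checked without uci. Returns 1 on an unknown action.
plan_dnsmasq() {                   # $1 = up|down
    case "$1" in
        up)   printf 'resolvfile=%s noresolv=0 server=\n' "$VPN_RESOLV" ;;
        down) printf 'resolvfile= noresolv=1 server=%s\n' "$STUBBY_SERVER" ;;
        *)    return 1 ;;
    esac
}

# Apply the plan on the router: up -> read VPN_RESOLV, down -> forward to Stubby.
apply_dnsmasq() {                  # $1 = up|down
    plan_dnsmasq "$1" >/dev/null || { echo "usage: $0 up|down" >&2; return 1; }
    uci -q delete dhcp.@dnsmasq[0].server
    if [ "$1" = up ]; then
        write_vpn_resolv "$VPN_RESOLV" "$VPN_DNS"
        uci set dhcp.@dnsmasq[0].resolvfile="$VPN_RESOLV"
        uci set dhcp.@dnsmasq[0].noresolv='0'
    else
        uci -q delete dhcp.@dnsmasq[0].resolvfile
        uci set dhcp.@dnsmasq[0].noresolv='1'
        uci add_list dhcp.@dnsmasq[0].server="$STUBBY_SERVER"
    fi
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Only act when invoked with an argument (e.g. from the WireGuard init script).
if [ -n "${1:-}" ]; then
    apply_dnsmasq "$1"
fi
```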