Re: nftables: masquerading not applied consistently

On Wed, Jul 8, 2020 at 1:10 AM Florian Westphal <fw@xxxxxxxxx> wrote:
> I.e., traffic passes vpn-gw twice?

Yes.

> If so, that won't work.
>
> On first pass (wireguard decap), packet x is picked up by
> connection tracking and then has NAT applied to it.
> As no matching NAT rule exists, the connection gets a 'do nothing'
> binding. When packet comes back, it will match the existing
> 'do nothing' connection and the nat table is never consulted.
>
> If that's the case, you will either need to turn off conntrack for packets
> coming from wireguard (use 'notrack' keyword in raw table) or, if you
> need nat for this part as well, place the two rounds the packet takes in
> different connection tracking zones, so that the packet coming back
> from gw01/vlan252 is seen as a new flow, rather than an old packet
> matching a known connection.

As the WireGuard interface in question does not need NAT, I'll try
the "notrack" approach.

Thanks for your speedy help!

Regards,
Thilo
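For readers of the archive, here is an added nftables ruleset (not posted by either participant in the thread) showing the two options Florian describes. The interface names "wg0" (the WireGuard interface on vpn-gw), "vlan252" and "eth0" (the interface the masquerade rule applies to) are assumptions; the thread does not name them.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Interface names are assumed.
flush ruleset

table inet raw {
    chain prerouting {
        # Priority -300 runs before conntrack (-200), which is required
        # for both 'notrack' and 'ct zone set'.
        type filter hook prerouting priority -300; policy accept;

        # Option 1: do not track decapsulated WireGuard traffic at all.
        # These packets never receive a 'do nothing' NAT binding, so when
        # they return via vlan252 they are looked up fresh. The trade-off:
        # no NAT is possible on this leg, and 'ct state ...' rules will not
        # match these packets, so filtering here must not rely on state.
        iifname "wg0" notrack

        # Option 2 (use instead of option 1 if this leg also needs NAT):
        # place the first and second pass in different conntrack zones,
        # so the packet coming back from gw01/vlan252 is seen as a new
        # flow and the nat table is consulted again.
        # iifname "wg0" ct zone set 1
        # iifname "vlan252" ct zone set 2
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # The rule that was "not applied consistently": with conntrack
        # bypassed (or zones separated) on the WireGuard leg, the return
        # pass reaches this chain as a new connection.
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f <file>` and confirm the effect with `conntrack -L`: traffic arriving on the WireGuard interface should no longer produce entries (option 1), or should appear in distinct zones (option 2), while the masqueraded connections are still listed.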
