7th February 2022
Reeshar
Real Name: Richard L
Port Guard
Join Date: Feb 2022
Location: London, UK
Posts: 14

Issue with WireGuard and routing domains on OBSD 7.0

TL;DR: WireGuard acting as a client under fully-patched OBSD 7.0 on an RPi4 works perfectly when using a single routing domain, but then fails when the external interface is put into a separate routing domain - rdomain 1. tshark shows handshake initiation packets leaving the external interface but no response being received from the server. Has anyone successfully implemented a WireGuard client with the latest release of OBSD and split routing domains?


I've been running WireGuard for some time now on a server connected to the Internet, initially using wireguard-go and more recently using hostname.wg0 under OBSD 7.0. The sole purpose of the server is to turn traffic around and send it back out to the Internet when I'm abroad and make the traffic appear to be coming from the UK. Standard stuff to be able to access UK streaming services.

It all works perfectly with a variety of clients: WireGuard on Android, Windows, Linux and various appliances. It's also a lot faster than using OpenVPN which I also have running on the server as a backup, although I'll probably decommission that soon.

I've recently been playing with a WireGuard client gateway using OBSD 7.0 on a Raspberry Pi 4. In its basic form using a single default routing domain, WireGuard works fine. I use different priority routes for direct traffic to the VPN router and all other traffic intended to pass through the wg0 tunnel. tshark shows WireGuard handshakes and encrypted traffic passing through the external interface bse0 exactly as expected.

Next step...

To introduce greater separation between the direct and tunneled routes to the server I have then made two modifications: I've added an rdomain 1 line to the start of the hostname.bse0 external interface file and wgrtable 1 to the wgpeer line in the hostname.wg0 file. (In addition I've modified sshd_config to listen to addresses from rdomains 0 and 1, although that's not pertinent to WireGuard behaviour. I've also not bothered with DNS mods at this stage as I'm testing using pings with IP addresses and dig with a specified external DNS.)

On reboot, I've made wg0 the default interface for rdomain 0 traffic. With that, WireGuard has stopped working on the RPi4. tshark shows outbound handshake requests going out to the server but no response from the server. If I switch back to single-domain operation everything works OK again. This seems to suggest that the handshake request has become corrupted such that the server doesn't recognise it, but I would love someone else to find some other explanation!

Has anyone any experience of WireGuard on OBSD 7.0 running with split routing domains? Or is anyone willing to have a go themselves at replicating the situation? It doesn't need to be an RPi: any host system would do!

___________________


Here's a copy of the tshark output monitoring the external interface for traffic to/from the WireGuard server.

With a single default routing domain:

Code:
-bash-5.1$ doas tshark -f 'host x.x.x.x' -i bse0
Capturing on 'bse0'
    1   0.000000 192.168.1.125 → x.x.x.x WireGuard 190 Handshake Initiation, sender=0xFBFAD38C
    2   0.004860 x.x.x.x → 192.168.1.125 WireGuard 134 Handshake Response, sender=0x47722CB5, receiver=0xFBFAD38C
    3   0.006097 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=0, datalen=96
    4   0.006649 x.x.x.x → 192.168.1.125 WireGuard 74 Keepalive, receiver=0xFBFAD38C, counter=0
    5   0.023525 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=1, datalen=96
    6   1.005879 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=1, datalen=96
    7   1.024303 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=2, datalen=96
    8   2.005833 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=2, datalen=96
    9   2.020512 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=3, datalen=96
   10   3.005815 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=3, datalen=96
   11   3.022067 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=4, datalen=96
   12   4.005796 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=4, datalen=96
   13   4.020740 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=5, datalen=96
   14   5.005779 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=5, datalen=96
   15   5.020599 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=6, datalen=96
   16   6.005758 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=6, datalen=96
   17   6.020418 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=7, datalen=96
   18   7.005756 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=7, datalen=96
   19   7.020781 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=8, datalen=96
   20   8.005738 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=8, datalen=96
   21   8.020502 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=9, datalen=96
   22   9.005714 192.168.1.125 → x.x.x.x WireGuard 170 Transport Data, receiver=0x47722CB5, counter=9, datalen=96
   23   9.027533 x.x.x.x → 192.168.1.125 WireGuard 170 Transport Data, receiver=0xFBFAD38C, counter=10, datalen=96
   24  19.025513 192.168.1.125 → x.x.x.x WireGuard 74 Keepalive, receiver=0x47722CB5, counter=10
^C24 packets captured

With the external interface in rdomain 1 and access to the wg0 tunnel from rdomain 0:

Code:
-bash-5.1$ doas tshark -f 'host x.x.x.x' -i bse0
Capturing on 'bse0'
    1   0.000000 192.168.1.125 → x.x.x.x WireGuard 190 Handshake Initiation, sender=0xF8014803
    2   5.219900 192.168.1.125 → x.x.x.x WireGuard 190 Handshake Initiation, sender=0x65088075
    3  10.419816 192.168.1.125 → x.x.x.x WireGuard 190 Handshake Initiation, sender=0x9A42E713
    4  15.599741 192.168.1.125 → x.x.x.x WireGuard 190 Handshake Initiation, sender=0xDD48EACC
    5  20.689660 192.168.1.125 → x.x.x.x WireGuard 190 Handshake Initiation, sender=0xAB5DDADD
    6  25.819580 192.168.1.125 → x.x.x.x WireGuard 190 Handshake Initiation, sender=0x0226D5DE
^C6 packets captured

Here's the ifconfig output for wg0:

Code:
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        description: WireGuard interface
        index 6 priority 0 llprio 3
        wgport 36559
        wgrtable 1
        wgpubkey <client pubkey>
        wgpeer <server pubkey>
                wgendpoint x.x.x.x 51820
                tx: 0, rx: 0
                wgaip 0.0.0.0/0
        groups: wg
        inet 10.0.0.11 netmask 0xffffff00 broadcast 10.0.0.255

Last edited by Reeshar; 7th February 2022 at 11:26 AM. Reason: Added information
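A check that fits the situation described in the post, added here as an example and not part of the original thread: when the external interface lives in its own routing domain, the wg(4) interface's wgrtable must name that same rtable, and that rtable must hold a route (normally a default route via the LAN gateway) by which the wgendpoint can be reached, otherwise handshake traffic has no path back. The script below parses ifconfig(8)-style and `route -T 1 -n show -inet`-style text and reports which of these conditions fails. The sample output is constructed to mirror the poster's layout (bse0 in rdomain 1, wg0 with wgrtable 1); the endpoint address 203.0.113.10 and the gateway 192.168.1.1 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): checks that an external interface's
# rdomain, a wg(4) interface's wgrtable and the routes in that rtable agree.
# All sample text below is constructed for this example; on a real OpenBSD host
# feed in the output of: ifconfig bse0 ; ifconfig wg0 ; route -T 1 -n show -inet

# Constructed ifconfig-style output for the external interface (rdomain 1)
SAMPLE_BSE0='bse0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> rdomain 1 mtu 1500
        lladdr 00:00:00:00:00:00
        inet 192.168.1.125 netmask 0xffffff00 broadcast 192.168.1.255'

# Constructed ifconfig-style output for the wg interface; endpoint 203.0.113.10 is assumed
SAMPLE_WG0='wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        wgport 36559
        wgrtable 1
        wgpeer <server pubkey>
                wgendpoint 203.0.113.10 51820
                tx: 0, rx: 0
                wgaip 0.0.0.0/0
        inet 10.0.0.11 netmask 0xffffff00 broadcast 10.0.0.255'

# Constructed "route -T 1 -n show -inet" output; gateway 192.168.1.1 is assumed
SAMPLE_RT1='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        0        0     -     8 bse0
192.168.1/24       192.168.1.125      UCn        0        0     -     4 bse0'

# iface_rdomain TEXT: prints the rdomain from the first ifconfig line (0 when not shown)
iface_rdomain() {
    printf '%s\n' "$1" | awk 'NR==1 { r=0; for (i=1; i<=NF; i++) if ($i=="rdomain") r=$(i+1); print r }'
}

# wg_rtable TEXT: prints the wgrtable value of a wg interface (0 when absent)
wg_rtable() {
    printf '%s\n' "$1" | awk '$1=="wgrtable" { print $2; found=1 } END { if (!found) print 0 }'
}

# wg_endpoint TEXT: prints the endpoint address of the first wgpeer
wg_endpoint() {
    printf '%s\n' "$1" | awk '$1=="wgendpoint" { print $2; exit }'
}

# rt_has_default TEXT: succeeds when the route table output contains a default route
rt_has_default() {
    printf '%s\n' "$1" | awk '$1=="default" { found=1 } END { if (found) exit 0; exit 1 }'
}

# check_wg_rdomain EXT_IFCONFIG WG_IFCONFIG ROUTE_OUTPUT
#   exit 0: wgrtable matches the external rdomain and that rtable has a default route
#   exit 1: wgrtable and the external interface's rdomain differ
#   exit 2: the rtable has no default route, so the endpoint is unreachable from it
check_wg_rdomain() {
    ext_rd=$(iface_rdomain "$1")
    wg_rt=$(wg_rtable "$2")
    ep=$(wg_endpoint "$2")
    if [ "$ext_rd" != "$wg_rt" ]; then
        echo "mismatch: external interface is in rdomain $ext_rd but wg uses wgrtable $wg_rt"
        return 1
    fi
    if ! rt_has_default "$3"; then
        echo "no default route in rtable $wg_rt: endpoint $ep cannot be reached from it"
        return 2
    fi
    echo "ok: handshakes to $ep are routed through rtable $wg_rt"
    return 0
}

check_wg_rdomain "$SAMPLE_BSE0" "$SAMPLE_WG0" "$SAMPLE_RT1"
```

The three parsers are deliberately narrow (first-line `rdomain`, the `wgrtable` and `wgendpoint` keywords, a `default` destination), so they work on the text the poster already has from ifconfig and route without needing anything beyond awk.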