Tunneling all traffic through wireguard tunnel #3636
Unanswered
ray-faizan
asked this question in
Q&A
I'm working on a case where I want to tunnel all my traffic through a WireGuard tunnel, but it is failing in ip4 lookup. However, a default route to the destination is present in the routing table, and the WireGuard tunnel is up. I am able to ping the other end of the WireGuard tunnel.
One interesting fact is that when I added a specific route to the destination 9.9.9.9/32, it started to work. I also tried routes other than /32, but they did not work. Here are both the failure and success traffic.
Failure case
Packet 416

00:33:05:122902: dpdk-input
  eth3 rx queue 0
  buffer 0x1fe44e4: current data 0, length 74, buffer-pool 0, ref-count 1, trace handle 0x100019f
                    ext-hdr-valid
  PKT MBUF: port 2, nb_segs 1, pkt_len 74
    buf_len 2176, data_len 74, ol_flags 0x180, data_off 128, phys_addr 0x7f913980
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: b4:a9:fc:7b:1f:aa -> 28:b7:7c:e0:f1:d8
  TCP: 192.168.3.100 -> 5.9.87.175
    tos 0x00, ttl 64, length 60, checksum 0x8bba dscp CS0 ecn NON_ECN
    fragment id 0x8e3d, flags DONT_FRAGMENT
  TCP: 46916 -> 443
    seq. 0xa1b825f3 ack 0x00000000
    flags 0x02 SYN, tcp header: 40 bytes
    window 64240, checksum 0x4686
    options: mss 1460, window scale 1742269328, timestamp 1742269328, echo/reflected timestamp, sack permitted
00:33:05:122905: ethernet-input
  frame: flags 0x3, hw-if-index 3, sw-if-index 3
  IP4: b4:a9:fc:7b:1f:aa -> 28:b7:7c:e0:f1:d8
00:33:05:122907: ip4-input-no-checksum
  TCP: 192.168.3.100 -> 5.9.87.175
    tos 0x00, ttl 64, length 60, checksum 0x8bba dscp CS0 ecn NON_ECN
    fragment id 0x8e3d, flags DONT_FRAGMENT
  TCP: 46916 -> 443
    seq. 0xa1b825f3 ack 0x00000000
    flags 0x02 SYN, tcp header: 40 bytes
    window 64240, checksum 0x4686
    options: mss 1460, window scale 1742269328, timestamp 1742269328, echo/reflected timestamp, sack permitted
00:33:05:122908: ip4-sv-reassembly-feature
  [not-fragmented]
00:33:05:122908: nat-pre-in2out
  in2out next_index 2 arc_next_index 10
00:33:05:122909: nat44-ed-in2out
  NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 3, next index 10, session 255, translation result 'success' via i2of
  i2of match: saddr 192.168.3.100 sport 46916 daddr 5.9.87.175 dport 443 proto TCP fib_idx 0 rewrite: saddr 192.168.100.2 sport 46916 daddr 5.9.87.175 dport 443 txfib 0
  o2if match: saddr 5.9.87.175 sport 443 daddr 192.168.100.2 dport 46916 proto TCP fib_idx 0 rewrite: saddr 5.9.87.175 daddr 192.168.3.100 dport 46916 txfib 0
  search key local 192.168.3.100:46916 remote 5.9.87.175:443 proto TCP fib 0 thread-index 0 session-index 0
  TCP state: closed
00:33:05:122910: ip4-lookup
  fib 0 dpo-idx 0 flow hash: 0x00000000
  TCP: 192.168.100.2 -> 5.9.87.175
    tos 0x00, ttl 64, length 60, checksum 0x2b1c dscp CS0 ecn NON_ECN
    fragment id 0x8e3d, flags DONT_FRAGMENT
  TCP: 46916 -> 443
    seq. 0xa1b825f3 ack 0x00000000
    flags 0x02 SYN, tcp header: 40 bytes
    window 64240, checksum 0xe5e7
    options: mss 1460, window scale 1742269328, timestamp 1742269328, echo/reflected timestamp, sack permitted
00:33:05:122911: ip4-drop
  fib:0 adj:0 flow:0x00000000
  TCP: 192.168.100.2 -> 5.9.87.175
    tos 0x00, ttl 64, length 60, checksum 0x2b1c dscp CS0 ecn NON_ECN
    fragment id 0x8e3d, flags DONT_FRAGMENT
  TCP: 46916 -> 443
    seq. 0xa1b825f3 ack 0x00000000
    flags 0x02 SYN, tcp header: 40 bytes
    window 64240, checksum 0xe5e7
    options: mss 1460, window scale 1742269328, timestamp 1742269328, echo/reflected timestamp, sack permitted
00:33:05:122911: error-drop
  rx:eth3
00:33:05:122911: drop
  dpdk-input: no error

root@vvp-router3:~# vppctl show ip fib 0.0.0.0/0
ipv4-VRF:0, fib_index:0, flow hash:[src dst sport dport proto flowlabel ] epoch:0 flags:none locks:[adjacency:1, default-route:1, lcp-rt:1, nat-low:3, nat-hi:2, session lookup:1, ]
0.0.0.0/0 fib:0 index:0 locks:3
  CLI refs:1 entry-flags:attached, src-flags:added,contributing,active,
    path-list:[55] locks:2 flags:shared, uPRF-list:49 len:1 itfs:[14, ]
      path:[75] pl-index:55 ip4 weight=10 pref=1 attached: oper-flags:resolved, cfg-flags:glean,
        wg0
  default-route refs:1 entry-flags:drop, src-flags:added,
    path-list:[0] locks:1 flags:drop, uPRF-list:0 len:0 itfs:[]
      path:[0] pl-index:0 ip4 weight=1 pref=0 special: cfg-flags:drop,
        [@0]: dpo-drop ip4

 forwarding: unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:1 buckets:1 uRPF:49 to:[8982:663836]]
    [0] [@0]: dpo-drop ip4

Success case with /32 Specific route
Packet 2522

00:40:01:911663: dpdk-input
  eth3 rx queue 0
  buffer 0x1ff68c8: current data 0, length 98, buffer-pool 0, ref-count 1, trace handle 0x10009d9
                    ext-hdr-valid
  PKT MBUF: port 2, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x180, data_off 128, phys_addr 0x7fda3280
    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
  IP4: b4:a9:fc:7b:1f:aa -> 28:b7:7c:e0:f1:d8
  ICMP: 192.168.3.100 -> 9.9.9.9
    tos 0x00, ttl 64, length 84, checksum 0xdbcd dscp CS0 ecn NON_ECN
    fragment id 0x88bd, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xf7f2 id 5
00:40:01:911666: ethernet-input
  frame: flags 0x3, hw-if-index 3, sw-if-index 3
  IP4: b4:a9:fc:7b:1f:aa -> 28:b7:7c:e0:f1:d8
00:40:01:911668: ip4-input-no-checksum
  ICMP: 192.168.3.100 -> 9.9.9.9
    tos 0x00, ttl 64, length 84, checksum 0xdbcd dscp CS0 ecn NON_ECN
    fragment id 0x88bd, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xf7f2 id 5
00:40:01:911669: ip4-sv-reassembly-feature
  [not-fragmented]
00:40:01:911670: nat-pre-in2out
  in2out next_index 2 arc_next_index 10
00:40:01:911670: nat44-ed-in2out
  NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 3, next index 10, session 256, translation result 'success' via i2of
  i2of match: saddr 192.168.3.100 sport 5 daddr 9.9.9.9 dport 5 proto ICMP fib_idx 0 rewrite: saddr 192.168.100.2 daddr 9.9.9.9 icmp-id 59651 txfib 0
  o2if match: saddr 9.9.9.9 sport 59651 daddr 192.168.100.2 dport 59651 proto ICMP fib_idx 0 rewrite: saddr 9.9.9.9 daddr 192.168.3.100 icmp-id 5 txfib 0
  search key local 192.168.3.100:5 remote 9.9.9.9:5 proto ICMP fib 0 thread-index 0 session-index 0
00:40:01:911671: ip4-lookup
  fib 0 dpo-idx 28 flow hash: 0x00000000
  ICMP: 192.168.100.2 -> 9.9.9.9
    tos 0x00, ttl 64, length 84, checksum 0x7b2f dscp CS0 ecn NON_ECN
    fragment id 0x88bd, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xef4 id 59651
00:40:01:911672: ip4-midchain
  tx_sw_if_index 14 dpo-idx 28 : ipv4 [features] via 9.9.9.9 wg0: mtu:9000 next:12 flags:[features ]
    00000000: 45000000000000004011b8a4c0a8a08fc0a8a068139713970000000000000000
    00000020: 000000000000000000000000
  stacked-on entry:28:
    [@2]: ipv4 via 192.168.160.104 eth1: mtu:1500 next:3 flags:[] 28b77ce0a49428b77ce0f1d60800 flow hash: 0x00000000
    00000000: 45000000000000004011b8a4c0a8a08fc0a8a068139713970000000000000000
    00000020: 0000000000000000000000004500005488bd40003f017c2fc0a86402
00:40:01:911673: wg4-output-tun
  peer: 0
  Encrypted packet:
  UDP: 192.168.160.143 -> 192.168.160.104
    tos 0x00, ttl 64, length 144, checksum 0xb814 dscp CS0 ecn NON_ECN
    fragment id 0x0000
  UDP: 5015 -> 5015
    length 124, checksum 0x0000:$U
00:40:01:911676: adj-midchain-tx
  adj-midchain:[28]:ipv4 [features] via 9.9.9.9 wg0: mtu:9000 next:12 flags:[features ]
    00000000: 45000000000000004011b8a4c0a8a08fc0a8a068139713970000000000000000
    00000020: 000000000000000000000000
  stacked-on entry:28:
    [@2]: ipv4 via 192.168.160.104 eth1: mtu:1500 next:3 flags:[] 28b77ce0a49428b77ce0f1d60800
00:40:01:911677: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 24 : ipv4 via 192.168.160.104 eth1: mtu:1500 next:3 flags:[] 28b77ce0a49428b77ce0f1d60800 flow hash: 0x00000000
    00000000: 28b77ce0a49428b77ce0f1d6080045000090000000003f11b914c0a8a08fc0a8
    00000020: a06813971397007c000004000000f757d61316000000000000007603
00:40:01:911678: eth1-output
  eth1 flags 0x0038000d
  IP4: 28:b7:7c:e0:f1:d6 -> 28:b7:7c:e0:a4:94
  UDP: 192.168.160.143 -> 192.168.160.104
    tos 0x00, ttl 63, length 144, checksum 0xb914 dscp CS0 ecn NON_ECN
    fragment id 0x0000
  UDP: 5015 -> 5015
    length 124, checksum 0x0000
00:40:01:911678: eth1-tx
  eth1 tx queue 1
  buffer 0x1ff68c8: current data -44, length 158, buffer-pool 0, ref-count 1, trace handle 0x10009d9
                    ext-hdr-valid
                    natted l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 2, nb_segs 1, pkt_len 158
    buf_len 2176, data_len 158, ol_flags 0x180, data_off 84, phys_addr 0x7fda3280
    packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
  IP4: 28:b7:7c:e0:f1:d6 -> 28:b7:7c:e0:a4:94
  UDP: 192.168.160.143 -> 192.168.160.104
    tos 0x00, ttl 63, length 144, checksum 0xb914 dscp CS0 ecn NON_ECN
    fragment id 0x0000
  UDP: 5015 -> 5015
    length 124, checksum 0x0000

Packet 2523

00:40:01:984295: dpdk-input
  eth1 rx queue 0
  buffer 0x1fc780d: current data 0, length 170, buffer-pool 0, ref-count 1, trace handle 0x10009da
                    ext-hdr-valid
  PKT MBUF: port 0, nb_segs 1, pkt_len 170
    buf_len 2176, data_len 170, ol_flags 0x180, data_off 128, phys_addr 0x7f1e03c0
    packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 28:b7:7c:e0:a4:94 -> 28:b7:7c:e0:f1:d6
  UDP: 192.168.160.104 -> 192.168.160.143
    tos 0x00, ttl 64, length 156, checksum 0x2a3c dscp CS0 ecn NON_ECN
    fragment id 0x8dcc
  UDP: 5015 -> 5015
    length 136, checksum 0x0dcf
00:40:01:984298: ethernet-input
  frame: flags 0x3, hw-if-index 1, sw-if-index 1
  IP4: 28:b7:7c:e0:a4:94 -> 28:b7:7c:e0:f1:d6
00:40:01:984300: ip4-input-no-checksum
  UDP: 192.168.160.104 -> 192.168.160.143
    tos 0x00, ttl 64, length 156, checksum 0x2a3c dscp CS0 ecn NON_ECN
    fragment id 0x8dcc
  UDP: 5015 -> 5015
    length 136, checksum 0x0dcf
00:40:01:984300: ip4-lookup
  fib 0 dpo-idx 13 flow hash: 0x00000000
  UDP: 192.168.160.104 -> 192.168.160.143
    tos 0x00, ttl 64, length 156, checksum 0x2a3c dscp CS0 ecn NON_ECN
    fragment id 0x8dcc
  UDP: 5015 -> 5015
    length 136, checksum 0x0dcf
00:40:01:984301: ip4-receive
  fib:0 adj:13 flow:0x00000000
  UDP: 192.168.160.104 -> 192.168.160.143
    tos 0x00, ttl 64, length 156, checksum 0x2a3c dscp CS0 ecn NON_ECN
    fragment id 0x8dcc
  UDP: 5015 -> 5015
    length 136, checksum 0x0dcf
00:40:01:984302: ip4-udp-lookup
  UDP: src-port 5015 dst-port 5015
00:40:01:984302: wg4-input
  Wireguard input:
    Type: Data
    Peer: 0
    Length: 96
    Keepalive: false
00:40:01:984324: ip4-input-no-checksum
  ICMP: 9.9.9.9 -> 192.168.100.2
    tos 0x00, ttl 58, length 84, checksum 0xdfb3 dscp CS0 ecn NON_ECN
    fragment id 0x6a39
  ICMP echo_reply checksum 0x16f4 id 59651
00:40:01:984326: ip4-sv-reassembly-feature
  [not-fragmented]
00:40:01:984326: nat-pre-out2in
  out2in next_index 6 arc_next_index 10
00:40:01:984327: nat44-ed-out2in
  NAT44_OUT2IN_ED_FAST_PATH: sw_if_index 14, next index 10, session 256, translation result 'success' via o2if
  i2of match: saddr 192.168.3.100 sport 5 daddr 9.9.9.9 dport 5 proto ICMP fib_idx 0 rewrite: saddr 192.168.100.2 daddr 9.9.9.9 icmp-id 59651 txfib 0
  o2if match: saddr 9.9.9.9 sport 59651 daddr 192.168.100.2 dport 59651 proto ICMP fib_idx 0 rewrite: saddr 9.9.9.9 daddr 192.168.3.100 icmp-id 5 txfib 0
  search key local 9.9.9.9:59651 remote 192.168.100.2:59651 proto ICMP fib 0 thread-index 0 session-index 0
  no reason for slow path
00:40:01:984328: ip4-lookup
  fib 0 dpo-idx 25 flow hash: 0x00000000
  ICMP: 9.9.9.9 -> 192.168.3.100
    tos 0x00, ttl 58, length 84, checksum 0x4052 dscp CS0 ecn NON_ECN
    fragment id 0x6a39
  ICMP echo_reply checksum 0xfff2 id 5
00:40:01:984329: ip4-rewrite
  tx_sw_if_index 3 dpo-idx 25 : ipv4 via 192.168.3.100 eth3: mtu:1500 next:7 flags:[] b4a9fc7b1faa28b77ce0f1d80800 flow hash: 0x00000000
    00000000: b4a9fc7b1faa28b77ce0f1d80800450000546a3900003901415209090909c0a8
    00000020: 03640000fff2000500156cffe56800000000e1b70d00000000001011
00:40:01:984329: eth3-output
  eth3 flags 0xc018000d
  IP4: 28:b7:7c:e0:f1:d8 -> b4:a9:fc:7b:1f:aa
  ICMP: 9.9.9.9 -> 192.168.3.100
    tos 0x00, ttl 57, length 84, checksum 0x4152 dscp CS0 ecn NON_ECN
    fragment id 0x6a39
  ICMP echo_reply checksum 0xfff2 id 5
00:40:01:984331: eth3-tx
  eth3 tx queue 1
  buffer 0x1fc780d: current data 44, length 110, buffer-pool 0, ref-count 1, trace handle 0x10009da
                    ext-hdr-valid
                    l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 0, nb_segs 1, pkt_len 110
    buf_len 2176, data_len 110, ol_flags 0x180, data_off 172, phys_addr 0x7f1e03c0
    packet_type 0x211 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 28:b7:7c:e0:f1:d8 -> b4:a9:fc:7b:1f:aa
  ICMP: 9.9.9.9 -> 192.168.3.100
    tos 0x00, ttl 57, length 84, checksum 0x4152 dscp CS0 ecn NON_ECN
    fragment id 0x6a39
  ICMP echo_reply checksum 0xfff2 id 5

IP routing table for specific route
ipv4-VRF:0, fib_index:0, flow hash:[src dst sport dport proto flowlabel ] epoch:0 flags:none locks:[adjacency:1, default-route:1, lcp-rt:1, nat-low:3, nat-hi:2, session lookup:1, ]
9.9.9.9/32 fib:0 index:32 locks:2
  CLI refs:1 entry-flags:attached, src-flags:added,contributing,active,
    path-list:[44] locks:2 flags:shared, uPRF-list:39 len:1 itfs:[14, ]
      path:[61] pl-index:44 ip4 weight=1 pref=0 attached-nexthop: oper-flags:resolved, cfg-flags:attached,
        9.9.9.9 wg0
      [@0]: ipv4 [features] via 9.9.9.9 wg0: mtu:9000 next:12 flags:[features ]
          00000000: 45000000000000004011b8a4c0a8a08fc0a8a068139713970000000000000000
          00000020: 000000000000000000000000
        stacked-on entry:28:
          [@2]: ipv4 via 192.168.160.104 eth1: mtu:1500 next:3 flags:[] 28b77ce0a49428b77ce0f1d60800

 forwarding: unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:34 buckets:1 uRPF:39 to:[1092:91728]]
    [0] [@6]: ipv4 [features] via 9.9.9.9 wg0: mtu:9000 next:12 flags:[features ]
          00000000: 45000000000000004011b8a4c0a8a08fc0a8a068139713970000000000000000
          00000020: 000000000000000000000000
        stacked-on entry:28:
          [@2]: ipv4 via 192.168.160.104 eth1: mtu:1500 next:3 flags:[] 28b77ce0a49428b77ce0f1d60800