WireGuard service traffic routing/force unique gateway

Started by mokaz, August 22, 2024, 01:45:20 PM

Hi all,

I'll try to summarize my setup:

- wg0 instance reachable through the WAN interface + peers + config + unbound DNS etc etc (all working super duper fine)
- ovpnc1 interface where I'm routing wg clients 0.0.0.0/0 type of traffic (working super duper)

My only current concern is that this setup has somewhat of an asymmetrical routing issue, as either WAN or ovpnc1 could reach 0.0.0.0/0 -- I have sometimes witnessed UDP:51820 source-port-bound packets flying out over the overlay/ovpnc1 interface, which is unwanted. I did countermeasure that through the firewall, but I've been hunting for a cleaner solution.

Would it be possible to bind a specific and unique gateway to the WireGuard service itself? Hence always receiving and sending WireGuard tunnel service traffic over the exact same interface/gateway combo at the OPNsense level.

Let me know,
Regards,
m.


Hi again all,

So after troubleshooting a notch more, it turns out that:

- source port UDP:51820 packets flying out over the overlay only occur upon peer "disconnection" (when turning the WG tunnel OFF on the client device).
- the time frame during which this is occurring is always around 900 seconds; I suspect CLOSE_WAIT and TIME_WAIT sessions perhaps.

Thanks for any possible advice here.

Cheers,
m.
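The symptom described in both posts (WireGuard service packets, local port UDP 51820, leaving over ovpnc1 instead of WAN, and lingering for a while after a peer disconnects) can be checked directly in the pf state table rather than by watching packets fly by. The script below is an added example written for this thread, not code from the poster or from OPNsense. It parses lines in the layout that `pfctl -ss` prints (`<iface> <proto> <addr:port> <dir> <addr:port> <state>`, with `all` for states not bound to an interface) and lists every UDP state whose local side is the WireGuard port but whose interface is not the expected WAN one. The interface name `em0` (standing in for WAN), the addresses and the sample state lines are all constructed for the demonstration; on a real box you would feed it `"$(pfctl -ss)"` instead of the sample, and `pfctl -st` shows the UDP timeouts that decide how long such a state survives after the peer goes away.

```shell
#!/bin/sh
# Added example, not from the original thread or from OPNsense.
# Finds pf states for the WireGuard service port that sit on an interface
# other than the expected WAN interface (i.e. the asymmetric-routing symptom).
# Assumed "pfctl -ss" line layout: <iface> <proto> <addr:port> <dir> <addr:port> <state>
# where <dir> is "->" for outbound states and "<-" for inbound states; in both
# cases the left-hand endpoint is the local one.

WG_PORT=51820

# Constructed sample of what "pfctl -ss" might print; not captured from a real firewall.
# em0 plays the WAN interface, ovpnc1 the overlay the poster does not want WG traffic on.
SAMPLE_STATES='all udp 203.0.113.10:51820 <- 198.51.100.5:41234       MULTIPLE:MULTIPLE
em0 udp 203.0.113.10:51820 <- 198.51.100.5:41234       MULTIPLE:MULTIPLE
ovpnc1 udp 203.0.113.10:51820 -> 198.51.100.5:41234       MULTIPLE:MULTIPLE
em0 udp 203.0.113.10:51820 <- 198.51.100.77:60002       MULTIPLE:MULTIPLE
ovpnc1 udp 10.8.0.2:53412 -> 1.1.1.1:53       MULTIPLE:MULTIPLE'

# find_misrouted_wg_states STATES WAN_IFACE [PORT]
# Prints every UDP state whose local port is PORT (default 51820) and whose
# interface is neither WAN_IFACE nor the pseudo-interface "all".
find_misrouted_wg_states() {
    states=$1
    wan=$2
    port=${3:-$WG_PORT}
    printf '%s\n' "$states" | awk -v wan="$wan" -v port="$port" '
        $2 != "udp" { next }
        {
            # Field 3 is the local endpoint for both "<-" and "->" states;
            # take the text after the last ":" so IPv6 addresses also work.
            n = split($3, local, ":")
            lport = local[n]
            if (lport != port) next
            if ($1 == wan || $1 == "all") next
            print
        }'
}

# count_misrouted_wg_states STATES WAN_IFACE [PORT]
# Same filter, but prints only the number of offending states.
count_misrouted_wg_states() {
    find_misrouted_wg_states "$@" | wc -l | tr -d ' '
}

# Demo against the constructed sample. On a live box, replace "$SAMPLE_STATES"
# with "$(pfctl -ss)" and em0 with the real WAN interface name.
echo "WireGuard states not on em0:"
find_misrouted_wg_states "$SAMPLE_STATES" em0
echo "count: $(count_misrouted_wg_states "$SAMPLE_STATES" em0)"
```

Run it periodically (or right after switching a client tunnel off) to see whether an ovpnc1-bound state for port 51820 appears and how long it persists; the lifetime you observe should line up with the udp.* values from `pfctl -st`.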