Unsolicited UDP backscatter towards Wireguard client fills firewall logs

Started by OmnomBánhmì, May 02, 2025, 11:53:46 AM

My question is about what I see in logs of my OPNsense home router, relating to UDP traffic from other routers that is rejected. The "Default deny / state violation rule" catches these.

I do connect to those same endpoints with Wireguard occasionally, so it's all well-known IP addresses. The Wireguard endpoints the traffic is now unexpectedly coming from are remote locations I maintain. All routers run OPNsense.

My logins to remote sites are in roadwarrior mode, i.e. my home router establishes no site-to-site connection with the targets. It may happen that my local clients leave their tunnels up 24/7, but more often I shut them down as clients go "powersave"-off after work. I see these log entries for days after my last connection. My impression is that it does not seem to matter at all whether my clients are connected at that moment or not, or how long ago the last tunnel went up or down.

So somewhat surprisingly, protocol, address and source port number match my client setups. The destination port seems random. The scale is roughly 4:1 on my home router, i.e. the source IPv4 addresses of the remote sites in question make up 4x the amount of any other, as seen in Firewall Log Files - Overview - Source IPs.

General setups follow the OPNsense documentation, vanilla works for me. NAT reflection for port forwards and automatic outbound NAT for Reflection is off on the targets, and enabled on my home router.

Some of this is plausible, because any of these remote origins can know this router's public IPv4 and client Wireguard port number. The logs though suggest something is trying to contact back as if a connection that way was configured. It isn't, no remote clients are set up for establishing a tunnel towards my home location. Source seems to be the remote router itself in any case, but since I have not configured anything in the remote networks to connect "back home" to me I wonder. Is it all backscatter and really not noteworthy? Sure it is all noisy in the logs.

What mechanic is that traffic coming from?


WireGuard is essentially stateless and there are no "clients" and "servers", just peers. As long as you don't explicitly disable the WG instances at the remote sites, they're always up. Any traffic directed towards the allowed IPs configured at the remote WG instances will be sent through the tunnels. It doesn't matter whether a WG client on your local site is running or not.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
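As an added example (not code from the thread or from OPNsense), a small Python script that sorts blocked inbound UDP log lines by whether they come from a known peer's WireGuard listen port, which separates the noise Maurice describes from anything actually unexpected. The filterlog field order, the addresses and the ports are assumptions; check the field order against your own logs.

```python
"""Classify firewall 'block' lines for inbound UDP by source endpoint.
Assumed CSV layout (pfSense/OPNsense filterlog, IPv4): rulenr,subrulenr,anchor,
label,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto,protoname,
length,src,dst,sport,dport,datalen. Verify this against your own log lines."""
from collections import Counter

# Constructed values: remote WG endpoints (ip, listen port) and our own listen port.
KNOWN_WG_ENDPOINTS = {("203.0.113.10", 51820), ("198.51.100.20", 51820)}
LOCAL_WG_LISTEN_PORTS = {51820}

def parse_filterlog(line):
    """Return the fields this example needs, or None for non-IPv4 or short lines."""
    f = line.strip().split(",")
    if len(f) < 23 or f[8] != "4":
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16].lower(),
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}

def classify(rec):
    """Label one parsed record; only blocked inbound UDP is of interest here."""
    if rec is None or rec["proto"] != "udp" or rec["action"] != "block" or rec["dir"] != "in":
        return "ignored"
    if (rec["src"], rec["sport"]) in KNOWN_WG_ENDPOINTS:
        # From a peer's listen port: aimed at our listen port it is a handshake
        # attempt; aimed at a random high port it is the peer still sending to
        # the last NAT mapping it saw for us (the noise described in the thread).
        if rec["dport"] in LOCAL_WG_LISTEN_PORTS:
            return "wg-peer-to-listen-port"
        return "wg-peer-backscatter"
    return "unknown-udp"

def summarize(lines):
    """Count labels over an iterable of raw filterlog lines."""
    return Counter(classify(parse_filterlog(line)) for line in lines)

# Constructed sample lines (RFC 5737 addresses), not real log data.
SAMPLE = """\
5,,,d9f5d3f2,pppoe0,match,block,in,4,0x0,,57,0,0,none,17,udp,176,203.0.113.10,192.0.2.1,51820,43215,156
5,,,d9f5d3f2,pppoe0,match,block,in,4,0x0,,56,0,0,none,17,udp,176,198.51.100.20,192.0.2.1,51820,60012,156
5,,,d9f5d3f2,pppoe0,match,block,in,4,0x0,,57,0,0,none,17,udp,176,203.0.113.10,192.0.2.1,51820,51820,156
5,,,d9f5d3f2,pppoe0,match,block,in,4,0x0,,49,0,0,none,17,udp,84,192.0.2.77,192.0.2.1,12345,53,64
5,,,d9f5d3f2,pppoe0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,192.0.2.88,192.0.2.1,40000,22,0,S,12345,,65535,,mss
70,,,1a2b3c4d,pppoe0,match,pass,in,4,0x0,,57,0,0,none,17,udp,176,203.0.113.10,192.0.2.1,51820,51820,156
""".splitlines()

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE).items()):
        print(f"{label:25s} {n}")
```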