How to properly address asymmetric routing?

jfoxwu Posts: 4

I have an UnRaid server which also provides wireguard VPN service. I added the static route where the wireguard peer IP's next hop is set to the server IP and enabled "allow asymmetric routing" in USG40. If I don't allow the asymmetric routing, then I can only access the UnRaid server and none of the other LAN devices.

Please correct me if I am wrong here. My understanding is that when my wireguard client is trying to connect back home the route goes like this:

forward path: wireguard client -> internet -> gateway -> UnRaid server -> Win10 Machine on LAN

replying path: Win10 machine on LAN -> gateway -> internet -> wireguard client

Therefore the packet got dropped by the firewall due to the asymmetric nature.

Things are actually working just as I expected for now. However, according to Zyxel's manual, this approach might not be the most secure thing to do for a home network. How can I tackle this problem by adding additional firewall/static route/NAT rules for the LAN device?

All Replies

  • Zyxel_Stanley Posts: 1,136  Zyxel Employee

    Hi @jfoxwu

    This should be your topology:

    Wireguard client -> internet -> gateway -> UnRaid server -> Win10 Machine on LAN 

    Can you list all of the IP addresses in your topology? It would make it easier to know the routing path.

    And also explain these questions:

    What service port is the Wireguard VPN using? Did you create a port forwarding rule on the gateway?

    After building the tunnel, how did you connect to Win10? By RDP? ICMP? HTTP, etc.?

  • jfoxwu Posts: 4

    TL;DR I have identified the problem, and the solution is to use VLAN for my Windows machine.

    I have been reading 30+ pages of the wireguard support thread on UnRaid's user forum for the past few days. I finally noticed my glaring omission of my Windows machine being a VM living inside the UnRaid server. Due to this, when the wireguard client's packet leaves the tunnel on my UnRaid server, it got directly routed to the VM within the server itself, since the server and the Windows VM are on the same subnet and that is the shortest path.

    After configuring the Windows VM to use VLAN, the wireguard packet leaves the tunnel, goes to the gateway, and then finally back to the VM. No more asymmetric routing, and I can disable that option now.

  • Zyxel_Stanley Posts: 1,136  Zyxel Employee

    Hi @jfoxwu

    It's good to know you found the reason for it. :+1:
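
Added example, not part of the thread and not Zyxel or UnRaid code: a small Python model of the two layouts discussed above. It traces the decapsulated client packet and the VM's reply hop by hop and reports whether the gateway sees only one direction of the flow. All addresses and the `topology`, `path` and `check` names are constructed assumptions; only the static route (peer network via the server) comes from the thread.

```python
import ipaddress

PEER = "10.253.0.2"  # constructed WireGuard peer address (assumption)

def topology(vm_ip, vm_gw):
    """Constructed home network. Routes are (prefix, next hop); None means on-link."""
    vm_net = str(ipaddress.ip_interface(vm_ip + "/24").network)
    return {
        "unraid": {"addrs": {"192.168.1.10", "10.253.0.1"},
                   "routes": [("10.253.0.0/24", None), ("192.168.1.0/24", None),
                              ("0.0.0.0/0", "192.168.1.1")]},
        "gateway": {"addrs": {"192.168.1.1", "192.168.20.1"},
                    "routes": [("192.168.1.0/24", None), ("192.168.20.0/24", None),
                               # static route from the thread: peer IP via the server
                               ("10.253.0.0/24", "192.168.1.10")]},
        "vm": {"addrs": {vm_ip}, "routes": [(vm_net, None), ("0.0.0.0/0", vm_gw)]},
    }

def path(hosts, start, dst, max_hops=8):
    """Trace the inner (decapsulated) packet hop by hop using longest-prefix match."""
    hops, here = [start], start
    while dst not in hosts[here]["addrs"] and len(hops) < max_hops:
        nets = [(ipaddress.ip_network(p), via) for p, via in hosts[here]["routes"]]
        hits = [(n, via) for n, via in nets if ipaddress.ip_address(dst) in n]
        if not hits:
            hops.append("unreachable")
            break
        _, via = max(hits, key=lambda h: h[0].prefixlen)
        next_ip = via or dst  # on-link: deliver straight to the destination
        here = next((n for n, h in hosts.items() if next_ip in h["addrs"]), None)
        if here is None:  # the peer sits beyond the tunnel and is not modelled
            hops.append("tunnel")
            break
        hops.append(here)
    return hops

def check(vm_ip, vm_gw):
    """Return (forward path, return path, True if the gateway sees only one direction)."""
    hosts = topology(vm_ip, vm_gw)
    fwd = path(hosts, "unraid", vm_ip)  # client packet after decapsulation on the server
    ret = path(hosts, "vm", PEER)       # reply addressed to the WireGuard peer
    return fwd, ret, ("gateway" in fwd) != ("gateway" in ret)

if __name__ == "__main__":
    cases = {"VM on the server's subnet": ("192.168.1.20", "192.168.1.1"),
             "VM on its own VLAN": ("192.168.20.20", "192.168.20.1")}
    for label, args in cases.items():
        print(label, check(*args))
```

With the VM on the server's subnet the gateway appears only in the return path, which is the condition a stateful firewall rejects unless asymmetric routing is allowed; with the VM on its own VLAN the gateway is in both paths.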
