Bug #14200


WireGuard reply-to without NAT

Added by Carrnell Tech 2 months ago.

Very Low
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:


I have discovered that the WireGuard package requires the interface to have the gateway set for the reply-to rules to function as expected. However, this also creates an undesired auto NAT rules that need to be manually disabled in order to use the reply-to rules effectively.

I have posted all the detail and the road for my discovery on the forums and a great amount of detail along with it:

My hope is that one of the following fix ideas could be implemented:
  • Could add verbiage on the interface or package GUI to indicate that these steps are required for true reply-to packets to function.
  • Add some sort of check box to prevent the auto added NAT rules for WireGuard interfaces, or, a check box that adds reply-to rules without the need for gateway to be filled.
  • Or, if possible, change the WireGuard package in such a way that it treats the WireGuard interface with reply-to rules with or without the gateway being set in the interface.

To give you more of an idea of why I had more trouble with this particular part than anything previous is that I was migrating away from OpenVPN to WireGuard. Where OpenVPN functioned as desired without the gateway being set, I did not think to read the interface documentation mostly because the verbiage only mentions the need for it being set for internet access type scenarios, of which, I overlooked thinking it was unnecessary. On my testing environment, it was not until I started changing what I thought were unnecessary checkbox and dropdowns that I discovered the gateway was needed, I then started to read the documentation for it, which lead me to my final conclusion.

Appreciate your time!
Thank you!

No data to display


Also available in: Atom PDF