Skip to content

Fix bug of not explicitly binding to socket in send-linux#956

Merged
zakird merged 4 commits into
mainfrom
phillip/955-not-using-wireguard-tunnel
Nov 12, 2025
Merged

Fix bug of not explicitly binding to socket in send-linux#956
zakird merged 4 commits into
mainfrom
phillip/955-not-using-wireguard-tunnel

Conversation

@phillip-stephens
Copy link
Copy Markdown
Contributor

@phillip-stephens phillip-stephens commented Nov 10, 2025
edited
Loading

It seems that since we're using raw IP sockets, we need to explicitly bind to the socket to ensure we use it. I don't claim to fully understand what's happening internally here, but I tested extensively and everything seems to work as expected.

The entry in man socket for SO_BINDTODEVICE here mentions it as the socket option for binding to a IP socket. What it doesn't say and what I couldn't find documented anywhere is why the prior approach of setting the interface index on the socket works with raw sockets and sometimes IP sockets, but not always. In conclusion, not sure why we need to also add this socket option when using IP sockets, but it does seem to fix the problem.

Testing

Each case was run while tcpdump was running to confirm the correct interface was selected

Linux (Ubuntu 24.04)

tcpdump

sudo tcpdump -i any -nn '(tcp and dst port 53 and host 1.1.1.1)' -q

  • Base Case - Wireguard not running - Send TCP 1.1.1.1:53, interface not specified

    • Outcome - Traffic sent out default interface

  • Base Case - Wireguard not running - Send TCP 1.1.1.1:53, interface specified as loopback

    • Outcome - Error without specifying gateway-mac, packet sent on lo after specifying (expected)

  • Base Case - Wireguard not running - Send TCP 1.1.1.1:53, interface not specified, --iplayer

    • Outcome - Packet sent on default interface

  • Base Case - Wireguard not running - Send TCP 1.1.1.1:53, interface specified as loopback, iplayer

    • Outcome - Expected

  • Wireguard running, AllowedIPs 0.0.0.0/0 (all traffic thru Wireguard) - Send TCP 1.1.1.1:53, no interface specified

    • Outcome - Traffic takes the wg0 interface, expected

  • Wireguard running, AllowedIPs 0.0.0.0/0 (all traffic thru Wireguard) - Send TCP 1.1.1.1:53, Specify wg0

    • Outcome - Get error that we can't get the MAC address of the wg0 network, expected. Fixed error msg to inform users of using the --iplayer flag.

  • Wireguard running, AllowedIPs 0.0.0.0/0 (all traffic thru Wireguard) - Send TCP 1.1.1.1:53, no interface specified, --iplayer

    • Outcome - Success, sent out on the wg0 interface

  • Wireguard running, AllowedIPs 1.1.1.0/24 (only that subnet allowed thru Wireguard) - Send TCP 1.1.1.1:53, Specify wg0, --iplayer

    • Outcome - Success, sent on wg0

  • Wireguard running, AllowedIPs ``1.1.1.0/24` (only that subnet allowed thru Wireguard) - Send TCP 1.1.1.1:53, no interface specified

    • Outcome - Received error (expected) get_gateway: Unexpected hardware address length (0). If you are using a VPN, supply the --iplayer flag (and provide an interface via -i)

  • Wireguard running, AllowedIPs 1.1.1.0/24 (only that subnet allowed thru Wireguard) - Send TCP 1.1.1.1:53, Specify wg0

    • Outcome - Received error (expected) advise users to use --iplayer

  • Wireguard running, AllowedIPs 1.1.1.0/24 (only that subnet allowed thru Wireguard) - Send TCP 1.1.1.1:53, no interface specified, --iplayer

    • Outcome - SYN sent on enp0s8 (default interface). We do warn users this is occurring in debug logs and I think it's the best we can do since we're bypassing the kernel's IP routing tables with our raw IP socket.

  • Wireguard running, AllowedIPs 1.1.1.0/24 (only that subnet allowed thru Wireguard) - Send TCP 1.1.1.1:53, Specify wg0, --iplayer

    • Outcome - Traffic sent out on wg0

  • Wireguard running, AllowedIPs 1.1.1.0/24 (only that subnet allowed thru Wireguard) - Send TCP 8.8.8.8:53 (not a wg0 allowed IP), no interface specified, --iplayer

    • Outcome - SYN sent on enp0s8 (default interface). We do warn users this is occurring in debug logs and I think it's the best we can do since we're bypassing the kernel's IP routing tables with our raw IP socket.

  • Wireguard running, AllowedIPs 1.1.1.0/24 (only that subnet allowed thru Wireguard) - Send TCP 8.8.8.8:53 (not a wg0 allowed IP), --interface wg0, --iplayer

    • Outcome - Multiple errors when send was retried. It seems we successfully try to send on wg0 but Wireguard has internal logic to prevent traffic to non-allowed IPs from going out on that interface.

    Related Issues

Resolves #955

@phillip-stephens phillip-stephens marked this pull request as ready for review November 12, 2025 17:55
@phillip-stephens phillip-stephens changed the title WIP - fix bug of not explicitly binding to socket in send-linux Fix bug of not explicitly binding to socket in send-linux Nov 12, 2025
@zakird zakird merged commit 2d4277e into main Nov 12, 2025
12 checks passed
@zakird zakird deleted the phillip/955-not-using-wireguard-tunnel branch November 12, 2025 18:22
@BrewTestBot BrewTestBot mentioned this pull request May 29, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zakird zakird zakird approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Scanning is performed via Ethernet interface, although another interface is specified

2 participants

@phillip-stephens @zakird