Well, it was my claim originally, so the onus is on me to defend it.
The dst-nat to wan1ip has the problem that if wan1ip is lost (e.g. the wan1 interface goes down), then the packets are still dst-natted to wan1ip. The router does not have wan1ip as a a local address any more, so its not considered input, is never received by wireguard, and is in fact forwarded through the default. (If the firewall permits it.)
A packet capture for this scenario:
# TIME DIRECTION INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE
0 3.736 rx eoip-wan2 192.168.33.1:13231 192.168.112.10:13231 udp 190
1 3.742 tx eoip-wan2 192.168.112.10:13231 192.168.33.1:13231 udp 134
2 3.743 rx eoip-wan2 192.168.33.1:13231 192.168.112.10:13231 udp 74
3 13.853 rx eoip-wan2 192.168.33.1:13231 192.168.112.10:13231 udp 74
4 24.093 rx eoip-wan2 192.168.33.1:13231 192.168.112.10:13231 udp 74
5 34.333 rx eoip-wan2 192.168.33.1:13231 192.168.112.10:13231 udp 74
6 34.333 tx eoip-wan2 192.168.33.1:13231 192.168.111.10:13231 udp 74
7 44.573 rx eoip-wan2 192.168.33.1:13231 192.168.112.10:13231 udp 74
8 44.573 tx eoip-wan2 192.168.33.1:13231 192.168.111.10:13231 udp 74
9 54.813 rx eoip-wan2 192.168.33.1:13231 192.168.112.10:13231 udp 74
10 54.813 tx eoip-wan2 192.168.33.1:13231 192.168.111.10:13231 udp 74
The test setup is as per the initial setup in http://forum.mikrotik.com/t/routeros-blatantly-ignores-pref-src-can-this-really-be-a-bug/180360/72
Explanation:
0: incoming handshake req
1: outgoing handshake resp
2-4: incoming keepalives
*** here wan1 is brought down administratively
5: incoming keepalive
6: keepalive is routed back through wan2, with dst-address changed to wan1ip, never received by wg
(and the connection doesn’t recover)
@anav: In the other thread you made some interesting points. I’m going to respond, but that requires a bit more time to write it out 