
List:       wireguard
Subject:    Trouble understanding the role of persistent keep-alive
From:       Bogdan Bivolaru <bogdan.bivolaru () gmail ! com>
Date:       2018-01-21 11:49:07
Message-ID: CAEz1aPotZTHHa6HmEMC_ajMWF+RnQ1aZSGyRCoMcdgZzR2WjGQ () mail ! gmail ! com


Hello,

Thank you for your dedication to improving security.

I am writing to you because I do not understand the behavior of Wireguard
in my home lab.

In SUMMARY: Without KEEPALIVE on, after 1-2 hours my WG endpoints tend
to lose the ability to answer each other's ping signals. Usually this is
restored by sending pings on both ends. Sometimes though (see my config)
the list of ALLOWED-IPs is lost altogether and I have to re-add the peer
manually. AFAIK this is not a firewall issue on either the Ubuntu or the
OpenWrt side. What am I missing?


In DETAILS, with more context:
I have 2 devices:
 * laptop (172.21.15.118, Linux Mint 18.2 based on Ubuntu Xenial 16.04)
with WG version 0.0.20180118-wg1~xenial (from PPA);
 * router (172.21.15.224 => WAN port, OpenWrt 15.05 platform mvebu) with WG
version 0.0.20171017-1.

No special firewall rules for Wireguard are set up on either the router
or the laptop.

*Laptop* Wireguard config:
# wg
interface: wg0
  public key: XvuUjjO/iw5gNKFe5496u0sK75isEcguB1U8Srk5RCo=
  private key: (hidden)
  listening port: 51820

peer: I4PoxPUWykmlgCJqD7mjKKWIcF2zJif+mfQtdlG+xxg=
  endpoint: 172.21.15.224:51820
  allowed ips: 172.31.1.0/24, 172.21.0.0/16, 172.21.43.0/24
  latest handshake: 2 minutes, 17 seconds ago
  transfer: 51.72 KiB received, 85.04 KiB sent
  persistent keepalive: every 50 seconds

peer: UQzm7fFBBTnJY9BJRk7y1lJtzryFAR/1vDZGyL9Nv2I=
  endpoint: 172.21.15.224:45154
  allowed ips: (none)


*Router* Wireguard config:
interface: wg0
  public key: I4PoxPUWykmlgCJqD7mjKKWIcF2zJif+mfQtdlG+xxg=
  private key: (hidden)
  listening port: 51820

peer: XvuUjjO/iw5gNKFe5496u0sK75isEcguB1U8Srk5RCo=
  endpoint: 172.21.15.118:51820
  allowed ips: 172.31.1.0/24, 172.21.0.0/16, 172.21.43.0/24
  latest handshake: 2 minutes, 20 seconds ago
  transfer: 12.74 KiB received, 33.67 KiB sent
  persistent keepalive: every 50 seconds

peer: +Qs4tOrg2YqwCgmA10ZBGdvOgekkVry0ymYQcX09kns=
  endpoint: 172.21.15.118:51820
  allowed ips: (none)
  latest handshake: 31 minutes ago
  transfer: 36.13 KiB received, 86.55 KiB sent
  persistent keepalive: every 50 seconds


Now, with persistent-keepalive the connection appears to be holding and
latency seems constant at 0.5 ms. Without keepalive I have observed some
behavior I do not understand:

LAPTOP ~ # ping -I wg0 172.31.1.1
PING 172.31.1.1 (172.31.1.1) from 172.31.1.12 wg0: 56(84) bytes of data.
64 bytes from 172.31.1.1: icmp_seq=1 ttl=64 time=28348 ms
64 bytes from 172.31.1.1: icmp_seq=2 ttl=64 time=27347 ms

64 bytes from 172.31.1.1: icmp_seq=10 ttl=64 time=19203 ms
64 bytes from 172.31.1.1: icmp_seq=11 ttl=64 time=18179 ms

64 bytes from 172.31.1.1: icmp_seq=20 ttl=64 time=9023 ms
64 bytes from 172.31.1.1: icmp_seq=21 ttl=64 time=8003 ms

64 bytes from 172.31.1.1: icmp_seq=27 ttl=64 time=1913 ms
64 bytes from 172.31.1.1: icmp_seq=28 ttl=64 time=899 ms
64 bytes from 172.31.1.1: icmp_seq=29 ttl=64 time=0.439 ms

ROUTER ~ # ping -I wg0 172.31.1.12
PING 172.31.1.12 (172.31.1.12): 56 data bytes
64 bytes from 172.31.1.12: seq=0 ttl=64 time=8.298 ms
64 bytes from 172.31.1.12: seq=1 ttl=64 time=0.530 ms
64 bytes from 172.31.1.12: seq=2 ttl=64 time=0.483 ms

64 bytes from 172.31.1.12: seq=23 ttl=64 time=0.639 ms


So until I send ping signals from both ends, neither end of the wg link
"sees" the other.
The laptop waited 28 seconds for a response, which is roughly just after I
gave the ping command from the router to the laptop. This is not just
some latency problem: unless I send ping from both during the timeout
period, pinging from either side results in 100% packet loss.

Also, after a few hours of inactivity on WG, both ends lose the configured
allowed-ips and can be reconnected after a manual re-setup.

So I guess the question is: is the keepalive required to maintain the
connection, and does it degrade if not set? OR is it only for avoiding
firewall filtering? Also, should this be a firewall issue, how can I narrow
down which firewall is to blame?



And thank you in advance for your attention and support,
Bogdan BIV


"The best way to predict the future is to invent it.", 1971, Alan Kay:
http://www.smalltalk.org/alankay.html
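As an added example (not from the post or the WireGuard project), a small Python monitor that parses `wg show` output of the kind pasted above and flags peers that have no or stale handshakes, or that route traffic (non-empty allowed ips) without a persistent keepalive. The sample text is constructed from the laptop's output above and the 180 second staleness threshold is an assumption.

```python
import re
# Constructed sample: the laptop's `wg show` output quoted in the post above
SAMPLE_WG_SHOW = """\
interface: wg0

peer: I4PoxPUWykmlgCJqD7mjKKWIcF2zJif+mfQtdlG+xxg=
  endpoint: 172.21.15.224:51820
  allowed ips: 172.31.1.0/24, 172.21.0.0/16, 172.21.43.0/24
  latest handshake: 2 minutes, 17 seconds ago
  persistent keepalive: every 50 seconds

peer: UQzm7fFBBTnJY9BJRk7y1lJtzryFAR/1vDZGyL9Nv2I=
  endpoint: 172.21.15.224:45154
  allowed ips: (none)
"""

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_age(text):
    """'2 minutes, 17 seconds ago' -> 137 seconds."""
    return sum(int(n) * UNITS[u]
               for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", text))

def parse_wg_show(output):
    """Map each peer public key to its handshake age, keepalive and allowed ips."""
    peers, cur = {}, None
    for line in output.splitlines():
        if line.startswith("peer: "):
            cur = {"handshake_age": None, "keepalive": None, "allowed_ips": []}
            peers[line[6:]] = cur
        elif cur is not None and ": " in line:
            key, value = line.strip().split(": ", 1)
            if key == "latest handshake":
                cur["handshake_age"] = parse_age(value)
            elif key == "persistent keepalive":
                cur["keepalive"] = int(re.search(r"\d+", value).group())
            elif key == "allowed ips":
                cur["allowed_ips"] = [] if value == "(none)" else value.split(", ")
    return peers

def check_peers(peers, max_age=180):
    """(pubkey, reason) for peers worth alerting on; the 180 s threshold is an assumption."""
    findings = []
    for key, p in peers.items():
        age = p["handshake_age"]
        if age is None or age > max_age:
            findings.append((key, "no handshake" if age is None else "handshake %ds old" % age))
        if p["allowed_ips"] and p["keepalive"] is None:
            findings.append((key, "routes traffic but has no persistent keepalive"))
    return findings
```

Run it against live `wg show` output (e.g. piped through `sys.stdin.read()`) from cron to catch a link that has silently gone stale before the allowed-ips vanish.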




_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

