Development discussion of WireGuard
* Unable to serve TCP connections over wireguard interface on FreeBSD 13.0-RC2
@ 2021-03-18 20:31 Ashish
  2021-03-19 15:30 ` Matthew Poletiek
  0 siblings, 1 reply; 6+ messages in thread
From: Ashish @ 2021-03-18 20:31 UTC (permalink / raw)
  To: wireguard




[apologies, in case you receive duplicate messages]

Hi,

I'm running if_wg kernel module (git revision: 5ef4d3efa691e71) on
FreeBSD 13.0-RC2.

With 172.18.10.1 being my local host's wireguard interface's IP address,
I can receive SYN packets, but it does not seem to send any
corresponding SYN/ACK.

=========================
01:26:26.327484 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223949166 ecr
0,nop,wscale 7], length 0
01:26:42.708175 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223965550 ecr
0,nop,wscale 7], length 0
01:27:14.964162 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223997806 ecr
0,nop,wscale 7], length 0


01:28:34.035384 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
3991744006 ecr 0], length 0
01:28:34.035392 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
3991745042 ecr 0], length 0
01:28:34.036002 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
3991747129 ecr 0], length 0
=========================

ICMP works fine:

=========================
01:53:15.638529 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 0, length 64
01:53:15.638535 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 0, length 64
01:53:16.624443 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 1, length 64
01:53:16.624448 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 1, length 64
01:53:17.672109 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 2, length 64
01:53:17.672115 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 2, length 64
01:53:18.676223 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 3, length 64
01:53:18.676230 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 3, length 64
01:53:19.682131 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 4, length 64
01:53:19.682136 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 4, length 64
=========================

And I can make outbound TCP connections:

=========================
01:50:43.267331 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [S], seq
2119392003, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
1918472905 ecr 0], length 0
01:50:43.415524 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [S.], seq
2602046635, ack 2119392004, win 65535, options [mss 1380,nop,wscale
11,sackOK,TS val 1347987709 ecr 1918472905], length 0
01:50:43.415532 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [.], ack 1,
win 33, options [nop,nop,TS val 1918473053 ecr 1347987709], length 0
01:50:43.415613 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
1:31, ack 1, win 33, options [nop,nop,TS val 1918473053 ecr 1347987709],
length 30
01:50:43.614035 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
1:39, ack 31, win 33, options [nop,nop,TS val 1347987870 ecr
1918473053], length 38
01:50:43.653218 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [.], ack
39, win 33, options [nop,nop,TS val 1918473291 ecr 1347987870], length 0
01:50:43.693420 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
31:1055, ack 39, win 33, options [nop,nop,TS val 1918473331 ecr
1347987870], length 1024
01:50:43.693435 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
1055:1543, ack 39, win 33, options [nop,nop,TS val 1918473331 ecr
1347987870], length 488
01:50:43.818391 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
39:1119, ack 31, win 33, options [nop,nop,TS val 1347988093 ecr
1918473291], length 1080
01:50:43.819870 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
1543:1591, ack 1119, win 33, options [nop,nop,TS val 1918473457 ecr
1347988093], length 48
01:50:43.880995 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [.], ack
1543, win 33, options [nop,nop,TS val 1347988163 ecr 1918473331], length 0
01:50:43.991756 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
1119:1571, ack 1591, win 33, options [nop,nop,TS val 1347988277 ecr
1918473457], length 452
=========================

The tunnel is configured using `wg-quick'. The firewalls are unloaded
for this testing. I have made sure to delete the if_wg.ko shipped with
FreeBSD, and rebooted the host before trying this.

And of course, if I switch to userspace Go implementation, everything
works as expected, keeping rest of the configuration same, and with
firewalls enabled.

Thanks!
-- 
Ashish
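
The symptom reported above (inbound SYNs retransmitted with no SYN/ACK, while outbound handshakes complete) can be checked mechanically from tcpdump text output. This is an added example, not part of the original post; the function names are hypothetical and the sample capture is constructed, modelled on the post's output.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump text format, modelled on the capture in the
# post, including the line wrapping a mail client introduces.
SAMPLE = """\
01:26:26.327484 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223949166 ecr
0,nop,wscale 7], length 0
01:26:42.708175 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223965550 ecr
0,nop,wscale 7], length 0
01:50:43.267331 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [S], seq
2119392003, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
1918472905 ecr 0], length 0
01:50:43.415524 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [S.], seq
2602046635, ack 2119392004, win 65535, options [mss 1380,nop,wscale
11,sackOK,TS val 1347987709 ecr 1918472905], length 0
01:50:43.415532 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [.], ack 1,
win 33, options [nop,nop,TS val 1918473053 ecr 1347987709], length 0
01:53:15.638529 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 0, length 64
"""

RECORD_START = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
TCP = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)")


def unwrap(text):
    """Re-join tcpdump records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def unanswered_syns(text):
    """Map (client, server, ISN) -> SYN timestamps for handshakes with no SYN/ACK."""
    syns = defaultdict(list)
    answered = set()
    for rec in unwrap(text):
        m = TCP.match(rec)
        if not m:
            continue  # ICMP, or TCP segments that carry no seq field
        if m["flags"] == "S":
            syns[(m["src"], m["dst"], int(m["seq"]))].append(m["ts"])
        elif m["flags"] == "S.":
            ack = re.search(r"\back (\d+)", rec)
            if ack:  # a SYN/ACK acknowledges the client's ISN + 1
                answered.add((m["dst"], m["src"], int(ack[1]) - 1))
    return {k: v for k, v in syns.items() if k not in answered}


if __name__ == "__main__":
    for (client, server, isn), stamps in unanswered_syns(SAMPLE).items():
        print(f"{client} -> {server} isn={isn}: {len(stamps)} SYN(s), no SYN/ACK")
```

Repeated timestamps under one ISN are retransmissions of the same SYN, which is what distinguishes a silent listener from a client opening several connections.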



* Re: Unable to serve TCP connections over wireguard interface on FreeBSD 13.0-RC2
  2021-03-18 20:31 Unable to serve TCP connections over wireguard interface on FreeBSD 13.0-RC2 Ashish
@ 2021-03-19 15:30 ` Matthew Poletiek
  0 siblings, 0 replies; 6+ messages in thread
From: Matthew Poletiek @ 2021-03-19 15:30 UTC (permalink / raw)
  To: Ashish; +Cc: wireguard

Random thought,

Have you tried adjusting MTU?

Depending on the client/application, I have better luck with something
around 1300.
-------------------------------------------
Matthew Poletiek
303.810.9082
matthew.poletiek@gmail.com
www.matthewpoletiek.com



On Fri, Mar 19, 2021 at 9:09 AM Ashish <ashish.is@lostca.se> wrote:
>
>
> [apologies, in case you receive duplicate messages]
>
> Hi,
>
> I'm running if_wg kernel module (git revision: 5ef4d3efa691e71) on
> FreeBSD 13.0-RC2.
>
> With 172.18.10.1 being my local host's wireguard interface's IP address,
> I can receive SYN packets, but it does not seem to send any
> corresponding SYN/ACK.
>
> =========================
> 01:26:26.327484 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
> 1278197331, win 64860, options [mss 1380,sackOK,TS val 223949166 ecr
> 0,nop,wscale 7], length 0
> 01:26:42.708175 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
> 1278197331, win 64860, options [mss 1380,sackOK,TS val 223965550 ecr
> 0,nop,wscale 7], length 0
> 01:27:14.964162 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
> 1278197331, win 64860, options [mss 1380,sackOK,TS val 223997806 ecr
> 0,nop,wscale 7], length 0
>
>
> 01:28:34.035384 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
> 2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
> 3991744006 ecr 0], length 0
> 01:28:34.035392 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
> 2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
> 3991745042 ecr 0], length 0
> 01:28:34.036002 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
> 2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
> 3991747129 ecr 0], length 0
> =========================
>
> ICMP works fine:
>
> =========================
> 01:53:15.638529 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
> 47881, seq 0, length 64
> 01:53:15.638535 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
> seq 0, length 64
> 01:53:16.624443 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
> 47881, seq 1, length 64
> 01:53:16.624448 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
> seq 1, length 64
> 01:53:17.672109 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
> 47881, seq 2, length 64
> 01:53:17.672115 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
> seq 2, length 64
> 01:53:18.676223 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
> 47881, seq 3, length 64
> 01:53:18.676230 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
> seq 3, length 64
> 01:53:19.682131 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
> 47881, seq 4, length 64
> 01:53:19.682136 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
> seq 4, length 64
> =========================
>
> And I can make outbound TCP connections:
>
> =========================
> 01:50:43.267331 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [S], seq
> 2119392003, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
> 1918472905 ecr 0], length 0
> 01:50:43.415524 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [S.], seq
> 2602046635, ack 2119392004, win 65535, options [mss 1380,nop,wscale
> 11,sackOK,TS val 1347987709 ecr 1918472905], length 0
> 01:50:43.415532 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [.], ack 1,
> win 33, options [nop,nop,TS val 1918473053 ecr 1347987709], length 0
> 01:50:43.415613 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
> 1:31, ack 1, win 33, options [nop,nop,TS val 1918473053 ecr 1347987709],
> length 30
> 01:50:43.614035 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
> 1:39, ack 31, win 33, options [nop,nop,TS val 1347987870 ecr
> 1918473053], length 38
> 01:50:43.653218 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [.], ack
> 39, win 33, options [nop,nop,TS val 1918473291 ecr 1347987870], length 0
> 01:50:43.693420 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
> 31:1055, ack 39, win 33, options [nop,nop,TS val 1918473331 ecr
> 1347987870], length 1024
> 01:50:43.693435 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
> 1055:1543, ack 39, win 33, options [nop,nop,TS val 1918473331 ecr
> 1347987870], length 488
> 01:50:43.818391 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
> 39:1119, ack 31, win 33, options [nop,nop,TS val 1347988093 ecr
> 1918473291], length 1080
> 01:50:43.819870 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
> 1543:1591, ack 1119, win 33, options [nop,nop,TS val 1918473457 ecr
> 1347988093], length 48
> 01:50:43.880995 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [.], ack
> 1543, win 33, options [nop,nop,TS val 1347988163 ecr 1918473331], length 0
> 01:50:43.991756 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
> 1119:1571, ack 1591, win 33, options [nop,nop,TS val 1347988277 ecr
> 1918473457], length 452
> =========================
>
> The tunnel is configured using `wg-quick'. The firewalls are unloaded
> for this testing. I have made sure to delete the if_wg.ko shipped with
> FreeBSD, and rebooted the host before trying this.
>
> And of course, if I switch to userspace Go implementation, everything
> works as expected, keeping rest of the configuration same, and with
> firewalls enabled.
>
> Thanks!
> --
> Ashish
>


* Re: Unable to serve TCP connections over wireguard interface on FreeBSD 13.0-RC2
  2021-03-19 16:48   ` Jason A. Donenfeld
@ 2021-03-19 20:11     ` Ashish SHUKLA
  0 siblings, 0 replies; 6+ messages in thread
From: Ashish SHUKLA @ 2021-03-19 20:11 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On 2021-03-19 22:18, Jason A. Donenfeld wrote:
> Hi Ashish,
> 
> Fixed:
> https://git.zx2c4.com/wireguard-freebsd/commit/?id=bb59a61785322a086dfc437c51e7cbcd918a5241
> 
> Thanks for the report.
> 
> Jason

Seems to work as expected now, thank you.

--
Ashish

“There was truth and there was untruth, and if you clung to the truth 
even against the whole world, you were not mad.”
        -- George Orwell, "Nineteen Eighty-Four"


* Re: Unable to serve TCP connections over wireguard interface on FreeBSD 13.0-RC2
  2021-03-19 16:15 ` Jason A. Donenfeld
@ 2021-03-19 16:48   ` Jason A. Donenfeld
  2021-03-19 20:11     ` Ashish SHUKLA
  0 siblings, 1 reply; 6+ messages in thread
From: Jason A. Donenfeld @ 2021-03-19 16:48 UTC (permalink / raw)
  To: Ashish; +Cc: WireGuard mailing list

Hi Ashish,

Fixed: https://git.zx2c4.com/wireguard-freebsd/commit/?id=bb59a61785322a086dfc437c51e7cbcd918a5241

Thanks for the report.

Jason


* Re: Unable to serve TCP connections over wireguard interface on FreeBSD 13.0-RC2
  2021-03-18 20:28 Ashish
@ 2021-03-19 16:15 ` Jason A. Donenfeld
  2021-03-19 16:48   ` Jason A. Donenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Jason A. Donenfeld @ 2021-03-19 16:15 UTC (permalink / raw)
  To: Ashish; +Cc: WireGuard mailing list

Hi Ashish,

On Fri, Mar 19, 2021 at 8:06 AM Ashish <ashish.is@lostca.se> wrote:
> I'm running if_wg kernel module (git revision: 5ef4d3efa691e71) on
> FreeBSD 13.0-RC2.
>
> With 172.18.10.1 being my local host's wireguard interface's IP address,
> I can receive SYN packets, but it does not seem to send any
> corresponding SYN/ACK.

Huh, that's curious. I'll look into it and play around. One
peculiarity I noticed in this thing is that it calls the ip_input
function directly, which other drivers don't seem to do.

Regards,
Jason


* Unable to serve TCP connections over wireguard interface on FreeBSD 13.0-RC2
@ 2021-03-18 20:28 Ashish
  2021-03-19 16:15 ` Jason A. Donenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Ashish @ 2021-03-18 20:28 UTC (permalink / raw)
  To: wireguard



Hi,

I'm running if_wg kernel module (git revision: 5ef4d3efa691e71) on
FreeBSD 13.0-RC2.

With 172.18.10.1 being my local host's wireguard interface's IP address,
I can receive SYN packets, but it does not seem to send any
corresponding SYN/ACK.

=========================
01:26:26.327484 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223949166 ecr
0,nop,wscale 7], length 0
01:26:42.708175 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223965550 ecr
0,nop,wscale 7], length 0
01:27:14.964162 IP 172.18.10.3.34160 > 172.18.10.1.22: Flags [S], seq
1278197331, win 64860, options [mss 1380,sackOK,TS val 223997806 ecr
0,nop,wscale 7], length 0


01:28:34.035384 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
3991744006 ecr 0], length 0
01:28:34.035392 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
3991745042 ecr 0], length 0
01:28:34.036002 IP 172.18.10.2.41905 > 172.18.10.1.22: Flags [S], seq
2569759726, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
3991747129 ecr 0], length 0
=========================

ICMP works fine:

=========================
01:53:15.638529 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 0, length 64
01:53:15.638535 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 0, length 64
01:53:16.624443 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 1, length 64
01:53:16.624448 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 1, length 64
01:53:17.672109 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 2, length 64
01:53:17.672115 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 2, length 64
01:53:18.676223 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 3, length 64
01:53:18.676230 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 3, length 64
01:53:19.682131 IP 172.18.10.2 > 172.18.10.1: ICMP echo request, id
47881, seq 4, length 64
01:53:19.682136 IP 172.18.10.1 > 172.18.10.2: ICMP echo reply, id 47881,
seq 4, length 64
=========================

And I can make outbound TCP connections:

=========================
01:50:43.267331 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [S], seq
2119392003, win 65535, options [mss 1380,nop,wscale 11,sackOK,TS val
1918472905 ecr 0], length 0
01:50:43.415524 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [S.], seq
2602046635, ack 2119392004, win 65535, options [mss 1380,nop,wscale
11,sackOK,TS val 1347987709 ecr 1918472905], length 0
01:50:43.415532 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [.], ack 1,
win 33, options [nop,nop,TS val 1918473053 ecr 1347987709], length 0
01:50:43.415613 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
1:31, ack 1, win 33, options [nop,nop,TS val 1918473053 ecr 1347987709],
length 30
01:50:43.614035 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
1:39, ack 31, win 33, options [nop,nop,TS val 1347987870 ecr
1918473053], length 38
01:50:43.653218 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [.], ack
39, win 33, options [nop,nop,TS val 1918473291 ecr 1347987870], length 0
01:50:43.693420 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
31:1055, ack 39, win 33, options [nop,nop,TS val 1918473331 ecr
1347987870], length 1024
01:50:43.693435 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
1055:1543, ack 39, win 33, options [nop,nop,TS val 1918473331 ecr
1347987870], length 488
01:50:43.818391 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
39:1119, ack 31, win 33, options [nop,nop,TS val 1347988093 ecr
1918473291], length 1080
01:50:43.819870 IP 172.18.10.1.55541 > 172.18.10.2.22: Flags [P.], seq
1543:1591, ack 1119, win 33, options [nop,nop,TS val 1918473457 ecr
1347988093], length 48
01:50:43.880995 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [.], ack
1543, win 33, options [nop,nop,TS val 1347988163 ecr 1918473331], length 0
01:50:43.991756 IP 172.18.10.2.22 > 172.18.10.1.55541: Flags [P.], seq
1119:1571, ack 1591, win 33, options [nop,nop,TS val 1347988277 ecr
1918473457], length 452
=========================



The tunnel is configured using `wg-quick'. The firewalls are unloaded
for this testing.
I have made sure to delete the if_wg.ko shipped with FreeBSD, and
rebooted the host before trying this.



And of course, if I switch to userspace Go implementation, everything
works as expected, keeping rest of the configuration same, and with
firewalls enabled.

Thanks!
-- 
Ashish


