Development discussion of WireGuard
* Invalid handshake initiation after peer reboot: bug?
@ 2020-08-21 20:42 Eicke Herbertz
  2020-08-22 19:11 ` Jason A. Donenfeld
  0 siblings, 1 reply; 3+ messages in thread
From: Eicke Herbertz @ 2020-08-21 20:42 UTC (permalink / raw)
  To: wireguard



Hi,

we are currently rolling out some OpenWrt devices that are clients to a
WireGuard VPN. Everything was normal while they were in-house, but since
they are in the customer's network, we got issues.

The first connection succeeds, but after a reboot of the client, the
server logs an Invalid handshake initiation. A restart of the server's
WireGuard interfaces makes a connection possible again.

As we strongly suspected issues in the customer's network, we waited
without checking at first, and apparently it takes two to three hours
of invalid handshakes until some, yet unknown, thing happens that
enables the connection without restarting the interface.

Clients are running:
OpenWrt 19.07.3 (r11063-85e04e9f46)
Kernel 4.14.180
WireGuard 1.0.20200506

Server is running Kernel 5.8.2 with in-tree WireGuard.

I am unable to reproduce this in my home and company networks with
identical devices. Several other devices work fine as well. I am not
sure where to look and what to look for.

Any help is appreciated!
Eicke




* Re: Invalid handshake initiation after peer reboot: bug?
  2020-08-21 20:42 Invalid handshake initiation after peer reboot: bug? Eicke Herbertz
@ 2020-08-22 19:11 ` Jason A. Donenfeld
  2020-08-24 18:19   ` Eicke Herbertz
  0 siblings, 1 reply; 3+ messages in thread
From: Jason A. Donenfeld @ 2020-08-22 19:11 UTC (permalink / raw)
  To: Eicke Herbertz; +Cc: WireGuard mailing list

Hi Eicke,

It could be a customer's network is mangling packets or something,
though that seems least likely. More probably, if you're dealing with
tiny devices, might it be that they don't have a real time clock
battery? WireGuard relies on a timestamp counter always moving
forward. It doesn't have to be accurate, but it just can't move
backwards. So you might try syncing your OpenWRT router to some
network time server of sorts before initiating a WireGuard handshake.

Jason


* Re: Invalid handshake initiation after peer reboot: bug?
  2020-08-22 19:11 ` Jason A. Donenfeld
@ 2020-08-24 18:19   ` Eicke Herbertz
  0 siblings, 0 replies; 3+ messages in thread
From: Eicke Herbertz @ 2020-08-24 18:19 UTC (permalink / raw)
  To: jason; +Cc: wireguard, wolletd



Hi Jason,

thanks for your help, you were correct!
It dawned on me the moment I read "real time clock": While OpenWRT
enables network time synchronization by default, our customer blocks all
internet access other than to our VPN server for the devices. That's why
it wasn't reproducible in the office.
After pointing NTP to our server as well, WireGuard is back to its
instantaneous beauty.

Would it be feasible to distinguish some cases of "Invalid handshake" in
the debug log? Simply reading "replay" somewhere would've helped
probably. I'm using WireGuard for about two years now and this was the
first time I actually had to enable debug logging to understand my
issue, but the debug logging didn't help much.

Eicke




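The mechanism Jason describes (the handshake initiation carries a TAI64N timestamp, and the responder only accepts an initiation whose timestamp is strictly greater than the last one it accepted from that peer) and the "please say replay in the log" request from Eicke's follow-up are both illustrated by the following simulation. This is an added example, not code from the thread or from the WireGuard project: the TAI64N encoding follows the protocol description (2^62 + Unix seconds as 8 bytes big-endian, then 4 bytes of nanoseconds), but the `Responder` class, its log strings and the clock values in `simulate_reboot_without_rtc` are constructed for illustration. The real kernel implementation also rate-limits initiations and coarsens the nanosecond field; that is not modelled here.

```python
"""Simulation of WireGuard's handshake-timestamp replay rule.

Added example (not WireGuard project code). TAI64N layout per the protocol
description; Responder and its log lines are illustrative assumptions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

TAI64_OFFSET = 1 << 62  # TAI64 second labels are offset by 2^62


def tai64n(unix_seconds: int, nanoseconds: int = 0) -> bytes:
    """Encode a wall-clock time as a 12-byte TAI64N label (big-endian)."""
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds out of range")
    return struct.pack(">QI", TAI64_OFFSET + unix_seconds, nanoseconds)


def decode_tai64n(label: bytes) -> tuple[int, int]:
    """Inverse of tai64n(); used only to make log lines readable."""
    secs, nanos = struct.unpack(">QI", label)
    return secs - TAI64_OFFSET, nanos


@dataclass
class Responder:
    """Minimal model of the server side of the handshake (constructed)."""
    latest_timestamp: dict[str, bytes] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def handle_initiation(self, peer: str, timestamp: bytes) -> str:
        """Accept only if the timestamp is strictly newer than the last one
        accepted for this peer. Returns 'accepted' or a rejection reason.

        Fixed-length big-endian labels compare numerically under bytewise
        (memcmp-style) comparison, so plain `<=` implements the rule.
        """
        last = self.latest_timestamp.get(peer)
        if last is not None and timestamp <= last:
            # Illustrative log text: the distinction Eicke asked for.
            self.log.append(
                f"Invalid handshake initiation from {peer}: timestamp "
                f"{decode_tai64n(timestamp)} is not newer than "
                f"{decode_tai64n(last)} (replayed or clock went backwards)"
            )
            return "replayed-timestamp"
        self.latest_timestamp[peer] = timestamp
        self.log.append(f"Handshake initiation accepted from {peer}")
        return "accepted"


def simulate_reboot_without_rtc() -> list[str]:
    """Replay the scenario from the thread with constructed clock values:
    1. a client with a correct clock handshakes successfully;
    2. it reboots without an RTC battery, its clock falls back to an old
       date, and the initiation is rejected as not newer than the last one;
    3. after NTP sync the clock is ahead again and the handshake succeeds.
    """
    server = Responder()
    peer = "openwrt-client-1"  # constructed peer name
    outcomes = []
    # 1. correct wall-clock time (constructed value)
    outcomes.append(server.handle_initiation(peer, tai64n(1_598_040_000)))
    # 2. after reboot: clock reset to an old default date (constructed)
    outcomes.append(server.handle_initiation(peer, tai64n(1_577_836_800)))
    # 3. after NTP sync: clock is ahead of the last accepted timestamp
    outcomes.append(server.handle_initiation(peer, tai64n(1_598_040_600)))
    return outcomes


if __name__ == "__main__":
    responder_outcomes = simulate_reboot_without_rtc()
    print(responder_outcomes)
```

Running the simulation shows the three outcomes in order (accepted, replayed-timestamp, accepted) and, in the log, a rejection line that names the replayed timestamp and the one it was compared against. The takeaway for an operator is that a rejected initiation right after a client reboot is an expected consequence of the client's clock moving backwards, and the fix lives on the client (a reachable time source before the first handshake), not on the server.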