* Invalid handshake initiation after peer reboot: bug?
From: Eicke Herbertz @ 2020-08-21 20:42 UTC (permalink / raw)
To: wireguard
Hi,
we are currently rolling out some OpenWrt devices that are clients to a
WireGuard VPN. Everything was normal while they were in-house, but since
they are in the customer's network, we got issues.
The first connection succeeds, but after a reboot of the client, the
server logs an Invalid handshake initiation. A restart of the server's
WireGuard interfaces makes a connection possible again.
As we strongly suspected issues in the customer's network, we waited
without checking at first – and apparently, it takes two to three hours
of invalid handshakes until some, yet unknown, thing happens that
enables the connection without restarting the interface.
Clients are running:
OpenWrt 19.07.3 (r11063-85e04e9f46)
Kernel 4.14.180
WireGuard 1.0.20200506
Server is running Kernel 5.8.2 with in-tree WireGuard.
I am unable to reproduce this in my home and company networks with
identical devices. Several other devices work fine as well. I am not
sure where to look and what to look for.
Any help is appreciated!
Eicke
* Re: Invalid handshake initiation after peer reboot: bug?
From: Jason A. Donenfeld @ 2020-08-22 19:11 UTC (permalink / raw)
To: Eicke Herbertz; +Cc: WireGuard mailing list
Hi Eicke,
It could be a customer's network is mangling packets or something,
though that seems least likely. More probably, if you're dealing with
tiny devices, might it be that they don't have a real time clock
battery? WireGuard relies on a timestamp counter always moving
forward. It doesn't have to be accurate, but it just can't move
backwards. So you might try syncing your OpenWrt router to some
network time server of sorts before initiating a WireGuard handshake.
Jason
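
The timestamp check described in the reply above, sketched as an added example (not code from this thread or from WireGuard itself): the responder keeps the greatest handshake-initiation timestamp it has accepted from a peer and rejects any initiation that is not strictly newer. The function names, the clock values and the assumption that restarting the server interface discards the stored per-peer timestamp are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAI64N_LEN 12
#define T_SYNCED 1598000000ULL /* constructed: client clock after a time sync */
#define T_STALE  1590000000ULL /* constructed: clock reset to an older value at boot */

/* TAI64N: 8 bytes big-endian seconds (2^62 + 10 + Unix time), 4 bytes nanoseconds. */
static void tai64n_encode(uint8_t out[TAI64N_LEN], uint64_t unix_sec, uint32_t nsec)
{
    uint64_t sec = 0x400000000000000aULL + unix_sec;
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(sec >> (56 - 8 * i));
    for (int i = 0; i < 4; i++)
        out[8 + i] = (uint8_t)(nsec >> (24 - 8 * i));
}

/* Replay check on `latest`, the greatest timestamp accepted from this peer:
 * only a strictly greater one passes. Big-endian bytes make memcmp chronological. */
static bool accept_initiation(uint8_t latest[TAI64N_LEN], const uint8_t ts[TAI64N_LEN])
{
    if (memcmp(ts, latest, TAI64N_LEN) <= 0)
        return false;
    memcpy(latest, ts, TAI64N_LEN);
    return true;
}

/* First handshake with a synced clock, then the client reboots.
 * Returns whether the initiation sent after the reboot is accepted. */
bool handshake_after_reboot(bool client_syncs_clock, bool server_state_reset)
{
    uint8_t latest[TAI64N_LEN] = {0}, ts[TAI64N_LEN];
    tai64n_encode(ts, T_SYNCED, 0);
    if (!accept_initiation(latest, ts))
        return false;
    if (server_state_reset) /* assumption: interface restart drops peer state */
        memset(latest, 0, TAI64N_LEN);
    tai64n_encode(ts, client_syncs_clock ? T_SYNCED + 120 : T_STALE, 0);
    return accept_initiation(latest, ts);
}

int main(void)
{
    printf("stale clock: %d, synced first: %d, server reset: %d\n",
           handshake_after_reboot(false, false), handshake_after_reboot(true, false),
           handshake_after_reboot(false, true));
    return 0;
}
```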