[macOS] possible bug

Development discussion of WireGuard
 help / color / mirror / Atom feed

* [macOS] possible bug
@ 2022-01-17 19:49 Richard Werner
  2022-01-25 16:47 ` Perry The Cynic
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Werner @ 2022-01-17 19:49 UTC (permalink / raw)
  To: wireguard

Hi everyone.
We found a strange issue regarding macOS client and hope this is a proper way to start (and get some help debugging) a possible bug.
I’ve not been able to capture the actual error message shown to the user, but I have the a log file.

What seem to happen is something like this:
1. Have a working configuration.
2. Some unknown event happens (still investigating).
3. An error message is shown (something along the lines of "unable to read config”).
4. Orphaned configs are removed, but there seems to be more going on which we can’t identify.
5. No WG VPN's will work regardless of removing configs, keychains, etc.

Even if all tunnels are removed and added again, no traffic leaves the client. It effectively enters a state of not being able to use any wireguards vpns on the client.


Some entries from the log that shows going from working to not functioning will follow.
More complete log at https://pastebin.com/m2MqHhPF

-Working:
2022-01-17 17:55:59.292781: [NET] peer(ZY6x…1ZBc) - Sending handshake initiation
2022-01-17 17:55:59.337042: [NET] peer(ZY6x…1ZBc) - Received handshake response
2022-01-17 17:59:22.007634: [NET] peer(ZY6x…1ZBc) - Receiving keepalive packet

-Error message is shown:
2022-01-17 18:35:29.081737: [APP] App version: 1.0.15 (26)
2022-01-17 18:36:22.662281: [APP] startActivation: Entering (tunnel: VPN X)
2022-01-17 18:36:23.490825: [APP] Unable to open config from keychain: -25300
2022-01-17 18:36:23.491058: [APP] startActivation: Starting tunnel
2022-01-17 18:36:23.491288: [APP] startActivation: Success
2022-01-17 18:36:23.497349: [APP] Tunnel 'VPN X' connection status changed to 'connecting'
2022-01-17 18:36:23.582298: [APP] Unable to open config from keychain: -25300
2022-01-17 18:36:28.491285: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connecting'.
2022-01-17 18:36:29.517132: [APP] Unable to open config from keychain: -25300

-Tunnel config is removed:
2022-01-17 18:38:47.127836: [APP] App version: 1.0.15 (26)
2022-01-17 18:38:47.337355: [APP] Removing orphaned tunnel with non-verifying keychain entry: VPN X

-Tunnel now fails with same config (imported or manually entered)
2022-01-17 18:39:51.924221: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connected'.
2022-01-17 18:39:52.248987: [NET] peer(ZY6x…1ZBc) - Sending handshake initiation
2022-01-17 18:39:57.410547: [NET] peer(ZY6x…1ZBc) - Handshake did not complete after 5 seconds, retrying (try 2)
2022-01-17 18:39:57.410877: [NET] peer(ZY6x…1ZBc) - Sending handshake initiation
2022-01-17 18:39:57.411226: [NET] peer(ZY6x…1ZBc) - Failed to send handshake initiation: write udp4 0.0.0.0:52982-><server ip>:443: sendto: broken pipe
[…]
2022-01-17 18:40:00.396146: [APP] Tunnel 'VPN X' connection status changed to 'disconnected'
2022-01-17 18:41:27.735004: [APP] Tunnel 'VPN X' connection status changed to ‘invalid'


—Richard


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [macOS] possible bug
  2022-01-17 19:49 [macOS] possible bug Richard Werner
@ 2022-01-25 16:47 ` Perry The Cynic
  0 siblings, 0 replies; 2+ messages in thread
From: Perry The Cynic @ 2022-01-25 16:47 UTC (permalink / raw)
  To: Richard Werner; +Cc: wireguard

FWIW, -25300 is errSecItemNotFound (keychain item not found). The MacOS keychain environment is much more complex than on iOS (in fact, there’s an iOS port inside it). Check whether the affected environments have multiple keychains (which can confuse the “exists” issue), and look (with Keychain Access.app) for broken items that keep the code from recreating good items with a particular primary key. The "Removing orphaned tunnel with non-verifying keychain entry” message points that way.

See if you can reproduce with a fresh user account (which comes with a fresh keychain configuration); if resetting the keychain environment cures the problem, you’re very likely looking at a broken item and/or broken cleanup code.

Cheers
  — perry


> On Jan 17, 2022, at 11:49 AM, Richard Werner <richard@netcore.se> wrote:
> 
> Hi everyone.
> We found a strange issue regarding macOS client and hope this is a proper way to start (and get some help debugging) a possible bug.
> I’ve not been able to capture the actual error message shown to the user, but I have the a log file.
> 
> What seem to happen is something like this:
> 1. Have a working configuration.
> 2. Some unknown event happens (still investigating).
> 3. An error message is shown (something along the lines of "unable to read config”).
> 4. Orphaned configs are removed, but there seems to be more going on which we can’t identify.
> 5. No WG VPN's will work regardless of removing configs, keychains, etc.
> 
> Even if all tunnels are removed and added again, no traffic leaves the client. It effectively enters a state of not being able to use any wireguards vpns on the client.
> 
> 
> Some entries from the log that shows going from working to not functioning will follow.
> More complete log at https://pastebin.com/m2MqHhPF
> 
> -Working:
> 2022-01-17 17:55:59.292781: [NET] peer(ZY6x…1ZBc) - Sending handshake initiation
> 2022-01-17 17:55:59.337042: [NET] peer(ZY6x…1ZBc) - Received handshake response
> 2022-01-17 17:59:22.007634: [NET] peer(ZY6x…1ZBc) - Receiving keepalive packet
> 
> -Error message is shown:
> 2022-01-17 18:35:29.081737: [APP] App version: 1.0.15 (26)
> 2022-01-17 18:36:22.662281: [APP] startActivation: Entering (tunnel: VPN X)
> 2022-01-17 18:36:23.490825: [APP] Unable to open config from keychain: -25300
> 2022-01-17 18:36:23.491058: [APP] startActivation: Starting tunnel
> 2022-01-17 18:36:23.491288: [APP] startActivation: Success
> 2022-01-17 18:36:23.497349: [APP] Tunnel 'VPN X' connection status changed to 'connecting'
> 2022-01-17 18:36:23.582298: [APP] Unable to open config from keychain: -25300
> 2022-01-17 18:36:28.491285: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connecting'.
> 2022-01-17 18:36:29.517132: [APP] Unable to open config from keychain: -25300
> 
> -Tunnel config is removed:
> 2022-01-17 18:38:47.127836: [APP] App version: 1.0.15 (26)
> 2022-01-17 18:38:47.337355: [APP] Removing orphaned tunnel with non-verifying keychain entry: VPN X
> 
> -Tunnel now fails with same config (imported or manually entered)
> 2022-01-17 18:39:51.924221: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connected'.
> 2022-01-17 18:39:52.248987: [NET] peer(ZY6x…1ZBc) - Sending handshake initiation
> 2022-01-17 18:39:57.410547: [NET] peer(ZY6x…1ZBc) - Handshake did not complete after 5 seconds, retrying (try 2)
> 2022-01-17 18:39:57.410877: [NET] peer(ZY6x…1ZBc) - Sending handshake initiation
> 2022-01-17 18:39:57.411226: [NET] peer(ZY6x…1ZBc) - Failed to send handshake initiation: write udp4 0.0.0.0:52982-><server ip>:443: sendto: broken pipe
> […]
> 2022-01-17 18:40:00.396146: [APP] Tunnel 'VPN X' connection status changed to 'disconnected'
> 2022-01-17 18:41:27.735004: [APP] Tunnel 'VPN X' connection status changed to ‘invalid'
> 
> 
> —Richard
> 


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-02-14 13:55 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-17 19:49 [macOS] possible bug Richard Werner
2022-01-25 16:47 ` Perry The Cynic

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).