Development discussion of WireGuard
* Multiple Clients behind NAT
@ 2021-01-13 20:14 Posegga, Joachim
  2021-01-14 10:53 ` Roman Mamedov
  2021-01-14 17:09 ` Riccardo Paolo Bestetti
  0 siblings, 2 replies; 6+ messages in thread
From: Posegga, Joachim @ 2021-01-13 20:14 UTC (permalink / raw)
  To: wireguard

Dear all,

I am trying to connect multiple wireguard clients behind the same NAT-Gateway to a Mikrotik server with a public IP. I am not yet sure where exactly the problem is, but it seems that only one client at a time can establish a tunnel. 

Is this a known problem due to the UDP transport, or should multiple clients behind a NAT work in principle? 

I understand from the documentation that the server looks at the public key of the incoming packet and identifies the client. The response sent back from the server then arrives at the NAT gateway, and it should map the target port to the correct client and forward it. However, I am not very familiar with UDP over NAT, so I am wondering if this usually works without problems. If this is the case, I would know that the problem is most likely on the side of the Mikrotik server.

Thanks,
	Joachim.


* Re: Multiple Clients behind NAT
  2021-01-13 20:14 Multiple Clients behind NAT Posegga, Joachim
@ 2021-01-14 10:53 ` Roman Mamedov
  2021-01-14 17:09 ` Riccardo Paolo Bestetti
  1 sibling, 0 replies; 6+ messages in thread
From: Roman Mamedov @ 2021-01-14 10:53 UTC (permalink / raw)
  To: Posegga, Joachim; +Cc: wireguard

On Wed, 13 Jan 2021 20:14:46 +0000
"Posegga, Joachim" <jp@sec.uni-passau.de> wrote:

> Dear all,
> 
> I am trying to connect multiple wireguard clients behind the same NAT-Gateway to a Mikrotik  server with a public IP. I am not yet sure where exactly the problem is, but it seems that only one client at a time can establish a tunnel. 
> 
> Is this a known problem due to the UDP transport, or should multiple clients behind a NAT work in principle? 
> 
> I understand from the documentation that the server looks at the public key of the incoming packet and identifies the client. The response sent back from the server then arrives at the NAT gateway, and it should map the target port to the correct client and forward it. However, I am not very familiar with UDP over NAT, so I am wondering if this usually works without problems. If this is the case, I would know that the problem is most likely on the side of the Mikrotik server.

The NAT router will rewrite outgoing UDP port of your clients' packets when
they try to connect to other peers; for two clients on the LAN-side trying to
send from the same port, it should change that to two separate UDP ports.
Therefore remote peers will see your two clients as being on the same global
IP, but using two different ports -- and that should work normally.

Check with tcpdump on your NAT's WAN interface what actual UDP packets it
sends out. The ports also might be very different from what you specified in
WG's config, so account for that in firewalling or routing rules on remote
sides.

-- 
With respect,
Roman
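
[Added illustration of the tcpdump check Roman suggests; this is constructed
example code, not part of the thread, WireGuard or RouterOS. The addresses,
the two captures and the server endpoint are made up for the example; the
148/92-byte handshake sizes are WireGuard's fixed wire sizes for the
initiation and response messages.]

```python
"""Given a tcpdump capture taken on the NAT's WAN interface, list the
external (ip, port) pairs the NAT actually uses toward the WireGuard server.
If fewer distinct pairs appear than there are clients, the NAT is not giving
each client its own external port and replies cannot be demultiplexed."""
import re
from collections import Counter

# Shape of a `tcpdump -ni <wan> udp and port 51820` line this parser handles:
#   20:14:01.000001 IP 203.0.113.5.51820 > 198.51.100.10.51820: UDP, length 148
TCPDUMP_UDP = re.compile(
    r"IP (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)

# Fixed on-the-wire sizes of WireGuard's handshake messages:
# initiation 148 bytes, response 92 bytes.
HANDSHAKE_INITIATION = 148
HANDSHAKE_RESPONSE = 92

SERVER = ("198.51.100.10", 51820)  # assumed public server endpoint

# Constructed WAN-side capture 1: two LAN clients, both with ListenPort=51820,
# behind a NAT that keeps the source port, so both appear as 203.0.113.5:51820.
CAPTURE_COLLAPSED = """\
20:14:01.000001 IP 203.0.113.5.51820 > 198.51.100.10.51820: UDP, length 148
20:14:01.000002 IP 198.51.100.10.51820 > 203.0.113.5.51820: UDP, length 92
20:14:03.000003 IP 203.0.113.5.51820 > 198.51.100.10.51820: UDP, length 148
20:14:03.000004 IP 198.51.100.10.51820 > 203.0.113.5.51820: UDP, length 92
"""

# Constructed WAN-side capture 2: same two clients behind a NAT that rewrites
# the second client's source port to a fresh one (here 1027).
CAPTURE_DEMUXED = """\
20:14:01.000001 IP 203.0.113.5.51820 > 198.51.100.10.51820: UDP, length 148
20:14:01.000002 IP 198.51.100.10.51820 > 203.0.113.5.51820: UDP, length 92
20:14:03.000003 IP 203.0.113.5.1027 > 198.51.100.10.51820: UDP, length 148
20:14:03.000004 IP 198.51.100.10.51820 > 203.0.113.5.1027: UDP, length 92
"""


def parse_udp(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port, length) for each UDP line."""
    for line in capture.splitlines():
        m = TCPDUMP_UDP.search(line)
        if m:
            d = m.groupdict()
            yield (d["sip"], int(d["sport"]), d["dip"], int(d["dport"]),
                   int(d["length"]))


def external_endpoints(capture, server=SERVER):
    """Count handshake initiations per external (ip, port) the server sees."""
    counts = Counter()
    for sip, sport, dip, dport, length in parse_udp(capture):
        if (dip, dport) == server and length == HANDSHAKE_INITIATION:
            counts[(sip, sport)] += 1
    return counts


def nat_demuxes_clients(capture, expected_clients, server=SERVER):
    """True if the NAT presents at least one distinct external endpoint per
    client; fewer endpoints than clients means replies are indistinguishable."""
    return len(external_endpoints(capture, server)) >= expected_clients


if __name__ == "__main__":
    for name, cap in (("collapsed", CAPTURE_COLLAPSED),
                      ("demuxed", CAPTURE_DEMUXED)):
        print(name, dict(external_endpoints(cap)),
              "ok" if nat_demuxes_clients(cap, 2) else "NAT collapsing clients")
```

The external ports seen here (51820 and 1027 in the constructed healthy case)
are what the server side has to match on, not the ListenPort configured on the
clients, which is the point about firewall and routing rules on the remote
side.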


* Re: Multiple Clients behind NAT
  2021-01-13 20:14 Multiple Clients behind NAT Posegga, Joachim
  2021-01-14 10:53 ` Roman Mamedov
@ 2021-01-14 17:09 ` Riccardo Paolo Bestetti
  2021-01-15 14:21   ` Maarten de Vries
  1 sibling, 1 reply; 6+ messages in thread
From: Riccardo Paolo Bestetti @ 2021-01-14 17:09 UTC (permalink / raw)
  To: Posegga, Joachim, wireguard

On Wed Jan 13, 2021 at 9:14 PM CET, Posegga, Joachim wrote:
> I am trying to connect multiple wireguard clients behind the same
> NAT-Gateway to a Mikrotik server with a public IP. I am not yet sure
> where exactly the problem is, but it seems that only one client at a
> time can establish a tunnel.

I don't know much about Mikrotik, but my guess is that it's not
randomizing source ports for packets egressing the NAT.

If that's the case, since WireGuard uses the same port for both source
and destination, and since your clients are all connecting to the same
server (and thus port), then your NAT can't demux incoming packets, and
it just sends them all to the same client. (It probably picks the first
one that sends egress packets, until it hits some inactivity time-out).

You should look into your Mikrotik configuration, looking for a flag to
enable source address randomization in NAT (it's sometimes called
"masquerading").

Riccardo



* Re: Multiple Clients behind NAT
  2021-01-14 17:09 ` Riccardo Paolo Bestetti
@ 2021-01-15 14:21   ` Maarten de Vries
  2021-01-15 15:22     ` Riccardo Paolo Bestetti
  0 siblings, 1 reply; 6+ messages in thread
From: Maarten de Vries @ 2021-01-15 14:21 UTC (permalink / raw)
  To: Riccardo Paolo Bestetti, Posegga, Joachim, wireguard


On 14-01-2021 18:09, Riccardo Paolo Bestetti wrote:
> On Wed Jan 13, 2021 at 9:14 PM CET, Posegga, Joachim wrote:
>> I am trying to connect multiple wireguard clients behind the same
>> NAT-Gateway to a Mikrotik server with a public IP. I am not yet sure
>> where exactly the problem is, but it seems that only one client at a
>> time can establish a tunnel.
> I don't know much about Mikrotik, but my guess is that it's not
> randomizing source ports for packets egressing the NAT.
>
> If that's the case, since WireGuard uses the same port for both source
> and destination, and since your clients are all connecting to the same
> server (and thus port), then your NAT can't demux incoming packets, and
> it just sends them all to the same client. (It probably picks the first
> one that sends egress packets, until it hits some inactivity time-out).

WireGuard doesn't have to use the same local port for all clients. In 
fact, if you don't give a ListenPort explicitly, an ephemeral port is 
assigned. This could theoretically still conflict between clients on 
different machines, but it is unlikely to happen in practice.

If NAT is broken, it should be fixed anyway, but letting WireGuard use 
ephemeral ports would also likely solve the problem in practice.


Kind regards,

Maarten
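
[Added toy model of the demux failure Riccardo describes and of the two fixes
discussed in this thread, a NAT that allocates distinct external ports and
clients without a fixed ListenPort; this is constructed example code, not
from the thread, WireGuard or RouterOS. The addresses, the ephemeral port
range, and the NAT behaviour (port preserving, keyed on external port only)
are simplifying assumptions for illustration.]

```python
"""Model two WireGuard clients behind one source NAT and check whether the
server's handshake response gets back to the host that sent the initiation."""
import random

PUBLIC_IP = "203.0.113.5"            # assumed public address of the NAT
SERVER = ("198.51.100.10", 51820)    # assumed WireGuard server endpoint
EPHEMERAL_RANGE = (32768, 60999)     # assumed ephemeral range (Linux default)


class Nat:
    """Source NAT that prefers to keep the LAN source port ("port preserving").

    reallocate_on_conflict=True : correct NAT, picks a fresh external port when
                                  the preferred one is already bound.
    reallocate_on_conflict=False: suspected broken behaviour, a second LAN host
                                  simply takes over the existing binding.
    Simplification: bindings are keyed on external (ip, port) only, not on the
    remote endpoint as a real symmetric NAT would do.
    """

    def __init__(self, reallocate_on_conflict):
        self.reallocate = reallocate_on_conflict
        self.table = {}          # external (ip, port) -> (lan_ip, lan_port)
        self.next_port = 1024

    def outbound(self, lan_ip, lan_port):
        """Translate an outgoing packet; return the external (ip, port) used."""
        for ext, lan in self.table.items():
            if lan == (lan_ip, lan_port):
                return ext                       # reuse existing binding
        ext = (PUBLIC_IP, lan_port)              # preferred: keep the port
        if ext in self.table and self.reallocate:
            while (PUBLIC_IP, self.next_port) in self.table:
                self.next_port += 1
            ext = (PUBLIC_IP, self.next_port)
        self.table[ext] = (lan_ip, lan_port)     # broken NAT overwrites here
        return ext

    def inbound(self, ext):
        """LAN endpoint that receives a reply addressed to external ext."""
        return self.table.get(ext)


def handshake_round(nat, clients, rng=random):
    """clients: name -> (lan_ip, ListenPort or None for an ephemeral port).
    Each client sends one handshake initiation; the server answers to the
    external endpoint it saw.  Returns the names whose response reached the
    host that sent the initiation."""
    sent = {}
    for name, (lan_ip, port) in clients.items():
        if port is None:
            port = rng.randint(*EPHEMERAL_RANGE)   # no ListenPort configured
        sent[name] = (lan_ip, port, nat.outbound(lan_ip, port))
    delivered = set()
    for name, (lan_ip, port, ext) in sent.items():
        if nat.inbound(ext) == (lan_ip, port):
            delivered.add(name)
    return delivered


FIXED_PORT_CLIENTS = {"A": ("192.168.1.10", 51820), "B": ("192.168.1.11", 51820)}
EPHEMERAL_CLIENTS = {"A": ("192.168.1.10", None), "B": ("192.168.1.11", None)}


def run_scenarios(seed=7):
    """The three cases from the thread, with a seeded RNG for reproducibility."""
    rng = random.Random(seed)
    return {
        "broken NAT, ListenPort=51820 on both": handshake_round(Nat(False), FIXED_PORT_CLIENTS),
        "fixed NAT, ListenPort=51820 on both": handshake_round(Nat(True), FIXED_PORT_CLIENTS),
        "broken NAT, no ListenPort (ephemeral)": handshake_round(Nat(False), EPHEMERAL_CLIENTS, rng),
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: responses delivered to {sorted(ok)}")
```

In the first scenario only the client that sent last gets answers, which is the
"one client at a time" symptom; either fix on its own restores both. Ephemeral
ports only make a collision unlikely rather than impossible, so the NAT is
still worth fixing.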



* Re: Multiple Clients behind NAT
  2021-01-15 14:21   ` Maarten de Vries
@ 2021-01-15 15:22     ` Riccardo Paolo Bestetti
  2021-01-15 19:49       ` Posegga, Joachim
  0 siblings, 1 reply; 6+ messages in thread
From: Riccardo Paolo Bestetti @ 2021-01-15 15:22 UTC (permalink / raw)
  To: Maarten de Vries, Posegga, Joachim, wireguard

On Fri Jan 15, 2021 at 3:21 PM CET, Maarten de Vries wrote:
> WireGuard doesn't have to use the same local port for all clients. In
> fact, if you don't give a ListenPort explicitly, an ephemeral port is
> assigned. This could theoretically still conflict between clients on
This is correct. I mistakenly thought that, by default, WireGuard used
the target port as a source port as well (when available). Ephemeral
makes more sense & is also what really happens.

So yes, Joachim should both fix the NAT and drop ListenPort from his
clients.

Riccardo



* RE: Multiple Clients behind NAT
  2021-01-15 15:22     ` Riccardo Paolo Bestetti
@ 2021-01-15 19:49       ` Posegga, Joachim
  0 siblings, 0 replies; 6+ messages in thread
From: Posegga, Joachim @ 2021-01-15 19:49 UTC (permalink / raw)
  To: Riccardo Paolo Bestetti, Maarten de Vries, wireguard

Thanks to all who responded. The setup is hard to debug, since the clients behind NAT are on the other side of the globe and I am configuring and debugging via Layer 8 ;-).

Meanwhile I created the client configurations and configured the Mikrotik server from scratch again; it now provides a separate wireguard interface for each client, and each client now uses a different target port on the server. I have some doubts if this really addresses the source of the problem, and it is certainly not very elegant, but it does the trick for now. The Mikrotik implementation is still a beta, so you cannot expect a stable server.

Best,
	Joachim.

