Development discussion of WireGuard
* wireguard-freebsd handshaking issue upon underlying WAN
@ 2021-10-25 17:17 Ryan Roosa
  2021-10-26  9:29 ` Jason A. Donenfeld
  0 siblings, 1 reply; 5+ messages in thread
From: Ryan Roosa @ 2021-10-25 17:17 UTC (permalink / raw)
  To: wireguard

Hello,
First off, I want to say thank you for the FreeBSD kernel module work
as it is greatly appreciated by myself and many others running *sense
firewalls :)

Generally wireguard-freebsd (wireguard-kmod 0.0.20210606_1) is running
quite well in my experience; however, there is one issue which I have
been able to reproduce consistently: when the underlying WAN
connection that a tunnel is using is disrupted for the span of time
amounting to two missed handshake attempts (~4-5 minutes given the ~2
minute average of handshake attempts), the tunnel will never handshake
again upon subsequent WAN restoration. This is the case even if one
resets the tunnel with 'wg-quick down ; wg-quick up' or restarts the
underlying OS (tried with both the latest stable versions of pfSense
and OPNSense community). For reference I am using a keep alive value
of 30 seconds in this scenario.

The only thing I've been able to do to get an existing tunnel
configuration handshaking with a peer endpoint again after its
Internet connection has been disrupted (outside of a complete removal
and rebuild) is to arbitrarily change the configured tunnel's
listening port (ex. 51820 to 51821 etc.). Upon saving and application
of the port change, the tunnel then handshakes with the peer endpoint
again immediately.

Given the symptom, it seems there may be some issue surrounding tunnel
handshaking resiliency when the underlying WAN drops out unexpectedly
for an extended period. If there is any way to look into this to
improve upon it so that after a 5+ minute internet outage a tunnel
could resume handshaking on its own without manual intervention, this
would be greatly appreciated.

I've got a 'bandaid' script running every 5 minutes currently which
checks the peer's handshake age and then changes the tunnel listen
port arbitrarily to restore connectivity then changes it back after 5
minutes of successful handshaking but obviously this is less than
ideal. As an additional data point I found if I switched the port and
tried to switch it back before another 5 minutes had passed, it would
stop handshaking again so there seems to be something special around
the 5 minute number regarding handshakes. Not sure if this is helpful
or not but thought I would include it.

Thank you in advance for looking into this and if there is any
additional information I can provide which may be of assistance I
would be happy to provide it.

Cheers,
Ryan Roosa

^ permalink raw reply	[flat|nested] 5+ messages in thread
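
Added example, not part of the original message and not the script Ryan describes: a detection-only check for the symptom reported above, which flags peers whose latest handshake is older than a threshold. It parses the `wg show <interface> latest-handshakes` format; the interface name `wg0`, the 300-second threshold (taken from the 5-minute figure in the report) and the sample peer keys are assumptions.

```shell
#!/bin/sh
# Flag WireGuard peers whose latest handshake is too old.
# Input format is that of `wg show <interface> latest-handshakes`:
#   <peer public key><TAB><unix time of latest handshake, 0 = never>

# stale_peers NOW MAX_AGE
# Reads handshake lines on stdin, prints "<key> <age in seconds|never>"
# for every peer that has never handshaken or exceeds MAX_AGE.
stale_peers() {
    awk -v now="$1" -v max="$2" '
        NF != 2 || $2 !~ /^[0-9]+$/ { next }           # skip malformed lines
        $2 == 0        { print $1, "never"; next }     # no handshake yet
        now - $2 > max { print $1, now - $2 }          # handshake too old
    '
}

# Constructed sample (placeholder keys, not real peers); "now" is 1635182220.
sample_output() {
    printf 'PEER_A_PUBKEY_PLACEHOLDER=\t1635182200\n'  # 20 s ago: healthy
    printf 'PEER_B_PUBKEY_PLACEHOLDER=\t1635181900\n'  # 320 s ago: stale
    printf 'PEER_C_PUBKEY_PLACEHOLDER=\t0\n'           # never handshaken
}

# On a live system (assumed interface name wg0):
#   wg show wg0 latest-handshakes | stale_peers "$(date +%s)" 300
sample_output | stale_peers 1635182220 300
```

Run from cron, any output from this check can feed an alert, so a tunnel that has stopped handshaking after a WAN outage is noticed.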

* Re: wireguard-freebsd handshaking issue upon underlying WAN
  2021-10-25 17:17 wireguard-freebsd handshaking issue upon underlying WAN Ryan Roosa
@ 2021-10-26  9:29 ` Jason A. Donenfeld
  2021-10-27 23:45   ` Ryan Roosa
  0 siblings, 1 reply; 5+ messages in thread
From: Jason A. Donenfeld @ 2021-10-26  9:29 UTC (permalink / raw)
  To: Ryan Roosa; +Cc: WireGuard mailing list, Kyle Evans

Hi Ryan,

Thanks for the report. Kyle saw your reddit post earlier and tracked
this down, I think/hope, to a bug in the state machine cranking. I
committed the fix here -- https://w-g.pw/l/yQTw -- which will be part
of the next snapshot. Hopefully that will fix the issue, but if it
doesn't, please do update this thread so we can keep searching.

Regards,
Jason

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: wireguard-freebsd handshaking issue upon underlying WAN
  2021-10-26  9:29 ` Jason A. Donenfeld
@ 2021-10-27 23:45   ` Ryan Roosa
  2021-11-09 17:19     ` Ryan Roosa
  0 siblings, 1 reply; 5+ messages in thread
From: Ryan Roosa @ 2021-10-27 23:45 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list, Kyle Evans

Hi Jason,
Thank you very much for this! I received word from the OPNSense team
that the referenced snapshot should be made available in OPNSense
21.7.5. I will test and provide feedback just as soon as I can get on
the aforementioned OPNSense release which includes the fix.

Cheers,
-Ryan

On Tue, Oct 26, 2021 at 5:29 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi Ryan,
>
> Thanks for the report. Kyle saw your reddit post earlier and tracked
> this down, I think/hope, to a bug in the state machine cranking. I
> committed the fix here -- https://w-g.pw/l/yQTw -- which will be part
> of the next snapshot. Hopefully that will fix the issue, but if it
> doesn't, please do update this thread so we can keep searching.
>
> Regards,
> Jason

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: wireguard-freebsd handshaking issue upon underlying WAN
  2021-10-27 23:45   ` Ryan Roosa
@ 2021-11-09 17:19     ` Ryan Roosa
  2021-11-10  6:36       ` Kyle Evans
  0 siblings, 1 reply; 5+ messages in thread
From: Ryan Roosa @ 2021-11-09 17:19 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list, Kyle Evans

Just wanted to provide some feedback that pfSense development
snapshots of 2.6.0 running WireGuard package v0.1.5_2 include the fix
and there I have validated that removing WAN connectivity at various
intervals up to 10 minutes no longer impacts subsequent handshaking
once the connection is restored. I have not yet tested on OPNSense but
I imagine the results will match once I do (if not I will reach out).
Thanks to everyone for their efforts on resolving this one, I really
appreciate it.

-Ryan

On Wed, Oct 27, 2021 at 7:45 PM Ryan Roosa <ryanroosa@gmail.com> wrote:
>
> Hi Jason,
> Thank you very much for this! I received word from the OPNSense team
> that the referenced snapshot should be made available in OPNSense
> 21.7.5. I will test and provide feedback just as soon as I can get on
> the aforementioned OPNSense release which includes the fix.
>
> Cheers,
> -Ryan
>
> On Tue, Oct 26, 2021 at 5:29 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > Hi Ryan,
> >
> > Thanks for the report. Kyle saw your reddit post earlier and tracked
> > this down, I think/hope, to a bug in the state machine cranking. I
> > committed the fix here -- https://w-g.pw/l/yQTw -- which will be part
> > of the next snapshot. Hopefully that will fix the issue, but if it
> > doesn't, please do update this thread so we can keep searching.
> >
> > Regards,
> > Jason

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: wireguard-freebsd handshaking issue upon underlying WAN
  2021-11-09 17:19     ` Ryan Roosa
@ 2021-11-10  6:36       ` Kyle Evans
  0 siblings, 0 replies; 5+ messages in thread
From: Kyle Evans @ 2021-11-10  6:36 UTC (permalink / raw)
  To: Ryan Roosa; +Cc: Jason A. Donenfeld, WireGuard mailing list

On Tue, Nov 9, 2021 at 11:19 AM Ryan Roosa <ryanroosa@gmail.com> wrote:
>
> On Wed, Oct 27, 2021 at 7:45 PM Ryan Roosa <ryanroosa@gmail.com> wrote:
> >
> > On Tue, Oct 26, 2021 at 5:29 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > >
> > > Hi Ryan,
> > >
> > > Thanks for the report. Kyle saw your reddit post earlier and tracked
> > > this down, I think/hope, to a bug in the state machine cranking. I
> > > committed the fix here -- https://w-g.pw/l/yQTw -- which will be part
> > > of the next snapshot. Hopefully that will fix the issue, but if it
> > > doesn't, please do update this thread so we can keep searching.
> > >
> > > Regards,
> > > Jason
> >
> > Hi Jason,
> > Thank you very much for this! I received word from the OPNSense team
> > that the referenced snapshot should be made available in OPNSense
> > 21.7.5. I will test and provide feedback just as soon as I can get on
> > the aforementioned OPNSense release which includes the fix.
> >
> > Cheers,
> > -Ryan
> >
>
> Just wanted to provide some feedback that pfSense development
> snapshots of 2.6.0 running WireGuard package v0.1.5_2 include the fix
> and there I have validated that removing WAN connectivity at various
> intervals up to 10 minutes no longer impacts subsequent handshaking
> once the connection is restored. I have not yet tested on OPNSense but
> I imagine the results will match once I do (if not I will reach out).
> Thanks to everyone for their efforts on resolving this one, I really
> appreciate it.
>
> -Ryan
>

That's good to hear, thanks for following up! :-)

Kyle Evans

^ permalink raw reply	[flat|nested] 5+ messages in thread
