Re: Unexpected experience of site-to-site wireguard tunneling‏‏

Development discussion of WireGuard
 help / color / mirror / Atom feed

From: "حامد صابر" <hsaber@gmail.com>
To: John Lauro <johnalauro@gmail.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Unexpected experience of site-to-site wireguard tunneling‏‏
Date: Thu, 2 Sep 2021 08:47:25 +0430	[thread overview]
Message-ID: <CAECraRpLYEkAm+g1dg6X9RJLEDx=nOs=gPQvT_CjxwjXSbhDOw@mail.gmail.com> (raw)
In-Reply-To: <CADGd2Dp0S5_=bPQDnRsamvraJZ5BeVV1eWh98js3wATXodfQcQ@mail.gmail.com>

-Thanks for reply.
For test reasons, I turned the firewall off on my middle-node server.
But I can't understand how this issue may be related to firewall,
because most of the time it works (and to me it means firewall is Ok),
but sometime for some unknown reason it stops working, which when I
restart the wg1 interface with this command everything comes back to
life:
wg-quick down wg1 && wg-quick up wg1

BTW here it is the firewall status of middle-node:
==================
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service;
disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
-----------------------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-----------------------------------

And the firewall status of exit-node:
====================
Unit firewalld.service could not be found.
---------------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:50842
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
---------------------
Regards

‫‪John Lauro‬‏ <‪johnalauro@gmail.com‬‏> در تاریخ چهارشنبه ۱ سپتامبر
۲۰۲۱ ساعت ۲۱:۵۱ نوشت:‬
>
> Just a guess, but I would be suspicious about connection tracking causing the issue.  What are your firewall rules?
>
> ‪On Wed, Sep 1, 2021 at 9:51 AM ‫حامد صابر‬‎ <hsaber@gmail.com> wrote:‬
>>
>> Dear friends,
>> I have configured 3 wireguard interfaces on 2 servers to act as a
>> chained VPN for me (to bypass the internet censorship in my country),
>> with this schema:
>>
>> client -- wg0 on middle-node -- wg1 on middle node -- wg2 on exit node
>> (to free internet)
>>
>> Everything works fine, but after a while, the connection between wg1
>> and wg2 drops and I can't find the reason. The connection comes back
>> to action by simply switching the wg1 down and up again using
>> wg-quick. And the amazing behaviour is that sometimes the connection
>> comes back to work automatically  after some random time passes,
>> without any actions from my side (sometimes after a few tens of
>> minutes, sometimes after a few hours).
>> When the wg1-wg2 connection is not working, anything else between 2
>> servers (middle-node and exit-node) works fine. I mean I can ping the
>> public IP of each server from another part, but the local wireguard ip
>> of none of them are accessible.
>>
>> I tried to monitor the situation and read the logs but couldn't find
>> what is happening here, so please help!
>>
>> The configuration:
>> ======================
>>
>> client (my mobile phone):
>> -------------------------------------------
>> [Interface]
>> Address = 10.10.20.2/32
>> PrivateKey =  <private key of client>
>> DNS = 10.10.10.1
>>
>> ### Middle Node
>> [Peer]
>> PublicKey =  <public key of wg0>
>> PresharedKey =  <preshared key>
>> AllowedIPs = 0.0.0.0/0
>> Endpoint = middle-node:50842
>> ======================
>>
>> wg0 (in middle-node server):
>> -------------------------------------------
>> [Interface]
>> Address = 10.10.20.1/24
>> ListenPort = 50842
>> PrivateKey =  <private key of wg0>
>>
>> ### Client
>> [Peer]
>> PublicKey =  <public key of client>
>> PresharedKey =  <preshared key>
>> AllowedIPs = 10.10.20.2/32
>> ======================
>>
>> wg1 (again in middle-node server):
>> -------------------------------------------
>> [Interface]
>> Address = 10.10.10.2/32
>> PrivateKey =  <private key of wg1>
>>
>> PostUp = ip route add default dev wg1 table middle
>> PostUp = ip rule add iif wg0 lookup middle
>> PostUp = wg set wg1 peer <publickey of wg2 (in exit-node)> allowed-ips 0.0.0.0/0
>>
>> PreDown = ip route del default dev wg1 table middle
>> PreDown = ip rule del iif wg0 lookup middle
>>
>> ### Exit Node
>> [Peer]
>> PublicKey =  <publickey of wg2 (in exit-node)>
>> PresharedKey =  <preshared key>
>> AllowedIPs = 10.10.10.1/32
>> Endpoint = exit-node:50842
>> PersistentKeepalive = 25
>> ======================
>>
>> wg2 (in exit-node server):
>> -------------------------------------------
>> [Interface]
>> Address = 10.10.10.1/24
>> ListenPort = 50842
>> PrivateKey =  <private key of wg2>
>>
>> PostUp   = iptables -A FORWARD -i eth0 -o wg2 -j ACCEPT
>> PostUp   = iptables -A FORWARD -i wg2 -j ACCEPT
>> PostUp   = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> PostDown = iptables -D FORWARD -i eth0 -o wg2 -j ACCEPT
>> PostDown = iptables -D FORWARD -i wg2 -j ACCEPT
>> PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>
>> ### Middle Node
>> [Peer]
>> PublicKey =  <publickey of wg1 (in middle-node)>
>> PresharedKey =  <preshared key>
>> AllowedIPs = 10.0.0.0/8
>> ======================
>> ======================
>> ======================
>>
>> Sample log of dmesg when the wg1-wg2 connection is not working:
>> -------------------------------------------
>> [Wed Sep  1 11:19:32 2021] wireguard: wg1: Sending keepalive packet to
>> peer 12 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:19:44 2021] wireguard: wg0: Sending keepalive packet to
>> peer 8 (~client-ip~:65323)
>> [Wed Sep  1 11:19:44 2021] wireguard: wg1: Receiving keepalive packet
>> from peer 12 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:20:09 2021] wireguard: wg0: Receiving handshake
>> initiation from peer 8 (~client-ip~:65323)
>> [Wed Sep  1 11:20:09 2021] wireguard: wg0: Sending handshake response
>> to peer 8 (~client-ip~:65323)
>> [Wed Sep  1 11:20:09 2021] wireguard: wg0: Keypair 2867 destroyed for peer 8
>> [Wed Sep  1 11:20:09 2021] wireguard: wg0: Keypair 2871 created for peer 8
>> [Wed Sep  1 11:20:09 2021] wireguard: wg0: Receiving keepalive packet
>> from peer 8 (~client-ip~:65323)
>> [Wed Sep  1 11:21:19 2021] wireguard: wg0: Sending keepalive packet to
>> peer 8 (~client-ip~:65323)
>> [Wed Sep  1 11:21:24 2021] wireguard: wg1: Retrying handshake with
>> peer 12 (~exit-node-ip~:50842) because we stopped hearing back after
>> 15 seconds
>> [Wed Sep  1 11:21:24 2021] wireguard: wg1: Sending handshake
>> initiation to peer 12 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:21:30 2021] wireguard: wg1: Handshake for peer 12
>> (~exit-node-ip~:50842) did not complete after 5 seconds, retrying (try
>> 2)
>> ======================
>>
>> Sample log of dmesg when the wg1-wg2 connection is coming back using
>> manual restart:
>> -------------------------------------------
>> [Wed Sep  1 11:45:52 2021] wireguard: wg1: Sending handshake
>> initiation to peer 12 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:45:52 2021] wireguard: wg0: Sending keepalive packet to
>> peer 8 (~client-ip~:2335)
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Handshake for peer 12
>> (~exit-node-ip~:50842) did not complete after 5 seconds, retrying (try
>> 3)
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Sending handshake
>> initiation to peer 12 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Keypair 2878 destroyed for peer 12
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Peer 12
>> (~exit-node-ip~:50842) destroyed
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Interface destroyed
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Interface created
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Peer 13 created
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Sending keepalive packet to
>> peer 13 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Sending handshake
>> initiation to peer 13 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Receiving handshake
>> response from peer 13 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:45:58 2021] wireguard: wg1: Keypair 2881 created for peer 13
>> [Wed Sep  1 11:46:12 2021] wireguard: wg0: Receiving keepalive packet
>> from peer 8 (~client-ip~:2335)
>> [Wed Sep  1 11:46:14 2021] wireguard: wg1: Receiving keepalive packet
>> from peer 13 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:46:27 2021] wireguard: wg0: Sending keepalive packet to
>> peer 8 (~client-ip~:2335)
>> [Wed Sep  1 11:46:28 2021] wireguard: wg1: Receiving keepalive packet
>> from peer 13 (~exit-node-ip~:50842)
>> [Wed Sep  1 11:46:52 2021] wireguard: wg1: Receiving keepalive packet
>> from peer 13 (~exit-node-ip~:50842)
>>
>>
>> Thanks in advance for your kind help

next prev parent reply	other threads:[~2021-09-02  4:20 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CAECraRrhiAZQfZjSc0Auhby0Z+G0jSfNeapgDnfQ6=NT8p7q5Q@mail.gmail.com>
2021-09-01  9:03 ` حامد صابر
     [not found]   ` <CADGd2Dp0S5_=bPQDnRsamvraJZ5BeVV1eWh98js3wATXodfQcQ@mail.gmail.com>
2021-09-02  4:17     ` حامد صابر [this message]
2021-09-03  4:09       ` حامد صابر
2021-09-04 16:55         ` حامد صابر
2021-09-21  4:26           ` حامد صابر

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAECraRpLYEkAm+g1dg6X9RJLEDx=nOs=gPQvT_CjxwjXSbhDOw@mail.gmail.com' \
    --to=hsaber@gmail.com \
    --cc=johnalauro@gmail.com \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).