From: Yousong Zhou <yszhou4tech@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Flood ping can cause oom when handshake fails
Date: Fri, 22 Sep 2017 20:58:22 +0800 [thread overview]
Message-ID: <CAECwjAgRyK0T3vtBUzR1P-d--vdEDS=Jj-nFWHx1=7ivEd6Zvw@mail.gmail.com> (raw)
Hi, I have encountered a few issues when running WireGuard on VoCore:
a small ramips device with 16MB flash and 32MB ram
(https://wiki.openwrt.org/toh/vocore/vocore).
root@LEDE:/# uname -a
Linux LEDE 4.9.49 #0 Fri Sep 15 05:14:29 2017 mips GNU/Linux
root@LEDE:/# opkg list-installed | grep -i wireguard
kmod-wireguard - 4.9.49+0.0.20170907-1
luci-app-wireguard - git-17.259.19938-f36f198-1
luci-proto-wireguard - git-17.259.19938-f36f198-1
wireguard - 0.0.20170907-1
wireguard-tools - 0.0.20170907-1
root@LEDE:/# wg show
interface: air
public key: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
private key: (hidden)
listening port: 21841
peer: ffffffffffffffffffffffffffffffffffffffffffff
endpoint: iiiiiiiiiiii:ppppp
allowed ips: 0.0.0.0/0
latest handshake: 4 minutes, 35 seconds ago
transfer: 520 B received, 872 B sent
WAN is a wired vlan interface: eth0.1 bearing the default route.
Traffics will be marked by iptable rules and routed through wireguard
interface with simple policy routing rules. The setup works quite
well on another ar71xx-based device (in case it matters, the wan
interface is a regular device eth1).
The first issue is that occasionally wireguard failed to send
handshake initiation packets to the remote. I got to this conclusion
by two observations
- Tearing down then bringing up ("ifup air") the local wireguard
device did not trigger the update of "latest handshake" timestamp on
the remote
- Wireguard packets can be captured on eth0.1 but not on the remote
The second issue is that when handshake fails, flood ping traffic that
was expected to be forwarded through the wireguard interface can cause
oom and hang the device to death. There is a [kworker] process taking
up high cpu usage.
WireGuard is a very nice and convenient solution. If there are any
further steps/info required to debug this, I am all ready ;)
yousong
next reply other threads:[~2017-09-22 12:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-22 12:58 Yousong Zhou [this message]
2017-09-22 13:19 ` Jason A. Donenfeld
2017-09-22 13:38 ` Yousong Zhou
2017-10-23 9:52 ` Yousong Zhou
[not found] ` <59e5680d-da17-a8c4-0c16-08f0b27a4f75@gmail.com>
[not found] ` <CAECwjAgTb1qtiUabMBbg_6cnA+V0YQLd=316o_QU25Ffkxn4ow@mail.gmail.com>
2017-09-22 13:53 ` Fwd: " Yousong Zhou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAECwjAgRyK0T3vtBUzR1P-d--vdEDS=Jj-nFWHx1=7ivEd6Zvw@mail.gmail.com' \
--to=yszhou4tech@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).