Development discussion of WireGuard
From: Wang Jian <larkwang@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Multihomed server issue
Date: Fri, 28 Jul 2017 08:51:35 +0800
Message-ID: <CAF75rJBdfeD-7MpDGfFBV=bLbm0-H--mFin30QL9jDmpd4z1jw@mail.gmail.com>

Hi,

I have met a multihomed server issue with an unusual network setup.

The server is multihomed, all public addresses are configured on
dummyN interfaces,
and routes are established by bird routing daemon, via address pairs
(172.16.xx.xx/30) on public network interface.

And, the default route is via private gateway on private interface
(10.x.x.x), which actually will be NATed by dedicated NAT gateway.

(The server has two network interfaces, one for the private network, one
for the public network)

The configuration is the simplest form:  server has [Interface]
ListenPort, while client has [Peer] Endpoint but no [Interface]
ListenPort.

The problem is

1. when wg0 on both sides is brought up at the same time, pinging the server
from the client doesn't get a response; but then pinging the client from the server
will make the tunnel alive. The tunnel will keep alive any longer.

From 'wg' command output on the client, it's clear that the peer Endpoint is
the NAT gateway pool address, not the one specified in the config file

2. After 1, down and up the client wg0, the tunnel stops working; even pinging
the client from the server doesn't help

3. After some time, pinging the client from the server will make the tunnel alive again.

====

IMHO, the reason behind that is

1. when the client contacts the server, the server remembers the client's
endpoint, but the handshake will fail because the server responds using
10.x.x.x (which is then NATed). But when pinging the client from the server, the server
will use the remembered client endpoint, and the client can finish the handshake.

Beware that I can do nothing to help the server choose the correct
public address. The server will use the best route to deduce the UDP source
address, in my case, 10.x.x.x or 172.16.xx.xx/30, which doesn't help
the situation.

2. when the client wg0 goes down and up again, the server will not do the handshake

3. after some time, the server will do the handshake, and things work again

====

The solution can be one of:

1. the server can RTS (respond to source), or can bind to an arbitrary
address for outgoing packets
2. improve the handshake
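The "respond to source" option in point 1 is the general fix for the failure described in this message: a UDP socket bound to all addresses lets routing pick the source address of its replies (here the 10.x.x.x default route), so the reply leaves from an address the client never sent to. The following added example is not WireGuard code and not from this thread; it is a small Linux-only demonstration of the technique using IP_PKTINFO. The server asks the kernel which local address each datagram was sent to, then pins the reply's source to that address with a matching IP_PKTINFO ancillary message. It uses 127.0.0.1 and 127.0.0.2 (both local on lo) as stand-ins for the "default-route" and "public" addresses, and `exchange` is a helper written for this example: it returns the source address the client saw on the reply beside the address it originally sent to, so the mismatch of the naive reply and the match of the respond-to-source reply are both visible.

```python
"""Respond-to-source UDP replies on a multihomed host (added example, not WireGuard code).

Linux-specific: the IP_PKTINFO control message carries struct in_pktinfo,
which is {ipi_ifindex (int), ipi_spec_dst (in_addr), ipi_addr (in_addr)}.
On receive, ipi_addr is the destination address of the datagram; on send,
ipi_spec_dst selects the source address of the outgoing datagram.
"""
import socket
import struct

# Exposed by the socket module on Linux; 8 is the Linux value as a fallback.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "I4s4s"                       # ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)  # 12 bytes

# Constructed stand-ins for the addresses in the post: routing prefers
# 127.0.0.1 for loopback replies (the "10.x.x.x default route" role), while
# 127.0.0.2 plays the public address the client actually sends to.
PUBLIC_ADDR = "127.0.0.2"


def make_server(port=0):
    """UDP socket bound to all addresses that asks the kernel for each datagram's destination."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", port))
    s.settimeout(2)
    return s


def recv_with_dst(sock):
    """Return (payload, peer, local_dst); local_dst is the address the datagram was sent to."""
    data, ancdata, _flags, peer = sock.recvmsg(65535, socket.CMSG_SPACE(PKTINFO_LEN))
    local_dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            local_dst = socket.inet_ntoa(addr)
    return data, peer, local_dst


def reply_naive(sock, data, peer):
    """What a plain sendto() does: the routing table chooses the source address."""
    sock.sendto(data, peer)


def reply_to_source(sock, data, peer, local_dst):
    """Pin the reply's source address to the one the request arrived on (the 'RTS' behaviour)."""
    pktinfo = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(local_dst), b"\x00" * 4)
    sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def exchange(server_addr, use_pktinfo):
    """One request/reply round trip.

    Returns (source address the client saw on the reply, address the request was sent to).
    With use_pktinfo=False the two differ on a multihomed host; with True they match.
    """
    server = make_server()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    try:
        port = server.getsockname()[1]
        client.sendto(b"ping", (server_addr, port))
        data, peer, local_dst = recv_with_dst(server)
        if use_pktinfo:
            reply_to_source(server, data, peer, local_dst)
        else:
            reply_naive(server, data, peer)
        _reply, src = client.recvfrom(65535)
        return src[0], local_dst
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print("naive reply  (source seen, address sent to):", exchange(PUBLIC_ADDR, False))
    print("respond-to-source (source seen, address sent to):", exchange(PUBLIC_ADDR, True))
```

Run as-is on a Linux host: the naive exchange reports a reply from 127.0.0.1 although the client sent to 127.0.0.2, which is the same class of mismatch that makes the client in this message record the NAT pool address as its endpoint; the IP_PKTINFO exchange reports 127.0.0.2 on both sides. The same ancillary-data approach (IPV6_PKTINFO on AF_INET6) is how a single wildcard-bound UDP socket can serve several addresses without binding one socket per address.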


Thread overview: 18+ messages
2017-07-28  0:51 Wang Jian [this message]
2017-07-31 15:34 ` Jason A. Donenfeld
2017-08-01  2:01   ` Wang Jian
2017-08-01  3:06     ` Jason A. Donenfeld
2017-08-01 11:28       ` Wang Jian
2017-08-03  3:00         ` Wang Jian
2017-08-03 12:59           ` Jason A. Donenfeld
2017-08-03 18:38             ` Wang Jian
2017-08-10 14:29               ` Jason A. Donenfeld
2017-08-10 18:43                 ` Jason A. Donenfeld
2017-08-10 21:17                   ` Jan De Landtsheer
2017-08-10 22:16                 ` Baptiste Jonglez
2017-08-10 23:50                   ` Jason A. Donenfeld
2017-08-12  1:55                     ` Jason A. Donenfeld
2017-08-12 16:08                 ` Wang Jian
2017-09-07 21:28                   ` Jason A. Donenfeld
2017-09-09  8:26                     ` Wang Jian
2017-09-20 13:15                       ` Jason A. Donenfeld