Development discussion of WireGuard
* wireguard-windows: client forgets after restart that there was an activated tunnel before and won't activate said tunnel anymore
From: Denis Brodbeck @ 2021-07-06  6:18 UTC (permalink / raw)
  To: wireguard

Dear WireGuard-Community,

TL;DR: wireguard forgets after restart that there was an activated tunnel before and won't activate said tunnel anymore unless an admin intervenes

I've deployed wireguard-windows on 50 domain-joined Windows 10 (20H1 x64) notebooks (WireGuard versions range from v0.3.14 - v.03.16) and need your assistance resolving some mysterious behavior.

Some of my users are experiencing random connectivity losses (this example here is the only time I witnessed said behaviour myself):
- admin sets up and activates '20_EPNBLE-04' tunnel config
- service 'WireGuardManager' runs
- service 'WireGuardTunnel$20_EPNBLE-04' runs
- everything is fine for days/weeks -- users reboot usually daily
- user reboots / comes back from weekend
- service 'WireGuardManager' runs
- service 'WireGuardTunnel$20_EPNBLE-04' does not exist
- config '20_EPNBLE-04.conf.dpapi' under 'C:\Program Files\WireGuard\Data\Configurations' still exists, it's just not active any more
- config '20_EPNBLE-04.conf.dpapi' *stays* inactive (multiple reboots), unless an admin re-activates it via WireGuard UI

My 99% windows environment:
- users have no admin privileges
- 'LimitedOperatorUI' is disabled, so users have no privileges to mess with network or wireguard config or tunnel state
- all clients have the 'Windows Baseline Security' applied
- each notebook has a unique config file (above example: 20_EPNBLE-04)
- that config has been enabled via wireguard UI (before deployment by an administrative account) and works
- that tunnel works 99%, but sometimes, just sometimes, the tunnel service is gone after reboot
- I can't spot a pattern to which or when a client loses connectivity
- Most clients have no issues whatsoever, but maybe 20% of those clients had the previously described vpn tunnel loss, but until now no client had this issue twice
- WireGuard log doesn't show anything interesting, because that config file is obviously inactive, and after I click 'Activate' the tunnel works instantly

I read (parts of) the source code and tried to understand how 'WireGuardManager' keeps tabs on which of the available vpn config needs to be reestablished after reboot, but I didn't grasp the business logic yet (I'm a longtime Go developer myself, so reading is usually not the issue - but maybe I need another coffee :/).

Hope you have some pointers on how to resolve this.

Cheers
D. Brodbeck


* Re: wireguard-windows: client forgets after restart that there was an activated tunnel before and won't activate said tunnel anymore
From: Jason A. Donenfeld @ 2021-08-08 23:08 UTC (permalink / raw)
  To: Denis Brodbeck; +Cc: wireguard

Hi Denis,

That's a weird issue. Generally the WireGuardTunnel service should
stay installed unless explicitly uninstalled. The UninstallTunnel()
function is called from three places:

1) If you execute wireguard.exe /uninstalltunnelservice [name].
2) If the user presses "deactivate".
3) If the manager quits with "stoponquit", which happens only when the
user right clicks on the tray and presses "exit".

Are you sure that (3) isn't being hit unexpectedly?

Jason
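
A check for the state described in this thread (config file present, tunnel service absent), as an added example that is not part of either message or of the WireGuard project's code. It assumes the default configuration path and the service names quoted above, that every config in the directory is meant to be active, and an elevated PowerShell session; the function name is hypothetical.

```powershell
# Added example: report WireGuard configs that have no matching tunnel service.
# Assumptions: default install path and 'WireGuardTunnel$<name>' naming as quoted
# in the thread; every *.conf.dpapi file here is expected to be an active tunnel.
param(
    [string]$ConfigDir = 'C:\Program Files\WireGuard\Data\Configurations'
)

function Get-TunnelServiceState {
    param([Parameter(Mandatory)][string]$ConfigDir)

    Get-ChildItem -LiteralPath $ConfigDir -File -Filter '*.conf.dpapi' | ForEach-Object {
        # '20_EPNBLE-04.conf.dpapi' -> tunnel name '20_EPNBLE-04'
        $tunnel  = $_.Name -replace '\.conf\.dpapi$', ''
        # Single quotes keep the '$' literal in the service name.
        $svcName = 'WireGuardTunnel$' + $tunnel
        $svc     = Get-Service -Name $svcName -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Tunnel       = $tunnel
            Service      = $svcName
            Installed    = [bool]$svc
            Status       = if ($svc) { [string]$svc.Status } else { 'Missing' }
            ConfigSaved  = $_.LastWriteTime
        }
    }
}

# The manager service should exist and be running in every case from the thread.
$manager = Get-Service -Name 'WireGuardManager' -ErrorAction SilentlyContinue
if (-not $manager) {
    Write-Warning 'WireGuardManager service is not installed.'
} elseif ($manager.Status -ne 'Running') {
    Write-Warning "WireGuardManager is $($manager.Status), expected Running."
}

$states = @(Get-TunnelServiceState -ConfigDir $ConfigDir)
$states | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent flag the host.
$broken = @($states | Where-Object { -not $_.Installed -or $_.Status -ne 'Running' })
if ($broken.Count -gt 0) {
    Write-Warning ("Tunnels without a running service: " + ($broken.Tunnel -join ', '))
    exit 1
}
exit 0
```

Run at startup on each notebook, this records when a tunnel service disappeared, which narrows down which of the three uninstall paths listed above was taken.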
