Development discussion of WireGuard
 help / color / mirror / Atom feed
* DNS resolution retries and EAI_NONAME
@ 2020-11-03  8:57 Zack Elan
  2020-11-10  1:48 ` Lonnie Abelbeck
  0 siblings, 1 reply; 2+ messages in thread
From: Zack Elan @ 2020-11-03  8:57 UTC (permalink / raw)
  To: wireguard

Short version: if I set WG_ENDPOINT_RESOLUTION_RETRIES=infinity, I would like wg(8) to actually retry infinitely, rather than exiting the first time it gets what it assumes to be a permanent failure.

Long version:

When WG_ENDPOINT_RESOLUTION_RETRIES is set, wg will retry endpoint resolution failures...but it special-cases 2 or 3 error response codes [0] - EAI_NONAME, EAI_FAIL and (if defined) EAI_NODATA because it considers them "permanent" failures that are not worth retrying.

I have several Wireguard tunnels that are set to start at boot on a NixOS box I host. NixOS sets this variable to infinite for me [1]. Despite this, when I reboot that host, I consistently have the tunnels fail on startup. They're failing with a error that wg(8) considers permanent:

Oct 29 19:08:48 mord kernel: wireguard: WireGuard 1.0.20200908 loaded. See www.wireguard.com for information.
Oct 29 19:08:48 mord wireguard-wg0-peer-eG9xbERdnkQrnrpnRrteQQ4zKn-Bi2WA2V2Y2X0UCl0--x3d-start[1046]: Name or service not known: `4184f12df2343796c155.freemyip.com:12345'
Oct 29 19:08:48 mord systemd[1]: wireguard-wg0-peer-eG9xbERdnkQrnrpnRrteQQ4zKn-Bi2WA2V2Y2X0UCl0\x3d.service: Main process exited, code=exited, status=1/FAILURE
Oct 29 19:08:48 mord wireguard-wg0-peer-CBdpnmSVnwIvgtj4M1g3LlCLm-wooeo--x2bs5AARyoPjxU--x3d-start[1048]: Name or service not known: `d67930b08f5396e21ae1.freemyip.com:12345'
Oct 29 19:08:48 mord systemd[1]: wireguard-wg0-peer-CBdpnmSVnwIvgtj4M1g3LlCLm-wooeo\x2bs5AARyoPjxU\x3d.service: Main process exited, code=exited, status=1/FAILURE
Oct 29 19:08:48 mord wireguard-wg0-peer-J4rZgtReGrTwTglP05wLQt1GniIfUV4o4zAqcO-b3AI--x3d-start[1047]: Name or service not known: `9fa2756baed60cb5f18e.freemyip.com:12345'
Oct 29 19:08:48 mord systemd[1]: wireguard-wg0-peer-J4rZgtReGrTwTglP05wLQt1GniIfUV4o4zAqcO-b3AI\x3d.service: Main process exited, code=exited, status=1/FAILURE

This host gets an IP from DHCP a few seconds later, and after that I can SSH in and manually start the Wireguard tunnels without issue.

The assumption that wg(8) makes - that EAI_NONAME / "name or service not known" is a permanent failure - may be true in some cases, but isn't true in mine. 

I think it might also make sense, along with not special-casing those error codes, to lower the default number of retries to maybe 1 or 2 (instead of 15)? That would achieve the desired effect of not taking forever to fail if the error truly is permanent, but also allow use cases like mine where the tunnel is configured to start on boot and I want "the network will be up soon, trust me" retry behavior.

0: https://git.zx2c4.com/wireguard-tools/tree/src/config.c#n245

1: https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix#L280

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: DNS resolution retries and EAI_NONAME
  2020-11-03  8:57 DNS resolution retries and EAI_NONAME Zack Elan
@ 2020-11-10  1:48 ` Lonnie Abelbeck
  0 siblings, 0 replies; 2+ messages in thread
From: Lonnie Abelbeck @ 2020-11-10  1:48 UTC (permalink / raw)
  To: Zack Elan; +Cc: wireguard



> On Nov 3, 2020, at 2:57 AM, Zack Elan <wireguard@zackelan.com> wrote:
> 
> Short version: if I set WG_ENDPOINT_RESOLUTION_RETRIES=infinity, I would like wg(8) to actually retry infinitely, rather than exiting the first time it gets what it assumes to be a permanent failure.
> 
> Long version:
> 
> When WG_ENDPOINT_RESOLUTION_RETRIES is set, wg will retry endpoint resolution failures...but it special-cases 2 or 3 error response codes [0] - EAI_NONAME, EAI_FAIL and (if defined) EAI_NODATA because it considers them "permanent" failures that are not worth retrying.
> 
> I have several Wireguard tunnels that are set to start at boot on a NixOS box I host. NixOS sets this variable to infinite for me [1]. Despite this, when I reboot that host, I consistently have the tunnels fail on startup. They're failing with a error that wg(8) considers permanent:

Hi Zack,

Our project reversed the logic to make a DNS failure to be a non-fatal 'wg' error. [2]

This trivial patch has worked well for our usage.

Lonnie

[2] https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/wireguard-tools/wireguard-tools-0001-ignore-endpoint-dns-failure.patch



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2020-11-10  1:49 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-03  8:57 DNS resolution retries and EAI_NONAME Zack Elan
2020-11-10  1:48 ` Lonnie Abelbeck

Development discussion of WireGuard

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/wireguard

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 wireguard wireguard/ http://inbox.vuxu.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git