From: reox <mailinglist@reox.at>
To: wireguard@lists.zx2c4.com
Subject: Re: Connection hangs over CGNAT (Starlink)
Date: Tue, 10 Jan 2023 10:44:43 +0100 [thread overview]
Message-ID: <fc9bde3b-2366-b9f2-3a90-aacf5890c9f4@reox.at> (raw)
In-Reply-To: <CA+hy6dtEXTG9wQJ0Cb=2iEgZd6bOpCghBinawgS5UPCQ+95sGA@mail.gmail.com>
Interesting, because I was going to post a similar question here - but
would not have thought about multi-network.
For me, this happens on my Android phone, where I use WG to route DNS
traffic to my own server.
In some wifi networks, I get this issue that after some time (sometimes
only minutes, sometimes hours), that for example K9mail is unable to
fetch mails because it presumably runs into a DNS timeout (it cannot be
a connection timeout to the mail server, because that is not routed via WG)
Toggling Wifi, switching to mobile network only, or toggling wireguard
solves the issue.
I had this problem, however, also rarely in other wifis. Before that, I
thought that the wifi network itself was the culprit, but as it happens
also on other occasions, thus I thought it might be a combination of
specific wifi setup and my server setup.
However, I have no idea how I could debug this, especially as DNS
requests using termux and dig work flawlessly, even though at the same
time k9mail hangs.
Using KeepAlive did not work so far.
I wanted to debug this further by running tcpdump on the server, but
unfortunately, I have right now no wifi where I can trigger this bug
reliably. In my own wifi, it happens every now and then - typically only
once a month or less...
Best,
Sebastian
On 17.12.2022 23:15, Szymon Nowak wrote:
> I've noticed the same thing on a WIndows client, it happens when you
> provide internet from two sources, e.g. Wifi and mobile network or
> Wifi and LAN in case of computer, When one of these sources has a
> problem and internet is not available on it. Then Wireguard stops
> working even though it doesn't break the tunnel. Completely
> disconnecting the faulty connection and reconnecting the tunleu solves
> this problem. I don't know why they don't work even though the tunnel
> is connected
>
> On Sat, Dec 17, 2022 at 11:05 PM Nikolay Martynov <mar.kolya@gmail.com> wrote:
>>
>> Hi!
>>
>> I'm experiencing strange behaviour with wireguard: from time to time
>> connection 'freezes'.
>> Most often I'm observing this on an Android phone when connected from
>> my home over Starlink.
>> Server: latest Openwrt, Client: latest Android app.
>> The connection establishes and works fine for some time. After some
>> time the client still shows connection is established, but no incoming
>> data is coming.
>> On a server side 'latest handshake' goes into hours/days.
>> The freeze happens randomly, for no apparent reason and I think only
>> over starlink. I do not think I have ever observed this problem on
>> cell networks.
>>
>> Reconnection solves the problem immediately.
>> I did some tcpdumping when the problem was present and found the following:
>> * Server side sees incoming traffic from the client and sends responses.
>> * On my own router connected to Starlink (i.e. interface between my
>> router and Starlink router) I see data going from the client to the
>> server - but no packets coming back.
>>
>> So my 'hypothesis' is that somehow Starlink's CGNAT 'forgets' one side
>> of the connection - and so data continues to go in one direction, but
>> it doesn't come back. The thing with the wireguard is that it looks
>> like it doesn't change the outgoing port when it attempts to do
>> another handshake. This means that it continues using the same 'half
>> broken' connection forever.
>>
>> I think the same happens to me at least once on a Linux client - but
>> the difference with the phone is that the phone is always on and
>> therefore the duration of the connection is much longer.
>>
>> I tried experimenting with keepalive messages - but it looks like they
>> make no difference. Once connection freezes I see keepalived arriving
>> onto the server, server sending reply - but that reply never arrives
>> to the client.
>>
>> It looks like the solution to this problem would be for the client to
>> use a different outgoing port when sending a handshake but I was not
>> able to find an option for that.
>>
>> Is this something that is possible to do?
>> Thanks!
>>
>>
>> --
>> Martynov Nikolay.
>> Email: mar.kolya@gmail.com
next prev parent reply other threads:[~2023-01-12 0:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-16 2:12 Nikolay Martynov
2022-12-17 22:15 ` Szymon Nowak
2023-01-10 9:44 ` reox [this message]
2022-12-18 13:24 ` Lonnie Abelbeck
2022-12-19 3:41 ` Dean Davis
2022-12-31 1:08 ` Nikolay Martynov
2023-01-10 10:55 ` Nikolay Kichukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fc9bde3b-2366-b9f2-3a90-aacf5890c9f4@reox.at \
--to=mailinglist@reox.at \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).