* Re: snapshot 0.0.20170628 broken?
@ 2017-06-29 16:14 HDA
  2017-06-29 16:32 ` Reuben Martin
  0 siblings, 1 reply; 11+ messages in thread
From: HDA @ 2017-06-29 16:14 UTC (permalink / raw)
  To: wireguard, egbert, Jason

Did you use same snapshot version across all machines?
Should we postpone snapshot update in Ubuntu PPA?
On Thu, Jun 29, 2017, at 15:47, Reuben Martin wrote:
> Something is off with this latest snapshot:
>
> - Computer-X sitting in the cloud accepting incoming connections.
>
> - Computer-A sits behind a masquerade NAT or a remote network. Computer-A
> can connect to Computer-X, and then create a TCP session with services on
> Computer-X directly over the wg0 interface.
>
> - Computer-B is behind the same NAT as Computer-A. It can also create a
> connection with Computer-X. It gets a response pinging Computer-X on its
> wg0 address, but it cannot create a TCP session with services on Computer-X
> over the wg0 interface.
>
> The only thing I have found that might be relevant is that A was the
> first to connect, so the NAT port assigned is the same as the port that
> wireguard on X is listening to. Whereas B gets assigned a random port on
> the NAT side. That may just be coincidental though. Downgrading to 20170613
> and TCP sessions work from all connections again.
>
> -Reuben
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: snapshot 0.0.20170628 broken?
  2017-06-29 16:14 snapshot 0.0.20170628 broken? HDA
@ 2017-06-29 16:32 ` Reuben Martin
  0 siblings, 0 replies; 11+ messages in thread
From: Reuben Martin @ 2017-06-29 16:32 UTC (permalink / raw)
  To: wireguard

On Thursday, June 29, 2017 11:14:01 AM CDT HDA wrote:
> Did you use same snapshot version across all machines?

yes.

> Should we postpone snapshot update in Ubuntu PPA?
>
> On Thu, Jun 29, 2017, at 15:47, Reuben Martin wrote:
> > Something is off with this latest snapshot:
> >
> > - Computer-X sitting in the cloud accepting incoming connections.
> >
> > - Computer-A sits behind a masquerade NAT or a remote network. Computer-A
> > can connect to Computer-X, and then create a TCP session with services on
> > Computer-X directly over the wg0 interface.
> >
> > - Computer-B is behind the same NAT as Computer-A. It can also create a
> > connection with Computer-X. It gets a response pinging Computer-X on its
> > wg0 address, but it cannot create a TCP session with services on Computer-X
> > over the wg0 interface.
> >
> > The only thing I have found that might be relevant is that A was the
> > first to connect, so the NAT port assigned is the same as the port that
> > wireguard on X is listening to. Whereas B gets assigned a random port on
> > the NAT side. That may just be coincidental though. Downgrading to 20170613
> > and TCP sessions work from all connections again.
> >
> > -Reuben

* Re: snapshot 0.0.20170628 broken?
  2017-06-29 18:02 HDA
@ 2017-06-29 19:34 ` Jason A. Donenfeld
  0 siblings, 0 replies; 11+ messages in thread
From: Jason A. Donenfeld @ 2017-06-29 19:34 UTC (permalink / raw)
  To: WireGuard mailing list

This issue has been fixed in the snapshot I just published.


* Re: snapshot 0.0.20170628 broken?
@ 2017-06-29 18:02 HDA
  2017-06-29 19:34 ` Jason A. Donenfeld
  0 siblings, 1 reply; 11+ messages in thread
From: HDA @ 2017-06-29 18:02 UTC (permalink / raw)
  To: wireguard, reuben.m.work


Just to be sure, you can replace wg-quick for 0.0.20170628 with 0.0.20170613 wg-quick version from
https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick.bash?h=0.0.20170613
and try it out.
On Thu, Jun 29, 2017, at 17:23, Reuben Martin wrote:
> On Thursday, June 29, 2017 11:39:33 AM CDT Jason A. Donenfeld wrote:
> > Hey Reuben,
> >
> > I'm unable to reproduce these results. How sure are you about this
> > situation? Have you tried to reproduce more than once? What are you
> > using to configure the peers?
> >
> > Jason
>
> Yes, I can consistently reproduce when I move all 3 computers to the
> newer snapshot. This is Gentoo system using (gasp) systemd. I configure the
> peers using the wg-quick@wg0 service unit. I use a post-up and pre-down in
> the config to setup a vxlan overlaid on top of the VPN connections, but I
> don’t think that should matter since this is just using the wg0 interface
> directly. I can provide that setup info if you think it might be relevant.
>
> tshark capture of a simple wget from the computer that can’t connect.
>
>
>     5 7.615139647 192.168.100.12 → 192.168.100.1 TCP 60 54134 → 80 [SYN] Seq=0 Win=27600 Len=0 MSS=1380 SACK_PERM=1 TSval=3852526353 TSecr=0 WS=128
>     6 7.684940917 192.168.100.1 → 192.168.100.12 TCP 60 80 → 54134 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=3308550712 TSecr=3852526353 WS=128
>     7 7.684956294 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [ACK] Seq=1 Ack=1 Win=27648 Len=0 TSval=3852526423 TSecr=3308550712
>     8 7.685008715 192.168.100.12 → 192.168.100.1 HTTP 202 GET /index.html HTTP/1.1
>     9 7.754723388 192.168.100.1 → 192.168.100.12 TCP 52 80 → 54134 [ACK] Seq=1 Ack=151 Win=28544 Len=0 TSval=3308550782 TSecr=3852526423
>    10 7.998440304 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b  Cost = 0  Port = 0x8003
>    11 9.982462221 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b  Cost = 0  Port = 0x8003
>    12 10.321889091 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [FIN, ACK] Seq=151 Ack=1 Win=27648 Len=0 TSval=3852529060 TSecr=3308550782
>    13 10.392081110 192.168.100.1 → 192.168.100.12 TCP 52 [TCP Previous segment not captured] 80 → 54134 [FIN, ACK] Seq=1010 Ack=152 Win=28544 Len=0 TSval=3308553420 TSecr=3852529060
>    14 10.392097109 192.168.100.12 → 192.168.100.1 TCP 40 54134 → 80 [RST] Seq=152 Win=0 Len=0
>
>
> -Reuben

* Re: snapshot 0.0.20170628 broken?
  2017-06-29 15:47 Reuben Martin
  2017-06-29 16:39 ` Jason A. Donenfeld
@ 2017-06-29 17:23 ` Jason A. Donenfeld
  1 sibling, 0 replies; 11+ messages in thread
From: Jason A. Donenfeld @ 2017-06-29 17:23 UTC (permalink / raw)
  To: Reuben Martin; +Cc: WireGuard mailing list

Hello Reuben,

I've tried several things to try to reproduce this, in different
network configurations, and I'm entirely unable to. Could you provide
more details? Like the output of:

wg
ip link
ip addr
cat /proc/cpuinfo
cat /proc/version
lspci
lsusb
lshw
lsmod
lsb_release -a
cat /sys/module/wireguard/version
dmesg
nping --tcp wireguard.io -p 80 -c 1 -vv

For each of the three systems?

Thanks,
Jason


* Re: snapshot 0.0.20170628 broken?
  2017-06-29 16:39 ` Jason A. Donenfeld
  2017-06-29 16:41   ` Kalin KOZHUHAROV
@ 2017-06-29 17:23   ` Reuben Martin
  1 sibling, 0 replies; 11+ messages in thread
From: Reuben Martin @ 2017-06-29 17:23 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Thursday, June 29, 2017 11:39:33 AM CDT Jason A. Donenfeld wrote:
> Hey Reuben,
>
> I'm unable to reproduce these results. How sure are you about this
> situation? Have you tried to reproduce more than once? What are you
> using to configure the peers?
>
> Jason

Yes, I can consistently reproduce when I move all 3 computers to the newer
snapshot. This is Gentoo system using (gasp) systemd. I configure the peers
using the wg-quick@wg0 service unit. I use a post-up and pre-down in the
config to setup a vxlan overlaid on top of the VPN connections, but I don’t
think that should matter since this is just using the wg0 interface directly. I
can provide that setup info if you think it might be relevant.

tshark capture of a simple wget from the computer that can’t connect.


    5 7.615139647 192.168.100.12 → 192.168.100.1 TCP 60 54134 → 80 [SYN] Seq=0 Win=27600 Len=0 MSS=1380 SACK_PERM=1 TSval=3852526353 TSecr=0 WS=128
    6 7.684940917 192.168.100.1 → 192.168.100.12 TCP 60 80 → 54134 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=3308550712 TSecr=3852526353 WS=128
    7 7.684956294 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [ACK] Seq=1 Ack=1 Win=27648 Len=0 TSval=3852526423 TSecr=3308550712
    8 7.685008715 192.168.100.12 → 192.168.100.1 HTTP 202 GET /index.html HTTP/1.1
    9 7.754723388 192.168.100.1 → 192.168.100.12 TCP 52 80 → 54134 [ACK] Seq=1 Ack=151 Win=28544 Len=0 TSval=3308550782 TSecr=3852526423
   10 7.998440304 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b  Cost = 0  Port = 0x8003
   11 9.982462221 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b  Cost = 0  Port = 0x8003
   12 10.321889091 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [FIN, ACK] Seq=151 Ack=1 Win=27648 Len=0 TSval=3852529060 TSecr=3308550782
   13 10.392081110 192.168.100.1 → 192.168.100.12 TCP 52 [TCP Previous segment not captured] 80 → 54134 [FIN, ACK] Seq=1010 Ack=152 Win=28544 Len=0 TSval=3308553420 TSecr=3852529060
   14 10.392097109 192.168.100.12 → 192.168.100.1 TCP 40 54134 → 80 [RST] Seq=152 Win=0 Len=0


-Reuben
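
An added example, not part of the original thread or of WireGuard's code: a reading of the capture in the message above that tracks each sender's relative sequence numbers. It shows that frame 13 (Seq=1010) leaves relative bytes 1 to 1009 of the server's stream unseen on the client's wg0. The function name `find_gaps` and the frame-length heuristic used for the HTTP summary line are assumptions of this example.

```python
import re

# Frames 5-14 from the capture above, decoded (STP frames 10 and 11 left out).
CAPTURE = """\
5 7.615139647 192.168.100.12 → 192.168.100.1 TCP 60 54134 → 80 [SYN] Seq=0 Win=27600 Len=0 MSS=1380 SACK_PERM=1 TSval=3852526353 TSecr=0 WS=128
6 7.684940917 192.168.100.1 → 192.168.100.12 TCP 60 80 → 54134 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=3308550712 TSecr=3852526353 WS=128
7 7.684956294 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [ACK] Seq=1 Ack=1 Win=27648 Len=0 TSval=3852526423 TSecr=3308550712
8 7.685008715 192.168.100.12 → 192.168.100.1 HTTP 202 GET /index.html HTTP/1.1
9 7.754723388 192.168.100.1 → 192.168.100.12 TCP 52 80 → 54134 [ACK] Seq=1 Ack=151 Win=28544 Len=0 TSval=3308550782 TSecr=3852526423
12 10.321889091 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [FIN, ACK] Seq=151 Ack=1 Win=27648 Len=0 TSval=3852529060 TSecr=3308550782
13 10.392081110 192.168.100.1 → 192.168.100.12 TCP 52 [TCP Previous segment not captured] 80 → 54134 [FIN, ACK] Seq=1010 Ack=152 Win=28544 Len=0 TSval=3308553420 TSecr=3852529060
14 10.392097109 192.168.100.12 → 192.168.100.1 TCP 40 54134 → 80 [RST] Seq=152 Win=0 Len=0
"""

# frame number, time, source, destination, protocol, frame length, info column
LINE = re.compile(r"^\s*(\d+) \S+ (\S+) → (\S+) (\S+) (\d+) (.*)$")

def find_gaps(capture):
    """Return (frame, sender, expected_seq, seen_seq) for each jump in a
    sender's relative sequence numbers, i.e. data the capture never saw."""
    next_seq = {}   # sender -> next expected relative sequence number
    overhead = {}   # sender -> IP+TCP header bytes, learned from bare ACKs
    gaps = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        frame, src, _dst, _proto, frame_len, info = m.groups()
        seq = re.search(r"Seq=(\d+)", info)
        if seq is None:
            # Application-layer summaries (the HTTP GET) hide Seq/Len. Assumption:
            # payload = frame length minus the sender's last bare-ACK frame length.
            if src in next_seq and src in overhead:
                next_seq[src] += int(frame_len) - overhead[src]
            continue
        seq = int(seq.group(1))
        length = int(re.search(r"Len=(\d+)", info).group(1))
        flags = set(re.search(r"\[([A-Z, ]+)\]", info).group(1).split(", "))
        if flags == {"ACK"} and length == 0:
            overhead[src] = int(frame_len)
        if src in next_seq and seq > next_seq[src]:
            gaps.append((int(frame), src, next_seq[src], seq))
        # SYN and FIN each consume one sequence number in addition to payload.
        end = seq + length + len(flags & {"SYN", "FIN"})
        next_seq[src] = max(next_seq.get(src, 0), end)
    return gaps
```

`find_gaps(CAPTURE)` reports one jump, in frame 13 from 192.168.100.1; the client's own stream (GET, FIN, RST) is contiguous.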


* Re: snapshot 0.0.20170628 broken?
  2017-06-29 16:42     ` Jason A. Donenfeld
@ 2017-06-29 16:47       ` Kalin KOZHUHAROV
  0 siblings, 0 replies; 11+ messages in thread
From: Kalin KOZHUHAROV @ 2017-06-29 16:47 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Thu, Jun 29, 2017 at 6:42 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> He said already: 20170613
Ooops!

Sorry about the noise, time for evening coffee it seems ;-/

Kalin.


* Re: snapshot 0.0.20170628 broken?
  2017-06-29 16:41   ` Kalin KOZHUHAROV
@ 2017-06-29 16:42     ` Jason A. Donenfeld
  2017-06-29 16:47       ` Kalin KOZHUHAROV
  0 siblings, 1 reply; 11+ messages in thread
From: Jason A. Donenfeld @ 2017-06-29 16:42 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

He said already: 20170613


* Re: snapshot 0.0.20170628 broken?
  2017-06-29 16:39 ` Jason A. Donenfeld
@ 2017-06-29 16:41   ` Kalin KOZHUHAROV
  2017-06-29 16:42     ` Jason A. Donenfeld
  2017-06-29 17:23   ` Reuben Martin
  1 sibling, 1 reply; 11+ messages in thread
From: Kalin KOZHUHAROV @ 2017-06-29 16:41 UTC (permalink / raw)
  To: Reuben Martin; +Cc: WireGuard mailing list

Hello Reuben,

And what was the last good version that was working in this same setup?

Kalin.


* Re: snapshot 0.0.20170628 broken?
  2017-06-29 15:47 Reuben Martin
@ 2017-06-29 16:39 ` Jason A. Donenfeld
  2017-06-29 16:41   ` Kalin KOZHUHAROV
  2017-06-29 17:23   ` Reuben Martin
  2017-06-29 17:23 ` Jason A. Donenfeld
  1 sibling, 2 replies; 11+ messages in thread
From: Jason A. Donenfeld @ 2017-06-29 16:39 UTC (permalink / raw)
  To: Reuben Martin; +Cc: WireGuard mailing list

Hey Reuben,

I'm unable to reproduce these results. How sure are you about this
situation? Have you tried to reproduce more than once? What are you
using to configure the peers?

Jason


* snapshot 0.0.20170628 broken?
@ 2017-06-29 15:47 Reuben Martin
  2017-06-29 16:39 ` Jason A. Donenfeld
  2017-06-29 17:23 ` Jason A. Donenfeld
  0 siblings, 2 replies; 11+ messages in thread
From: Reuben Martin @ 2017-06-29 15:47 UTC (permalink / raw)
  To: wireguard

Something is off with this latest snapshot:

- Computer-X sitting in the cloud accepting incoming connections.

- Computer-A sits behind a masquerade NAT or a remote network. Computer-A can
connect to Computer-X, and then create a TCP session with services on
Computer-X directly over the wg0 interface.

- Computer-B is behind the same NAT as Computer-A. It can also create a
connection with Computer-X. It gets a response pinging Computer-X on its wg0
address, but it cannot create a TCP session with services on Computer-X over
the wg0 interface.

The only thing I have found that might be relevant is that A was the first to
connect, so the NAT port assigned is the same as the port that wireguard on X
is listening to. Whereas B gets assigned a random port on the NAT side. That
may just be coincidental though. Downgrading to 20170613 and TCP sessions work
from all connections again.

-Reuben
