* Re: snapshot 0.0.20170628 broken?
@ 2017-06-29 16:14 HDA
  2017-06-29 16:32 ` Reuben Martin
  0 siblings, 1 reply; 11+ messages in thread
From: HDA @ 2017-06-29 16:14 UTC (permalink / raw)
  To: wireguard, egbert, Jason

Did you use the same snapshot version across all machines?
Should we postpone the snapshot update in the Ubuntu PPA?
On Thu, Jun 29, 2017, at 15:47, Reuben Martin wrote:
> Something is off with this latest snapshot:
>
> - Computer-X sitting in the cloud accepting incoming connections.
>
> - Computer-A sits behind a masquerade NAT or a remote network. Computer-A can
> connect to Computer-X, and then create a TCP session with services on
> Computer-X directly over the wg0 interface.
>
> - Computer-B is behind the same NAT as Computer-A. It can also create a
> connection with Computer-X. It gets a response pinging Computer-X on its wg0
> address, but it cannot create a TCP session with services on Computer-X over
> the wg0 interface.
>
> The only thing I have found that might be relevant is that A was the first to
> connect, so the NAT port assigned is the same as the port that wireguard on X
> is listening to. Whereas B gets assigned a random port on the NAT side. That
> may just be coincidental though. Downgrading to 20170613 and TCP sessions work
> from all connections again.
>
> -Reuben
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

* Re: snapshot 0.0.20170628 broken?
@ 2017-06-29 18:02 HDA
  2017-06-29 19:34 ` Jason A. Donenfeld
  0 siblings, 1 reply; 11+ messages in thread
From: HDA @ 2017-06-29 18:02 UTC (permalink / raw)
  To: wireguard, reuben.m.work


Just to be sure, you can replace wg-quick for 0.0.20170628 with 0.0.20170613 wg-quick version from https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick.bash?h=0.0.20170613 and try it out.
On Thu, Jun 29, 2017, at 17:23, Reuben Martin wrote:
> On Thursday, June 29, 2017 11:39:33 AM CDT Jason A. Donenfeld wrote:
> > Hey Reuben,
> >
> > I'm unable to reproduce these results. How sure are you about this
> > situation? Have you tried to reproduce more than once? What are you
> > using to configure the peers?
> >
> > Jason
>
> Yes, I can consistently reproduce when I move all 3 computers to the newer
> snapshot. This is a Gentoo system using (gasp) systemd. I configure the peers
> using the wg-quick@wg0 service unit. I use a post-up and pre-down in the
> config to set up a vxlan overlaid on top of the VPN connections, but I don’t
> think that should matter since this is just using the wg0 interface directly. I
> can provide that setup info if you think it might be relevant.
>
> tshark capture of a simple wget from the computer that can’t connect.
>
>     5 7.615139647 192.168.100.12 → 192.168.100.1 TCP 60 54134 → 80 [SYN] Seq=0 Win=27600 Len=0 MSS=1380 SACK_PERM=1 TSval=3852526353 TSecr=0 WS=128
>     6 7.684940917 192.168.100.1 → 192.168.100.12 TCP 60 80 → 54134 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=3308550712 TSecr=3852526353 WS=128
>     7 7.684956294 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [ACK] Seq=1 Ack=1 Win=27648 Len=0 TSval=3852526423 TSecr=3308550712
>     8 7.685008715 192.168.100.12 → 192.168.100.1 HTTP 202 GET /index.html HTTP/1.1
>     9 7.754723388 192.168.100.1 → 192.168.100.12 TCP 52 80 → 54134 [ACK] Seq=1 Ack=151 Win=28544 Len=0 TSval=3308550782 TSecr=3852526423
>    10 7.998440304 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b  Cost = 0  Port = 0x8003
>    11 9.982462221 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b  Cost = 0  Port = 0x8003
>    12 10.321889091 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [FIN, ACK] Seq=151 Ack=1 Win=27648 Len=0 TSval=3852529060 TSecr=3308550782
>    13 10.392081110 192.168.100.1 → 192.168.100.12 TCP 52 [TCP Previous segment not captured] 80 → 54134 [FIN, ACK] Seq=1010 Ack=152 Win=28544 Len=0 TSval=3308553420 TSecr=3852529060
>    14 10.392097109 192.168.100.12 → 192.168.100.1 TCP 40 54134 → 80 [RST] Seq=152 Win=0 Len=0
>
> -Reuben

* snapshot 0.0.20170628 broken?
@ 2017-06-29 15:47 Reuben Martin
  2017-06-29 16:39 ` Jason A. Donenfeld
  2017-06-29 17:23 ` Jason A. Donenfeld
  0 siblings, 2 replies; 11+ messages in thread
From: Reuben Martin @ 2017-06-29 15:47 UTC (permalink / raw)
  To: wireguard

Something is off with this latest snapshot:

- Computer-X sitting in the cloud accepting incoming connections.

- Computer-A sits behind a masquerade NAT or a remote network. Computer-A can
connect to Computer-X, and then create a TCP session with services on
Computer-X directly over the wg0 interface.

- Computer-B is behind the same NAT as Computer-A. It can also create a
connection with Computer-X. It gets a response pinging Computer-X on its wg0
address, but it cannot create a TCP session with services on Computer-X over
the wg0 interface.

The only thing I have found that might be relevant is that A was the first to
connect, so the NAT port assigned is the same as the port that wireguard on X
is listening to. Whereas B gets assigned a random port on the NAT side. That
may just be coincidental though. Downgrading to 20170613 and TCP sessions work
from all connections again.

-Reuben
