From: Sander Saares <saares@axinom.com>
To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Windows tunnel shows established but traffic sometimes does not move after recycling tunnel
Date: Mon, 5 Aug 2019 07:55:20 +0000 [thread overview]
Message-ID: <4844fb6f08514ebaa39511d00e9cf9dd@Shepherd.axinom.de> (raw)
Hi!
I submit a report on a problem encountered attempting to use WireGuard in a Windows-to-Windows "VPN gateway/proxy" deployment. I have a test deployment available in case I can provide further data for ease of debugging.
Scenario:
* Server A set up as WireGuard server, accepting connections from server B.
* Traffic from WireGuard network is forwarded and NATed by server A using built-in Windows networking features.
* Server B connects through WireGuard tunnel to access the internet.
For purpose of experimentation, the internet is defined as 8.8.8.8/32.
Expected result: tunnel is successfully established, internet traffic of server B is forwarded through server A.
Actual result: tunnel is successfully established (at least as shown in WireGuard GUI) but sometimes the expected traffic flows do not occur.
Occasionally, actual result matches expected result.
Method of observation: mutual ping on private IP address; ping from server B (WG client) to 8.8.8.8.
In failure case:
* both pings time out (server A and server B cannot ping each other on private IP)
* ping to 8.8.8.8 times out, EXCEPT for the first ping after tunnel is re-established (server B always seems to get 1 response before connectivity vanishes; possibly this is a ping not routed through the VPN, so it just goes directly out from server B to the internet?)
In success case, all pings work fine and get expected responses.
I suspect some startup/lifecycle/timing issue disrupting proper operation of the tunnel and/or associated routing configuration. If I can provide more data that may prove useful, I am happy to do so when instructed on how to collect it.
Configuration and experiment log follows.
Both systems are Windows 2019 (17763.652) running in clean Azure VMs, fully patched. WireGuard 0.0.19.
WireGuard server (server A)
=======================
[Interface]
PrivateKey =
ListenPort = 9000
Address = 172.16.16.1/24
[Peer]
PublicKey =
AllowedIPs = 172.16.16.0/24
WireGuard client (server B)
=======================
[Interface]
PrivateKey =
Address = 172.16.16.2/24
[Peer]
PublicKey =
AllowedIPs = 172.16.16.0/24, 8.8.8.8/32
Endpoint = xxx:9000
Forward+NAT setup (server A)
=================
PS C:\Users\saares> $interfaces = Get-NetIPInterface
PS C:\Users\saares> $interfaces[4]
ifIndex InterfaceAlias AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp ConnectionState PolicyStore
------- -------------- ------------- ------------ --------------- ---- --------------- -----------
3 wg-test IPv4 1420 5 Disabled Connected ActiveStore
PS C:\Users\saares> $interfaces[4] | Set-NetIPInterface -Forwarding Enabled
PS C:\Users\saares> New-NetNat -Name NAT -InternalIPInterfaceAddressPrefix "172.16.16.0/24"
Name : NAT
ExternalIPInterfaceAddressPrefix :
InternalIPInterfaceAddressPrefix : 172.16.16.0/24
IcmpQueryTimeout : 30
TcpEstablishedConnectionTimeout : 1800
TcpTransientConnectionTimeout : 120
TcpFilteringBehavior : AddressDependentFiltering
UdpFilteringBehavior : AddressDependentFiltering
UdpIdleSessionTimeout : 120
UdpInboundRefresh : False
Store : Local
Active : True
Experiment log
===============
Immediate after setup -> all OK
Recycle tunnel on server -> all OK
Restart server PC -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> all OK
Recycle tunnel on server -> all OK
Recycle tunnel on server -> all OK
Recycle tunnel on server -> all OK
Recycle tunnel on server -> all OK
Recycle tunnel on server -> all OK
Restart server PC -> all OK
Restart server PC -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> all OK
Recycle tunnel on server -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> tunnel reestablished but traffic does not move
Recycle tunnel on server -> tunnel reestablished but traffic does not move
Cheers,
Sander Saares
Advisor
Axinom | Soola 8 | 51004 Tartu | Estonia
phone: +49 911 80109-54
saares@axinom.com | www.axinom.com
Managing Directors: Sergei Gussev, Oleg Knut
Tartu Circuit Court, Reg. 11046287
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next reply other threads:[~2019-08-05 18:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-05 7:55 Sander Saares [this message]
2019-12-11 7:27 ` Windows tunnel shows established but traffic sometimes does not move after recycling tunnel Sander Saares
2019-12-19 1:23 ` Jason A. Donenfeld
2019-12-19 12:21 ` Sander Saares
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4844fb6f08514ebaa39511d00e9cf9dd@Shepherd.axinom.de \
--to=saares@axinom.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).