WireGuard Archive on lore.kernel.org
* Weird connected but not established wireguard connection
@ 2019-05-14  5:36 Alex Rodriguez
From: Alex Rodriguez @ 2019-05-14  5:36 UTC (permalink / raw)
  To: wireguard


Greetings everyone,

So I am working on establishing a wireguard connection that is acting very
strange, and I am thinking that the problem is that specific machine is
acting weird and not wireguard. I wanted to message in here to figure out
if there was a way I could confirm this though.

I currently have 2 machines that I have hooked up to the vpn server,
through wireguard, no problem. They have established connections and
traffic flows perfectly.

The problem is, with this third machine that is running Kali Linux
(version 0.0.20190227 of wireguard dkms by default), I can see that it is
successfully contacting my server (because it registers the endpoint's
external IP address) but it never sends a handshake successfully (that the
server knows of). If you look in the gist below I ran wg show (or just wg,
which does a show), and from the client side it says that it thinks it
sent a successful handshake. The server side though doesn't have any latest
handshake field populated, and I can confirm from the server side that it
didn't by looking at the dump (also in the gist).

So it seems like it is trying to connect, but something isn't allowing it
to handshake properly. As you can see from me running the wg show, the keys
match up properly, so it isn't that I misconfigured the keys. If it was a
firewall in the way then I wouldn't be seeing on the server side that it is
connecting, right? So I don't think that it is a firewall.

I have tried the following:

   - purge the apt installed version completely (i.e. sudo apt remove
   --purge "wireguard*")
   - walked through twice (after doing the purge of the first one)
   confirming that the setup wasn't a mistake the first time
   - upgraded wg version by compiling and installing 0.0.20190406
   - Multiple tcpdumps on both sides, and I see that the traffic is
   attempting to send, but only sends syns (because the connection isn't
   established)


So here is my setup:

https://gist.github.com/elreydetoda/948dd184402493c5e1d97d826d22a4a5

The weird thing is that the 80NPQXXXXX peer in the wg0.conf is identical in
OS, kernel, etc. (i.e. Kali Linux) and it establishes perfectly fine
with that machine. So there is something weird with specifically that
machine, but I don't know of anything that would affect the connection when
it already makes the initial connection.

Sincerely,
Alex Rodriguez

P.S. So one of my co-workers and I figured out the weird vulnerability
scanner and wireguard issue, kind of... So we assume that the problem with
the vulnerability scanner is that it implements its own network driver/stack
thing to handle the scanning that it does. So wireguard on that
server wasn't acting properly, so we simply moved wireguard to another
server and just route all traffic through that wireguard server into
whatever wireguard pipe we want. I will probably post a blog post about it
soon to let you all know how we implemented it. Just wanted to give a heads
up.

--
Alex Rodriguez
Developer

Secure Ideas, LLC - Professionally Evil ®

https://www.secureideas.com/

Cell: 980-277-2746 / Office: 866-404-7837 x741
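The symptom described in the post (endpoint learned, keys matching, but no latest-handshake on the server side) is exactly what `wg show <iface> dump` exposes in machine-readable form. The following is an added diagnostic example, not code from the post or from the WireGuard project: it parses the documented tab-separated dump layout (interface line, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake, rx, tx, keepalive) and classifies each peer so the "connected but never handshaked" case stands out when run on both ends of a tunnel. The sample dump, the placeholder keys, the fixed `NOW` timestamp and the 180-second staleness threshold are all constructed assumptions.

```python
"""Classify WireGuard peers from `wg show <iface> dump` output.

Added diagnostic example (not from the original mailing-list post).
Column layout follows the documented `wg show <iface> dump` format:
  interface line: private_key  public_key  listen_port  fwmark
  peer line:      public_key  preshared_key  endpoint  allowed_ips
                  latest_handshake  transfer_rx  transfer_tx  persistent_keepalive
Run on a live host with:  wg show wg0 dump | python3 wg_diag.py
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed reference time (2019-05-14 05:36 UTC) so results are reproducible.
NOW = 1557812160
# WireGuard re-handshakes roughly every two minutes while traffic flows, so a
# handshake older than this with keepalive enabled is suspicious (assumed heuristic).
STALE_AFTER = 180

# Constructed sample: keys are placeholders, addresses are documentation ranges.
# Peer 1: healthy.  Peer 2: endpoint learned but latest_handshake == 0 (the
# symptom in the post).  Peer 3: never heard from at all.
SAMPLE_DUMP = (
    "SERVERPRIVKEY_PLACEHOLDER=\tSERVERPUBKEY_PLACEHOLDER=\t51820\toff\n"
    f"PEER1PUB_PLACEHOLDER=\t(none)\t203.0.113.10:41234\t10.0.0.2/32\t{NOW - 30}\t48120\t61344\t25\n"
    "PEER2PUB_PLACEHOLDER=\t(none)\t203.0.113.20:51000\t10.0.0.3/32\t0\t0\t0\t25\n"
    "PEER3PUB_PLACEHOLDER=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n"
)


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]      # None when wg prints "(none)"
    allowed_ips: List[str]
    latest_handshake: int        # unix seconds; 0 means never
    rx: int
    tx: int
    keepalive: Optional[int]     # None when wg prints "off"


def parse_wg_dump(text: str) -> List[Peer]:
    """Parse `wg show <iface> dump`; the first non-empty line is the interface."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers: List[Peer] = []
    for line in lines[1:]:
        cols = line.split("\t")
        if len(cols) != 8:
            raise ValueError(f"unexpected column count {len(cols)}: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, keepalive = cols
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=[] if allowed == "(none)" else allowed.split(","),
            latest_handshake=int(hs),
            rx=int(rx),
            tx=int(tx),
            keepalive=None if keepalive == "off" else int(keepalive),
        ))
    return peers


def classify(peer: Peer, now: int, stale_after: int = STALE_AFTER) -> str:
    """Map one peer to a human-readable state."""
    if peer.latest_handshake == 0:
        # An endpoint with no handshake is the "connected but not established"
        # case: packets arrived from that address, but no handshake completed.
        return "endpoint-seen-no-handshake" if peer.endpoint else "never-contacted"
    age = now - peer.latest_handshake
    # Without keepalive an idle peer legitimately has an old handshake, so only
    # flag staleness when the peer is expected to be chatty.
    if peer.keepalive is not None and age > stale_after:
        return "stale"
    return "established"


def diagnose(dump_text: str, now: int = NOW) -> Dict[str, str]:
    """Return {public_key: state} for every peer in the dump."""
    return {p.public_key: classify(p, now) for p in parse_wg_dump(dump_text)}


if __name__ == "__main__":
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for key, state in diagnose(text).items():
        print(f"{state:28s} {key}")
```

Running it on both ends and comparing the two tables localises the fault: a peer that is `established` on the client but `endpoint-seen-no-handshake` on the server points at the server never completing the handshake for that specific peer, which is the situation the post describes.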
