Connections dropped after long in-activity

[Kalin KOZHUHAROV]

On Tue, Jan 8, 2019 at 3:20 AM Muhammad Naseer Bhatti <nbhatti at gmail.com> wrote:
> Facing a strange issue with single and sometimes with double NAT with client running Wireguard with the server on Public IP address. If client remains idle for long time (more than 15 minutes) NAT table in the route is dropped for that port combination (at the ISP side) since there is no activity, and Wireguard does not re-establishes the connection or tries to refresh. I am not sure why Keep alives set to 30 seconds not working either since if Keep Alives are set this should not happen.
>
This should not be the case, if keep-alive is enabled. But note that
it is off by default, e.g. man page

The use of persistent-keepalive is optional and is by default off;
setting it to 0 or "off" disables it.  Otherwise it reprеsents, in
seconds, between 1 and 65535 inclusive, how often to send an
authenticated empty packet to the peer, for the  purpose  of keeping a
stateful firewall or NAT mapping valid persistently. For example, if
the interface very rarely sends traffic, but it might at anytime
receive traffic from a peer, and it is  behind  NAT,  the interface
might  benefit  from having a persistent keepalive interval of 25
seconds; however, most users will not need this.

What does this command (replace <INTERFACE> with yours) say:
wg show <INTERFACE> persistent-keepalive

> Is this the desired behavior or am I missing something here?
>
Do a packet dump/capture and observe that there is indeed traffic
(keep-alives) going from the client (wireshark, tcpdump, etc). If you
use iptables, you can check packet count going through wg interface.

Cheers,
Kalin.