<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 7, 2016 at 3:13 PM Baptiste Jonglez <<a href="mailto:baptiste@bitsofnetworks.org">baptiste@bitsofnetworks.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Jul 07, 2016 at 12:53:24PM +0000, Jan De Landtsheer wrote:<br>
> - about changing ports:<br>
> hmmm. can't really say...<br>
> What I noticed: I could ping yesterday, without doing anything, I couldn't<br>
> this morning. that's when I saw the difference.<br>
> I had something like it yesterday, and thinking I did something wrong, I<br>
> set it in stone in a config file. applied it, had my ping, kept the<br>
> terminal session on the server open (had also an openvpn to the remote).<br>
> This morning, from the remote , there was no ping. Verified why. And then I<br>
> sent this mail ;-)<br>
<br>
Could there be a NAT or stateful firewall on your network, messing up the<br>
UDP source port of packets received from the server?<br></blockquote><div> </div><div>nope, Start with basics, use pub ip to pub ip</div><div>BTW, can a client run behind NAT ? (I assume not, as AFAICT both need to listen on a port)</div><div><br></div><div>But like I said, I'll see if it happens again... went through my history log still thinking it might be me, but it doesn't seem so.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If you manage to reproduce, it would be helpful to have a packet capture<br>
before your wireguard client changes endpoint, with something like:<br>
<br>
client# tcpdump -w wireguard.pcap -i eth0 -s 64 'udp and host xxx.xxx.xxx.126'<br>
<br>
Change the interface if needed, and xxx.xxx.xxx.126 is the public IP of<br>
your server. The packet trace will only contain the packet headers and<br>
a small bit of encrypted data, but you can send it privately (to me and/or<br>
Jason).<br>
<br>
> Note: it's properly up since, so I don't know...<br>
> I'll keep it as it is, will let you know if something switches again.<br>
> Note2: No, no different peers, there is only one client, one server, so<br>
> there wouldn't be any overlap.<br>
><br>
> running arch linux, latest & geatest<br>
><br>
> - about something else:<br>
> are these pure ip tunnels, or could I envision to add the interfaces to an<br>
> OpenVSwitch bridge and use them as tunnel ports?<br>
><br>
> Thx<br>
> Jan<br>
><br>
><br>
> On Thu, Jul 7, 2016 at 1:29 PM Jason A. Donenfeld <<a href="mailto:Jason@zx2c4.com" target="_blank">Jason@zx2c4.com</a>> wrote:<br>
><br>
> > Hi Jan,<br>
> ><br>
> > That's very strange. Are you sure there aren't other wireguard peers<br>
> > running thare using the same private key?<br>
> ><br>
> > Does it always change to the *same* wrong port?<br>
> ><br>
> > Jason<br>
> ><br>
<br>
> _______________________________________________<br>
> WireGuard mailing list<br>
> <a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
> <a href="http://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">http://lists.zx2c4.com/mailman/listinfo/wireguard</a><br>
<br>
</blockquote></div></div>