[WireGuard] Client changes endpoint port, why?

Baptiste Jonglez baptiste at bitsofnetworks.org
Thu Jul 7 15:13:24 CEST 2016

On Thu, Jul 07, 2016 at 12:53:24PM +0000, Jan De Landtsheer wrote:
>   - about changing ports:
> hmmm. can't really say...
> What I noticed: I could ping yesterday, without doing anything, I couldn't
> this morning. that's when I saw the difference.
> I had something like it yesterday, and thinking I did something wrong, I
> set it in stone in a config file. applied it, had my ping, kept the
> terminal session on the server open (had also an openvpn to the remote).
> This morning, from the remote , there was no ping. Verified why. And then I
> sent this mail ;-)

Could there be a NAT or stateful firewall on your network, messing up the
UDP source port of packets received from the server?

If you manage to reproduce, it would be helpful to have a packet capture
before your wireguard client changes endpoint, with something like:

  client# tcpdump -w wireguard.pcap -i eth0 -s 64 'udp and host xxx.xxx.xxx.126'

Change the interface if needed, and xxx.xxx.xxx.126 is the public IP of
your server.  The packet trace will only contain the packet headers and
a small bit of encrypted data, but you can send it privately (to me and/or

> Note: it's properly up since, so I don't know...
> I'll keep it as it is, will let you know if something switches again.
> Note2: No, no different peers, there is only one client, one server, so
> there wouldn't be any overlap.
> running arch linux, latest & geatest
>   - about something else:
> are these pure ip  tunnels, or could I envision to add the interfaces to an
> OpenVSwitch bridge and use them as tunnel ports?
> Thx
> Jan
> On Thu, Jul 7, 2016 at 1:29 PM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> > Hi Jan,
> >
> > That's very strange. Are you sure there aren't other wireguard peers
> > running thare using the same private key?
> >
> > Does it always change to the *same* wrong port?
> >
> > Jason
> >

> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/wireguard

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20160707/8e07887a/attachment.asc>

More information about the WireGuard mailing list