[WireGuard] Client changes endpoint port, why?

Jan De Landtsheer jan at incubaid.com
Thu Jul 7 16:45:22 CEST 2016


On Thu, Jul 7, 2016 at 3:13 PM Baptiste Jonglez <baptiste at bitsofnetworks.org>
wrote:

> On Thu, Jul 07, 2016 at 12:53:24PM +0000, Jan De Landtsheer wrote:
> >   - about changing ports:
> > hmmm. can't really say...
> > What I noticed: I could ping yesterday, without doing anything, I couldn't
> > this morning. That's when I saw the difference.
> > I had something like it yesterday, and thinking I did something wrong, I
> > set it in stone in a config file. applied it, had my ping, kept the
> > terminal session on the server open (had also an openvpn to the remote).
> > This morning, from the remote, there was no ping. Verified why. And then I
> > sent this mail ;-)
>
> Could there be a NAT or stateful firewall on your network, messing up the
> UDP source port of packets received from the server?
>

Nope. Start with basics, use pub IP to pub IP.
BTW, can a client run behind NAT? (I assume not, as AFAICT both need to
listen on a port.)

But like I said, I'll see if it happens again... I went through my history
log, still thinking it might be me, but it doesn't seem so.



> If you manage to reproduce, it would be helpful to have a packet capture
> before your wireguard client changes endpoint, with something like:
>
>   client# tcpdump -w wireguard.pcap -i eth0 -s 64 'udp and host xxx.xxx.xxx.126'
>
> Change the interface if needed, and xxx.xxx.xxx.126 is the public IP of
> your server.  The packet trace will only contain the packet headers and
> a small bit of encrypted data, but you can send it privately (to me and/or
> Jason).
>
> > Note: it's properly up since, so I don't know...
> > I'll keep it as it is, will let you know if something switches again.
> > Note2: No, no different peers, there is only one client, one server, so
> > there wouldn't be any overlap.
> >
> > running Arch Linux, latest & greatest
> >
> >   - about something else:
> > are these pure IP tunnels, or could I envision to add the interfaces to an
> > OpenVSwitch bridge and use them as tunnel ports?
> >
> > Thx
> > Jan
> >
> >
> > On Thu, Jul 7, 2016 at 1:29 PM Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
> >
> > > Hi Jan,
> > >
> > > That's very strange. Are you sure there aren't other wireguard peers
> > > running there using the same private key?
> > >
> > > Does it always change to the *same* wrong port?
> > >
> > > Jason
> > >
>
> > _______________________________________________
> > WireGuard mailing list
> > WireGuard at lists.zx2c4.com
> > http://lists.zx2c4.com/mailman/listinfo/wireguard
>
>
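The capture Baptiste asks for is diagnostic because a WireGuard peer updates the endpoint it has on record to the source address and port of the last authenticated packet it receives from that peer. If the source port really changes on the wire, the client learned the new port legitimately and something between the two hosts (a NAT or stateful firewall) rewrote it; if it never changes on the wire, the cause is elsewhere. The script below is an added example, not code from the thread or from the WireGuard project: it reads `tcpdump -n` text output, tracks the source port used by a given peer address, reports every change together with the WireGuard message type inferred from the UDP payload length (148-byte handshake initiation, 92-byte response, 64-byte cookie reply, 32-byte keepalive, larger multiples of 16 for data), and so works on the header-only trace Baptiste describes. The sample lines and the 203.0.113.126 / 198.51.100.7 addresses are constructed for the example; the real server address in the thread is redacted.

```python
"""Report UDP source-port changes of a WireGuard peer in `tcpdump -n` output.

Run against a live capture:  tcpdump -n -i eth0 udp | python3 wg_portwatch.py 203.0.113.126
or a saved one:               tcpdump -n -r wireguard.pcap | python3 wg_portwatch.py 203.0.113.126
"""
import re
import sys
from typing import List, NamedTuple, Optional

# Constructed sample of `tcpdump -n` output (not the thread's capture). The
# server is 203.0.113.126 (placeholder), the client 198.51.100.7. At 09:03 the
# server's packets start arriving from port 40011 instead of 51820.
SAMPLE_TCPDUMP = """\
09:01:00.000100 IP 198.51.100.7.51820 > 203.0.113.126.51820: UDP, length 148
09:01:00.010200 IP 203.0.113.126.51820 > 198.51.100.7.51820: UDP, length 92
09:01:00.020300 IP 198.51.100.7.51820 > 203.0.113.126.51820: UDP, length 32
09:01:25.000400 IP 203.0.113.126.51820 > 198.51.100.7.51820: UDP, length 128
09:03:00.000500 IP 203.0.113.126.40011 > 198.51.100.7.51820: UDP, length 148
09:03:00.010600 IP 198.51.100.7.51820 > 203.0.113.126.40011: UDP, length 92
"""

# One IPv4/UDP line as printed by `tcpdump -n`: "<ts> IP a.b.c.d.sport > e.f.g.h.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


class PortChange(NamedTuple):
    ts: str
    old_port: int
    new_port: int
    kind: str  # WireGuard message type inferred from the UDP length


def classify(length: int) -> str:
    """Map a UDP payload length to the WireGuard message type it can only be."""
    if length == 148:
        return "handshake-initiation"
    if length == 92:
        return "handshake-response"
    if length == 64:
        return "cookie-reply"
    if length == 32:
        return "keepalive"          # transport header (16) + Poly1305 tag (16), empty payload
    if length > 32 and length % 16 == 0:
        return "data"               # 32 + payload padded to a multiple of 16
    return "unknown"


def parse(text: str) -> List[Packet]:
    """Parse tcpdump text output; lines that are not IPv4/UDP packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), int(m["len"])))
    return packets


def source_port_changes(packets: List[Packet], peer_ip: str) -> List[PortChange]:
    """Every point at which packets *from* peer_ip start arriving from a new source port."""
    changes = []
    last: Optional[int] = None
    for p in packets:
        if p.src != peer_ip:
            continue
        if last is not None and p.sport != last:
            changes.append(PortChange(p.ts, last, p.sport, classify(p.length)))
        last = p.sport
    return changes


if __name__ == "__main__":
    peer = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.126"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    for c in source_port_changes(parse(text), peer):
        print(f"{c.ts}: {peer} source port {c.old_port} -> {c.new_port} ({c.kind})")
```

Feed it the live `tcpdump -n` stream on the client while the tunnel is up; a reported change whose first packet is a handshake initiation or response tells you the rekey traffic itself came in on the new port, while a change that starts with data or keepalive packets points at a middlebox rebinding an existing UDP flow.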