[WireGuard] Client changes endpoint port, why?

Jan De Landtsheer jan at incubaid.com
Fri Jul 8 18:01:29 CEST 2016


It happened again: the link was up a few moments ago, and then no ping…

[delandtj at rt01 ~]$ sudo wg
interface: wg0
  public key: Stillthesame=
  private key: Stillthesame=
  listening port: 23123

peer: Stillthesame=
  endpoint: xxx.xxx.xxx.126:17059    #### changed port
  allowed ips: 192.168.251.1/32
  latest handshake: 1 hour, 58 minutes, 4 seconds ago
  bandwidth: 161.04 MiB received, 5.38 MiB sent

Then, with

[delandtj at rt01 ~]$ sudo wg setconf wg0 wg/
conf        Dockerfile  priv        pub
[delandtj at rt01 ~]$ sudo wg setconf wg0 wg/conf
[delandtj at rt01 ~]$ sudo wg
interface: wg0
  public key: REDACTED=
  private key: REDACTED=
  listening port: 23123

peer: REDACTED=
  endpoint: xxx.xxx.xxx.126:51820
  allowed ips: 192.168.251.1/32
[delandtj at rt01 ~]$ ping -c1 192.168.251.1
PING 192.168.251.1 (192.168.251.1) 56(84) bytes of data.
64 bytes from 192.168.251.1: icmp_seq=1 ttl=64 time=27.3 ms

--- 192.168.251.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 27.333/27.333/27.333/0.000 ms

and ping was back.

It took 24-ish hours to happen, but, not having touched the tunnel or the
set-up, I can definitely confirm this happening…

[delandtj at rt01 ~]$ cat wg/conf
[Interface]
PrivateKey = REDACTED=
ListenPort = 23123

[Peer]
PublicKey = REDACTED=
EndPoint = xxx.xxx.xxx.126:51820
AllowedIPs =  192.168.251.1/32

### and server:
[root at Firewall001 ~]# cat /etc/zcomp/wireguard/wg.conf
[Interface]
ListenPort = 51820
PrivateKey = REDACTED=

[Peer]
PublicKey = REDACTED=
AllowedIPs =  192.168.251.2/32, 192.168.64.0/24

Jan

On Thu, Jul 7, 2016 at 6:38 PM Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> On Thu, Jul 7, 2016 at 5:00 PM, Bruno Wolff III <bruno at wolff.to> wrote:
> > On Thu, Jul 07, 2016 at 14:45:22 +0000,
> >  Jan De Landtsheer <jan at incubaid.com> wrote:
> >>
> >>
> >> nope, Start with basics, use pub ip to pub ip
> >> BTW, can a client run behind NAT ? (I assume not, as AFAICT both need to
> >> listen on a port)
> >
> >
> > The one behind nat can hold the tunnel open so the other end can always
> > reach it.
>
> This is the thrust of the issue -- holding the tunnel open when
> there's no traffic. This needs to be addressed. Started new thread to
> discuss this.
>
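As an added example (not code from this thread or from the WireGuard project), here is a small POSIX-shell check that catches the condition Jan reports: the live endpoint a peer is using has drifted from the Endpoint in the config, while the last handshake keeps getting older. It parses the tab-separated `wg show <iface> dump` format documented in wg(8) (interface line, then one line per peer: public-key, preshared-key, endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx, persistent-keepalive; that format is an assumption for older wg builds such as the one in the post, whose output still says "bandwidth"). The sample dump, the `PEERKEY=` name and the documentation address 198.51.100.126 are constructed to mirror the numbers in the post, not captured from a real host. The `wg set ... endpoint` command it prints is the per-peer equivalent of the `wg setconf` re-apply Jan used; it only restores the configured endpoint, which WireGuard will update again from the source address of the next authenticated packet, so this is a detection aid and a manual workaround, not a fix for the keep-the-tunnel-open problem the thread moves on to.

```shell
#!/bin/sh
# Added example, not from the original thread. Detects a WireGuard peer whose
# live endpoint differs from the configured one and prints the command that
# would pin it back. Assumes the tab-separated `wg show <iface> dump` format
# from wg(8); no wg binary is needed to run the check itself.

# endpoint_drift PUBKEY CONFIGURED_ENDPOINT DUMP [NOW]
#   Prints one line:
#     "drift <live-endpoint> <seconds-since-handshake>"  live endpoint differs
#     "ok <live-endpoint> <seconds-since-handshake>"     live endpoint matches
#     "missing"                                           peer not in the dump
#   NOW (epoch seconds) is optional and exists only to make the output
#   reproducible; it defaults to the current time.
endpoint_drift() {
  pubkey=$1 configured=$2 dump=$3 now=${4:-$(date +%s)}
  printf '%s\n' "$dump" | awk -F '\t' -v pk="$pubkey" -v want="$configured" -v now="$now" '
    NR == 1 { next }                 # interface line: privkey pubkey port fwmark
    $1 == pk {
      found = 1
      age = ($5 == 0) ? "never" : now - $5   # field 5: latest-handshake epoch, 0 = never
      if ($3 == want) print "ok " $3 " " age
      else            print "drift " $3 " " age
    }
    END { if (!found) print "missing" }'
}

# pin_endpoint_cmd IFACE PUBKEY CONFIGURED_ENDPOINT
#   Prints (does not run) the wg(8) command that restores the configured
#   endpoint for one peer, the per-peer form of `wg setconf`.
pin_endpoint_cmd() {
  printf 'wg set %s peer %s endpoint %s\n' "$1" "$2" "$3"
}

# Constructed sample in `wg show wg0 dump` layout, mirroring the post:
# listen port 23123, peer endpoint drifted to port 17059, last handshake
# 7084 s (1 h 58 min 4 s) before the reference time 1467990089.
SAMPLE_DUMP=$(printf 'PRIVKEYREDACTED=\tPUBKEYREDACTED=\t23123\toff\nPEERKEY=\t(none)\t198.51.100.126:17059\t192.168.251.1/32\t1467983005\t168863539\t5641338\toff\n')

# Stand-alone run: report the peer state and, on drift, show the repair command.
result=$(endpoint_drift "PEERKEY=" "198.51.100.126:51820" "$SAMPLE_DUMP" 1467990089)
echo "peer PEERKEY=: $result"
case $result in
  drift*) pin_endpoint_cmd wg0 "PEERKEY=" "198.51.100.126:51820" ;;
esac
```

On a live host, replace `SAMPLE_DUMP` with `$(wg show wg0 dump)`, drop the fixed reference time, and feed the configured Endpoint from the same file you pass to `wg setconf`; logging the "drift" line together with the handshake age gives a timeline of when the port changed relative to the last successful handshake, which is the evidence the thread was missing.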

