Troubleshooting WireGuard connections

Riccardo Berto riccardo at rcrdbrt.com
Thu Apr 26 11:52:08 CEST 2018


On 2018-04-25 13:51, Jason A. Donenfeld wrote:
> Hi Riccardo,
> 
> We really should debug this in real time. Perhaps pop into #wireguard
> on Freenode?
> 
> Jason

I investigated the issue I was having with the 2 rpi3s and I finally got 
it working somehow (aka without knowing exactly what I did wrong).

I've just arrived in my hometown and accessed a rpi2 that runs the alarm 
system of my parents' house. I completely ignored the firewall and port 
associations; I just configured a new WireGuard interface with my main 
WireGuard hub as a peer and it worked flawlessly.

So I disabled the firewall on both the rpi3s, got someone to disable the 
port associations of my apartment's router and managed to get both the 
"randomly" working rpi3s to work in outgoing and incoming traffic! There 
was a HUGE warm-up delay, though:

rpi3 pi # ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=238 ttl=64 time=98.8 ms
64 bytes from 10.0.0.1: icmp_seq=239 ttl=64 time=97.2 ms
64 bytes from 10.0.0.1: icmp_seq=240 ttl=64 time=97.3 ms
64 bytes from 10.0.0.1: icmp_seq=241 ttl=64 time=97.1 ms
64 bytes from 10.0.0.1: icmp_seq=242 ttl=64 time=98.1 ms
64 bytes from 10.0.0.1: icmp_seq=243 ttl=64 time=97.0 ms
64 bytes from 10.0.0.1: icmp_seq=244 ttl=64 time=97.2 ms
64 bytes from 10.0.0.1: icmp_seq=245 ttl=64 time=97.5 ms
64 bytes from 10.0.0.1: icmp_seq=246 ttl=64 time=97.1 ms
64 bytes from 10.0.0.1: icmp_seq=247 ttl=64 time=97.1 ms
64 bytes from 10.0.0.1: icmp_seq=248 ttl=64 time=97.2 ms
^C
--- 10.0.0.1 ping statistics ---
248 packets transmitted, 11 received, 95% packet loss, time 256349ms
rtt min/avg/max/mdev = 97.068/97.463/98.844/0.524 ms

This got solved somehow by the `PersistentKeepalive` feature.

I think the whole issue I was having was related to the firewall/port 
associations and systemd's service start order, which was sometimes right 
and sometimes wasn't, hence the randomly working peers. I really 
don't know what I did wrong on the firewall side, though. Maybe it was 
the port association thing that got my network confused.

Ending moral: if you happen to have multiple peers on the same network, 
be very well aware of what you are doing with the ports/firewalls.

I'm still having quite a lot of bad UDP checksums though, from every 
peer. But the whole network works fine so I should just ignore them, 
right?

Kudos to Jason for this awesome Virtual Private Network, I'm speechless.
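
When reading a transcript like the ping output in the message above, it helps to separate probes lost before the first reply from probes lost afterwards. The following Python sketch is an added example, not part of the original post; the name `analyze_ping` is hypothetical, the sample is rebuilt from the post's transcript with reply times flattened, and it assumes Linux iputils `ping`, which numbers probes from icmp_seq=1.

```python
import re

def analyze_ping(transcript):
    """Split loss in a Linux ping transcript into warm-up and steady-state loss."""
    # Unique reply sequence numbers (a set also absorbs "DUP!" replies).
    seqs = sorted({int(s) for s in
                   re.findall(r"bytes from .*?icmp_seq=(\d+)", transcript)})
    summary = re.search(
        r"(\d+) packets transmitted, (\d+) received.*?time (\d+)ms", transcript)
    if summary is None:
        raise ValueError("no ping summary line found")
    sent, _received, total_ms = map(int, summary.groups())
    interval_ms = total_ms / max(sent - 1, 1)   # average send interval
    if not seqs:
        return {"warmup_lost": sent, "steady_lost": 0,
                "warmup_s": total_ms / 1000, "verdict": "no replies at all"}
    warmup_lost = seqs[0] - 1                   # probes sent before the first reply
    steady_lost = (sent - warmup_lost) - len(seqs)
    if warmup_lost and not steady_lost:
        verdict = "all loss precedes the first reply: warm-up delay, not a lossy link"
    elif steady_lost:
        verdict = "loss continues after the first reply: check the path itself"
    else:
        verdict = "no loss"
    return {"warmup_lost": warmup_lost, "steady_lost": steady_lost,
            "warmup_s": warmup_lost * interval_ms / 1000, "verdict": verdict}

# Sample rebuilt from the transcript in the post; per-reply times are flattened.
SAMPLE = "\n".join(
    ["PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data."]
    + [f"64 bytes from 10.0.0.1: icmp_seq={s} ttl=64 time=97.2 ms"
       for s in range(238, 249)]
    + ["--- 10.0.0.1 ping statistics ---",
       "248 packets transmitted, 11 received, 95% packet loss, time 256349ms"])

if __name__ == "__main__":
    print(analyze_ping(SAMPLE))
```

On this sample it reports 237 probes lost before the first reply (about 246 seconds) and none afterwards.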

