RX Errors from Android Peer

Jason A. Donenfeld Jason at zx2c4.com
Thu Apr 26 15:04:49 CEST 2018


Hello Eddie,

Precisely what's happening here is that your device has various TCP
connections that are open _before_ you turn on the VPN. Then you turn
on the VPN, and now those prior TCP sessions try to continue over the
VPN, using the old source IP address. It takes a few seconds for
everything to time out, and for those TCP connections to be
reestablished with the right new tunnel source IP. In the meantime,
the WireGuard server gets packets using the old source IP, which of
course isn't correlated with that peer's allowed IPs, and so it
complains and rejects those packets. If it allowed them, that'd be a
security problem.

So, nothing to worry about.

Jason
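
Added example, not part of the original message and not WireGuard's own code: a simplified Python model of the receive-side check described above, in which a decrypted packet is accepted only if its inner source address maps back to the allowed IPs of the peer that sent it. The peer names, addresses and helper functions are constructed for illustration.

```python
import ipaddress
import struct

# Constructed peer table (hypothetical names and addresses): allowed IPs per peer.
ALLOWED_IPS = {
    "android-phone": [ipaddress.ip_network("10.0.0.2/32")],
    "laptop": [ipaddress.ip_network("10.0.0.3/32"),
               ipaddress.ip_network("192.168.50.0/24")],
}

def inner_source(packet: bytes):
    """Return the source address of a decrypted inner IPv4/IPv6 packet, or None."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        return ipaddress.ip_address(packet[12:16])
    if version == 6 and len(packet) >= 40:
        return ipaddress.ip_address(packet[8:24])
    return None  # truncated or not an IP packet

def owner_of(addr):
    """Longest-prefix match of addr over every peer's allowed IPs."""
    best = None
    for peer, nets in ALLOWED_IPS.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1]:
                    best = (peer, net.prefixlen)
    return best[0] if best else None

def accept(decrypting_peer: str, packet: bytes) -> bool:
    """Accept only if the inner source routes back to the peer whose key decrypted it."""
    src = inner_source(packet)
    return src is not None and owner_of(src) == decrypting_peer

def ipv4(src: str, dst: str) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def rx_errors(decrypting_peer: str, packets) -> int:
    """Count the packets from one peer that fail the source check."""
    return sum(not accept(decrypting_peer, p) for p in packets)
```

A packet sourced from a pre-VPN address such as a LAN address fails `accept()` in this model, which corresponds to the rejected packets seen on the server until the old TCP sessions time out.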

