RX Errors from Android Peer

Eddie stunnel at attglobal.net
Thu Apr 26 18:09:00 CEST 2018


Gottcha.  Thank you for the explanation.


On 4/26/2018 6:04 AM, Jason A. Donenfeld wrote:
> Hello Eddie,
> Precisely what's happening here is that your device has various TCP
> connections that are open _before_ you turn on the VPN. Then you turn
> on the VPN, and now those prior TCP sessions try to continue over the
> VPN, using the old source IP address. It takes a few seconds for
> everything to time out, and for those TCP connections to be
> reestablished with the right new tunnel source IP. In the meantime,
> the WireGuard server gets packets using the old source IP, which of
> course isn't correlated with that peer's allowed IPs, and so it
> complains and rejects those packets. If it allowed them, that'd be a
> security problem.
> So, nothing to worry about.
> Jason

More information about the WireGuard mailing list