Trouble understanding the role of persistent keep-alive

Bogdan Bivolaru bogdan.bivolaru at gmail.com
Sun Jan 21 12:49:07 CET 2018 

Hello,

Thank you for your dedication to improving security.

I am writing to you because I do not understand the behavior of Wireguard
in my home lab.

In SUMMARY: Without KEEPALIVE on, after an 1-2 hours my WG endpoints tend
to lose the ability to answer each other ping signals. Usually this is
restored by sending pings on both ends. Sometimes though (see my config)
the list of ALLOWED-IPs is lost altogether and I have to re-add the peer
manually. AFAIK this is not a firewall issue on either Ubuntu nor OpenWrt
side. What am I missing?


In DETAILS, with more context:
I have 2 devices:
 * laptop (172.21.15.118, Linux Mint 18.2 based on Ubuntu Xenial 16.04)
with WG version 0.0.20180118-wg1~xenial (from PPA);
 * router (172.21.15.224 => WAN port, OpenWrt 15.05 platform mvebu) with WG
version 0.0.20171017-1.

No special firewall rules for Wireguard are setup either on either router
or on laptop.

*Laptop* Wireguard config:
# wg
interface: wg0
  public key: XvuUjjO/iw5gNKFe5496u0sK75isEcguB1U8Srk5RCo=
  private key: (hidden)
  listening port: 51820

peer: I4PoxPUWykmlgCJqD7mjKKWIcF2zJif+mfQtdlG+xxg=
  endpoint: 172.21.15.224:51820
  allowed ips: 172.31.1.0/24, 172.21.0.0/16, 172.21.43.0/24
  latest handshake: 2 minutes, 17 seconds ago
  transfer: 51.72 KiB received, 85.04 KiB sent
  persistent keepalive: every 50 seconds

peer: UQzm7fFBBTnJY9BJRk7y1lJtzryFAR/1vDZGyL9Nv2I=
  endpoint: 172.21.15.224:45154
  allowed ips: (none)


*Router* Wireguard config:
interface: wg0
  public key: I4PoxPUWykmlgCJqD7mjKKWIcF2zJif+mfQtdlG+xxg=
  private key: (hidden)
  listening port: 51820

peer: XvuUjjO/iw5gNKFe5496u0sK75isEcguB1U8Srk5RCo=
  endpoint: 172.21.15.118:51820
  allowed ips: 172.31.1.0/24, 172.21.0.0/16, 172.21.43.0/24
  latest handshake: 2 minutes, 20 seconds ago
  transfer: 12.74 KiB received, 33.67 KiB sent
  persistent keepalive: every 50 seconds

peer: +Qs4tOrg2YqwCgmA10ZBGdvOgekkVry0ymYQcX09kns=
  endpoint: 172.21.15.118:51820
  allowed ips: (none)
  latest handshake: 31 minutes ago
  transfer: 36.13 KiB received, 86.55 KiB sent
  persistent keepalive: every 50 seconds


Now, with persistent-keepalive the connection appears to be holding and
latency seems constant at 0.5 ms. Without keepalive I have observed some
behavior I do not understand:

LAPTOP ~ # ping -I wg0 172.31.1.1
PING 172.31.1.1 (172.31.1.1) from 172.31.1.12 wg0: 56(84) bytes of data.
64 bytes from 172.31.1.1: icmp_seq=1 ttl=64 time=28348 ms
64 bytes from 172.31.1.1: icmp_seq=2 ttl=64 time=27347 ms

64 bytes from 172.31.1.1: icmp_seq=10 ttl=64 time=19203 ms
64 bytes from 172.31.1.1: icmp_seq=11 ttl=64 time=18179 ms

64 bytes from 172.31.1.1: icmp_seq=20 ttl=64 time=9023 ms
64 bytes from 172.31.1.1: icmp_seq=21 ttl=64 time=8003 ms

64 bytes from 172.31.1.1: icmp_seq=27 ttl=64 time=1913 ms
64 bytes from 172.31.1.1: icmp_seq=28 ttl=64 time=899 ms
64 bytes from 172.31.1.1: icmp_seq=29 ttl=64 time=0.439 ms

ROUTER ~ # ping -I wg0 172.31.1.12
PING 172.31.1.12 (172.31.1.12): 56 data bytes
64 bytes from 172.31.1.12: seq=0 ttl=64 time=8.298 ms
64 bytes from 172.31.1.12: seq=1 ttl=64 time=0.530 ms
64 bytes from 172.31.1.12: seq=2 ttl=64 time=0.483 ms

64 bytes from 172.31.1.12: seq=23 ttl=64 time=0.639 ms


So until I send ping signals from both ends, neither end of the wg link
does not "see" the other.
The laptop waited 28 seconds for a response which is roughly just after I
have given ping command from the router to the laptop. This is not just
some latency problem: unless I send ping from both during the timeout
period, pinging from either side results in 100% package loss.

Also after a few hours of inactivity on WG, both ends lose the configured
allowed-ips and can be reconnected after a manual resetup.

So I guess the question is: is the keepalive required to maintain the
connection and it would degrade if not set? OR is it only for avoiding
firewall filtering? Also, should this be a firewall issue how can I narrow
it down to which firewall is to blame?



And thank you in advance for your attention and support,
Bogdan BIV


"The best way to predict the future is to invent it.", 1971, Alan Kay:
http://www.smalltalk.org/alankay.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20180121/67813816/attachment.html>

More information about the WireGuard mailing list