From Jason at zx2c4.com  Tue Jan  4 15:58:04 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 4 Jan 2022 16:58:04 +0100
Subject: PSA: systemd-networkd v250 adds routes from allowedips by default
Message-ID: <CAHmME9pxSFhfFB9VNyvyKLk9jDTyOwp_p7VG3+9uHx0fN1+hGg@mail.gmail.com>

Hi everyone,

Hope you all had a nice new year's.

Version 250 of systemd-networkd added support for a `RouteTable`
option in the `[WireGuard]` section of a `.netdev` config file. By
default, it is "main". When this happens, the allowed IPs from
configured peers are added to the system's main routing table using
the metric specified by the also added `RouteMetric` option.

This is pretty similar to wg-quick(8)'s behavior with its `Table`
option in the `[Interface]` section, except that it doesn't do
anything fancy for default routes or for routes that overlap with
configured endpoints.

This means that if you're currently using systemd-networkd v250 with
0.0.0.0/0 or ::/0 or similar in your allowed IPs, those allowed IPs
will be automatically added to the main routing table, which might
prove problematic for folks who are already manually doing fancy
fwmark things with systemd-networkd. If this applies to you, you may
want to set `RouteTable=off` explicitly.

At the moment, I suspect this mostly affects Arch Linux users who
followed fwmark instructions on their wiki.

Regards,
Jason

From toke at toke.dk  Tue Jan  4 21:34:35 2022
From: toke at toke.dk (Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?=)
Date: Tue, 04 Jan 2022 22:34:35 +0100
Subject: [RFC PATCH 0/4] Introduce per-peer MTU setting
In-Reply-To: <20211228234524.633509-1-leon@is.currently.online>
References: <20211228234524.633509-1-leon@is.currently.online>
Message-ID: <87tuejb2xg.fsf@toke.dk>

leon at is.currently.online writes:

> From: Leon Schuermann <leon at is.currently.online>
>
> This patch series is an attempt to integrate a per-peer MTU setting
> into WireGuard. With matching changes to the wireguard-tools,
> individual MTU values can be set and retrieved for each registered
> peer.
>
> While Linux supports setting an MTU metric for specific FIB route
> entries [which I've only found out after implementing this :)], and
> thus allows to lower the MTU for individual peers, this appears to
> disable regular path MTU discovery (PMTUD) entirely on the
> route. While regular PMTUD does not work over the tunnel link, it
> should still be usable on the rest of the route.

I'm not sure I understand the use case? Either PMTUD works through the
tunnel and you can just let that do its job, or it doesn't and you have
to do out-of-band discovery anyway in which case you can just use the
FIB route MTU? Or what do you mean by "usable on the rest of the route"?

> Furthermore, with the goal of eventually introducing an in-band
> per-peer PMTUD mechanism, keeping an internal per-peer MTU value does
> not require modifying the FIB and thus potentially interfere with
> userspace.

What "in-band per-peer PMTUD mechanism"? And why does it need this?

-Toke

From toke at toke.dk  Wed Jan  5 00:14:47 2022
From: toke at toke.dk (Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?=)
Date: Wed, 05 Jan 2022 01:14:47 +0100
Subject: [RFC] wiregard RX packet processing.
In-Reply-To: <CAHmME9rzEjKg41eq5jBtsLXF+vZSEnvdomZJ-rTzx8Q=ac1ayg@mail.gmail.com>
References: <20211208173205.zajfvg6zvi4g5kln@linutronix.de>
 <CAHmME9rzEjKg41eq5jBtsLXF+vZSEnvdomZJ-rTzx8Q=ac1ayg@mail.gmail.com>
Message-ID: <87mtkbavig.fsf@toke.dk>

"Jason A. Donenfeld" <Jason at zx2c4.com> writes:

> Hi Sebastian,
>
> Seems like you've identified two things, the use of need_resched, and
> potentially surrounding napi_schedule in local_bh_{disable,enable}.
>
> Regarding need_resched, I pulled that out of other code that seemed to
> have the "same requirements", as vaguely conceived. It indeed might
> not be right. The intent is to have that worker running at maximum
> throughput for extended periods of time, but not preventing other
> threads from running elsewhere, so that, e.g., a user's machine
> doesn't have a jenky mouse when downloading a file.
>
> What are the effects of unconditionally calling cond_resched() without
> checking for if (need_resched())? Sounds like you're saying none at
> all?

I believe so: AFAIU, you use need_resched() if you need to do some kind
of teardown before the schedule point, like this example I was recently
looking at:

https://elixir.bootlin.com/linux/latest/source/net/bpf/test_run.c#L73

If you just need to maybe reschedule, you can just call cond_resched()
and it'll do what it says on the tin: do a schedule if needed, and
return immediately otherwise.

> Regarding napi_schedule, I actually wasn't aware that it's requirement
> to _only_ ever run from softirq was a strict one. When I switched to
> using napi_schedule in this way, throughput really jumped up
> significantly. Part of this indeed is from the batching, so that the
> napi callback can then handle more packets in one go later. But I
> assumed it was something inside of NAPI that was batching and
> scheduling it, rather than a mistake on my part to call this from a wq
> and not from a softirq.
>
> What, then, are the effects of surrounding that in
> local_bh_{disable,enable} as you've done in the patch? You mentioned
> one aspect is that it will "invoke wg_packet_rx_poll() where you see
> only one skb." It sounds like that'd be bad for performance, though,
> given that the design of napi is really geared toward batching.

Heh, I wrote a whole long explanation he about variable batch sizes
because you don't control when the NAPI is scheduled, etc... And then I
noticed the while loop is calling ptr_ring_consume_bh(), which means
that there's already a local_bh_disable/enable pair on every loop
invocation. So you already have this :)

Which of course raises the question of whether there's anything to gain
from *adding* batching to the worker? Something like:

#define BATCH_SIZE 8
void wg_packet_decrypt_worker(struct work_struct *work)
{
	struct crypt_queue *queue = container_of(work, struct multicore_worker,
						 work)->ptr;
	void *skbs[BATCH_SIZE];
	bool again;
	int i;

restart:
	local_bh_disable();
	ptr_ring_consume_batched(&queue->ring, skbs, BATCH_SIZE);

	for (i = 0; i < BATCH_SIZE; i++) {
		struct sk_buff *skb = skbs[i];
		enum packet_state state;

		if (!skb)
			break;

		state = likely(decrypt_packet(skb, PACKET_CB(skb)->keypair)) ?
				PACKET_STATE_CRYPTED : PACKET_STATE_DEAD;
		wg_queue_enqueue_per_peer_rx(skb, state);
	}
        
	again = !ptr_ring_empty(&queue->ring);
	local_bh_enable();

	if (again) {
		cond_resched();
		goto restart;
	}
}


Another thing that might be worth looking into is whether it makes sense
to enable threaded NAPI for Wireguard. See:
https://lore.kernel.org/r/20210208193410.3859094-1-weiwan at google.com

-Toke

From leon at is.currently.online  Fri Jan  7 22:13:21 2022
From: leon at is.currently.online (Leon Schuermann)
Date: Fri, 07 Jan 2022 23:13:21 +0100
Subject: [RFC PATCH 0/4] Introduce per-peer MTU setting
In-Reply-To: <87tuejb2xg.fsf@toke.dk>
References: <20211228234524.633509-1-leon@is.currently.online>
 <87tuejb2xg.fsf@toke.dk>
Message-ID: <87tuefry7y.fsf@silicon>


Toke H?iland-J?rgensen <toke at toke.dk> writes:
> I'm not sure I understand the use case? Either PMTUD works through the
> tunnel and you can just let that do its job, or it doesn't and you
> have to do out-of-band discovery anyway in which case you can just use
> the FIB route MTU?

For traffic _through_ the WireGuard tunnel, that is correct. As
WireGuard in general does not do any funny business with the traffic it
forwards, path MTU discovery through the tunnel works just fine. I'll
call that end-to-end PMTUD. If this does not work for any reason, one
has to fall back onto specifying the MTU in FIB, or some other
mechanism.

I am however concerned about the link(s) _underneath_ the WireGuard
tunnel (where the encrypted + authenticated packets are forwarded), so
the endpoint-to-endpoint link. Regular path MTU discovery does not work
here. As far as I understand, the reasoning behind this is that even if
the WireGuard endpoint does receive ICMP Fragmentation Needed / Packet
Too Big messages from a host on the path the tunnel traverses, these
messages are not and cannot be authenticated. This means that this
information cannot be forwarded to the sender of the original packet,
outside of the tunnel.

This is a real-word issue I am experiencing in WireGuard setups. For
instance, I administer the WireGuard instance of a small student ISP.
Clients connect from a variety of networks to this endpoint, such as DSL
links (PPPoE) which commonly have 1492 bytes MTU, or connections using
Dual-Stack Lite, having 1460 bytes MTU due to the encapsulation
overhead. Essentially no residential providers fragment packets, and
some do not even send ICMP responses. Sometimes people use a tunnel
inside another tunnel, further decreasing MTU.

While reducing the server and client MTUs to the maximum MTU supported
by all supported link types technically works, it increases IP, tunnel
and transport header overhead. It is thus desirable to be able to
specify an individual MTU per WireGuard peer, to use the available MTU
on the respective routes. This is also on the WireGuard project's todo
[1] and has been discussed before [2].

> what do you mean by "usable on the rest of the route"?

Actually, I think I might be wrong here. Initial tests have suggested me
that if the route MTU is specified in the FIB, Linux would not take any
ICMP Fragmentation Needed / Packet Too Big responses into account. I've
tested this again, and it seems to indeed perform proper path MTU
discovery even if the route MTU is specified. This is important as a
route to the destination host might first go through a WireGuard tunnel
to a peer, and then forwarded over paths which might have an even lower
MTU.

Thus the FIB entry MTU is a viable solution for setting individual
peer's route limits, but it might be rather inelegant to modify the
route's MTU values in the FIB from within kernel space, which might be
needed for an in-band PMTUD mechanism.

>> Furthermore, with the goal of eventually introducing an in-band
>> per-peer PMTUD mechanism, keeping an internal per-peer MTU value does
>> not require modifying the FIB and thus potentially interfere with
>> userspace.
>
> What "in-band per-peer PMTUD mechanism"? And why does it need this?

As outlined above, WireGuard cannot utilize the regular ICMP-based PMTUD
mechanism over the endpoint-to-endpoint path. It is however not great to
default to a low MTU to accomodate for low-MTU links on this path, and
very inconvenient to manually adjust the tunnel MTUs.

A solution to this issue could be a PMTUD mechanism through the tunnel
link itself. It would circumvent the security considerations with
ICMP-based PMTUD by relying exclusively on an encrypted + authenticated
message exchange. For instance, a naive approach could be to send ICMP
echo messages with increasing/decreasing payload size to the peer and
discover the usable tunnel MTU based on the (lost) responses. While this
can be implemented outside of the WireGuard kernel module, it makes
certain assumptions about the tunnel and endpoint configuration, such as
the endpoints having an IP assigned, this IP being in the AllowedIPs
(not a given), responding to ICMP echo packets, etc. If such a mechanism
were to be (optionally) integrated into WireGuard directly, it could
have the potential to reduce these kinds of headaches significantly.

#+BEGIN_EXAMPLE
Here is an illustration of these issues using a hacky Mininet test
setup[3], which has the following topology (all traffic from h5 being
routed over the tunnel between h1 and h4), with fragmentation disabled:

      /--- wireguard ---\
     /                   \
    /  eth    eth    eth  \
    h1 <-> h2 <-> h3 <-> h4 <-> h5

The route from h1 to h4 has an MTU of 1500 bytes:

    mininet> h1 ping -c1 -Mdo -s1472 h4
    1480 bytes from 10.0.2.2: icmp_seq=1 ttl=62 time=0.508 ms

The route from h1 to h5 (through the WireGuard tunnel, via h4) has an
MTU of 1420 bytes:

    mininet> h1 ping -c1 -Mdo -s1392 h5
    1400 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=7.44 ms

When decreasing the MTU of the h2 to h3 link, we can observe that PMTUD
works on the route of h1 to h4:

    mininet> h2 ip link set h2-eth1 mtu 1492
    mininet> h3 ip link set h3-eth0 mtu 1492
    mininet> h1 ping -c1 -Mdo -s1472 h4
    From 10.0.0.2 icmp_seq=1 Frag needed and DF set (mtu = 1492)

However, when trying to ping h5 from h1 through the WireGuard tunnel,
the packet is silently dropped:

    mininet> h1 ping -c1 -Mdo -s1392 -W1 h5
    PING 192.168.1.2 (192.168.1.2) 1392(1420) bytes of data.

    --- 192.168.1.2 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

We can change the appropriate FIB entry of the route _through_ the
tunnel to make Linux aware of the lower MTU:

    mininet> h1 ip route change 192.168.1.0/24 dev wg0 mtu 1412
    mininet> h1 ping -c1 -Mdo -s1392 -W1 h5
    ping: local error: message too long, mtu=1412
    mininet> h1 ping -c1 -Mdo -s1384 -W1 h5
    1392 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=10.8 ms

When lowering the MTU of the h4 to h5 link even further (not part of the
endpoint-to-endpoint link, but the route), PMTUD does work, which is
good:

    mininet> h4 ip link set h4-eth1 mtu 1400
    mininet> h5 ip link set h5-eth0 mtu 1400
    mininet> h1 ping -c1 -Mdo -s1384 -W1 h5
    PING 192.168.1.2 (192.168.1.2) 1384(1412) bytes of data.
    From 192.168.0.2 icmp_seq=1 Frag needed and DF set (mtu = 1400)
#+END_EXAMPLE

Let me know if that made things any clearer. :)

- Leon

[1]: https://www.wireguard.com/todo/#per-peer-pmtu
[2]: https://lists.zx2c4.com/pipermail/wireguard/2018-April/002651.html
[3]: https://gist.github.com/lschuermann/7e5de6e00358d1312c86e2144d7352b4

From houmie at gmail.com  Sun Jan  9 10:02:56 2022
From: houmie at gmail.com (Houman)
Date: Sun, 9 Jan 2022 10:02:56 +0000
Subject: Does Bitcode have to remain disabled?
Message-ID: <CABBZOs=ihCjiLEE9vLyHZpFRn=ERi6rXO2i660R9oWyuBVf4CA@mail.gmail.com>

Hello,

Based on the instructions on Wireguard Github page
https://github.com/WireGuard/wireguard-apple#wireguardkit-integration,
BitCode has to remain disabled in build settings.

The problem is that by disabling BitCode, crashing information won't
be as accurate and we won't be able to download the Dsym from the
AppStore, which is needed for Crashlytics.

Is there a reason why we couldn't enable it?

Many Thanks,
Houman

From henning.reich at gmail.com  Mon Jan 10 20:37:35 2022
From: henning.reich at gmail.com (henning.reich at gmail.com)
Date: Mon, 10 Jan 2022 21:37:35 +0100
Subject: Question about MTU and Wireguard and the current changes
Message-ID: <1e345f21-4564-7df8-1aae-32ba14d42779@qupfer.de>

Hi,
I run in some connection troubles between two wireguards host (one 
running fedora 35, one arch linux). If I tried to transfer large files 
through SSH (SCP or btrfs send/receive thorugh ssh through wireguard 
tunnel) it stucks after a few byte and nothing transfered anymore.

This happens in the last days, so probably an update on one or both 
machines. I also saw, that there some changes on the MTU thing (If I 
remember correctly, a per peer MTU is configurable)

However. My first try was just set the MTU to a lower number (MTU = 
1200) and yes, scp works again.
Okay, so I did the good old ping test. "ping -M do -s $SIZE -c 1 
172.16.0.2" with $SIZE increasing. And that surprised me. It works until 
an Size of 36932 Bytes. Checked with wireguard and "MTU = 36932" and 
yes, scp still working.

Can somebody explain, why the old default setting of "65456" doesn't 
work anymore but the MTU can set to much higher values as typical ones?

Thanks
Henning


From tlhackque at yahoo.com  Mon Jan 10 20:56:07 2022
From: tlhackque at yahoo.com (tlhackque)
Date: Mon, 10 Jan 2022 15:56:07 -0500
Subject: Question about MTU and Wireguard and the current changes
In-Reply-To: <1e345f21-4564-7df8-1aae-32ba14d42779@qupfer.de>
References: <1e345f21-4564-7df8-1aae-32ba14d42779@qupfer.de>
Message-ID: <f1444860-f37f-c268-1972-79dc31df2a9a@yahoo.com>

On 10-Jan-22 15:37, henning.reich at gmail.com wrote:
> Hi,
> I run in some connection troubles between two wireguards host (one 
> running fedora 35, one arch linux). If I tried to transfer large files 
> through SSH (SCP or btrfs send/receive thorugh ssh through wireguard 
> tunnel) it stucks after a few byte and nothing transfered anymore.
>
> This happens in the last days, so probably an update on one or both 
> machines. I also saw, that there some changes on the MTU thing (If I 
> remember correctly, a per peer MTU is configurable)
>
> However. My first try was just set the MTU to a lower number (MTU = 
> 1200) and yes, scp works again.
> Okay, so I did the good old ping test. "ping -M do -s $SIZE -c 1 
> 172.16.0.2" with $SIZE increasing. And that surprised me. It works 
> until an Size of 36932 Bytes. Checked with wireguard and "MTU = 36932" 
> and yes, scp still working.
>
> Can somebody explain, why the old default setting of "65456" doesn't 
> work anymore but the MTU can set to much higher values as typical ones?
>
> Thanks
> Henning
>
Guess: Fragmentation happens somewhere and fragments are blocked at your 
router/firewall/host.? Blocking fragments is a common, if misguided, 
"security enhancement".

A packet trace would provide the necessary clues in any case.

Wireshark is a convenient way to get one.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20220110/5a80ea98/attachment.sig>

From Jason at zx2c4.com  Tue Jan 11 13:49:32 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 14:49:32 +0100
Subject: [PATCH crypto 0/2] smaller blake2s code size on m68k and other small
 platforms
In-Reply-To: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
Message-ID: <20220111134934.324663-1-Jason@zx2c4.com>

Hi,

Geert emailed me this afternoon concerned about blake2s codesize on m68k
and other small systems. We identified two extremely effective ways of
chopping down the size. One of them moves some wireguard-specific things
into wireguard proper. The other one adds a slower codepath for
CONFIG_CC_OPTIMIZE_FOR_SIZE configurations. I really don't like that
slower codepath, but since it is configuration gated, at least it stays
out of the way except for people who know they need a tiny kernel image

Thanks,
Jason

Jason A. Donenfeld (2):
  lib/crypto: blake2s-generic: reduce code size on small systems
  lib/crypto: blake2s: move hmac construction into wireguard

 drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
 include/crypto/blake2s.h      |  3 ---
 lib/crypto/blake2s-generic.c  | 30 +++++++++++++----------
 lib/crypto/blake2s-selftest.c | 31 ------------------------
 lib/crypto/blake2s.c          | 37 ----------------------------
 5 files changed, 57 insertions(+), 89 deletions(-)

-- 
2.34.1


From Jason at zx2c4.com  Tue Jan 11 13:49:33 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 14:49:33 +0100
Subject: [PATCH crypto 1/2] lib/crypto: blake2s-generic: reduce code size on
 small systems
In-Reply-To: <20220111134934.324663-1-Jason@zx2c4.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
Message-ID: <20220111134934.324663-2-Jason@zx2c4.com>

Re-wind the loops entirely on kernels optimized for code size. This is
really not good at all performance-wise. But on m68k, it shaves off 4k
of code size, which is apparently important.

Cc: Geert Uytterhoeven <geert at linux-m68k.org>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Cc: Ard Biesheuvel <ardb at kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
---
 lib/crypto/blake2s-generic.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/lib/crypto/blake2s-generic.c b/lib/crypto/blake2s-generic.c
index 75ccb3e633e6..990f000e22ee 100644
--- a/lib/crypto/blake2s-generic.c
+++ b/lib/crypto/blake2s-generic.c
@@ -46,7 +46,7 @@ void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
 {
 	u32 m[16];
 	u32 v[16];
-	int i;
+	int i, j;
 
 	WARN_ON(IS_ENABLED(DEBUG) &&
 		(nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE));
@@ -86,17 +86,23 @@ void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
 	G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
 	G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
 } while (0)
-		ROUND(0);
-		ROUND(1);
-		ROUND(2);
-		ROUND(3);
-		ROUND(4);
-		ROUND(5);
-		ROUND(6);
-		ROUND(7);
-		ROUND(8);
-		ROUND(9);
-
+		if (IS_ENABLED(CONFIG_CC_OPTIMIZE_FOR_SIZE)) {
+			for (i = 0; i < 10; ++i) {
+				for (j = 0; j < 8; ++j)
+					G(i, j, v[j % 4], v[((j + (j / 4)) % 4) + 4], v[((j + 2 * (j / 4)) % 4) + 8], v[((j + 3 * (j / 4)) % 4) + 12]);
+			}
+		} else {
+			ROUND(0);
+			ROUND(1);
+			ROUND(2);
+			ROUND(3);
+			ROUND(4);
+			ROUND(5);
+			ROUND(6);
+			ROUND(7);
+			ROUND(8);
+			ROUND(9);
+		}
 #undef G
 #undef ROUND
 
-- 
2.34.1


From Jason at zx2c4.com  Tue Jan 11 13:49:34 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 14:49:34 +0100
Subject: [PATCH crypto 2/2] lib/crypto: blake2s: move hmac construction into
 wireguard
In-Reply-To: <20220111134934.324663-1-Jason@zx2c4.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
Message-ID: <20220111134934.324663-3-Jason@zx2c4.com>

Basically nobody should use blake2s in an HMAC construction; it already
has a keyed variant. But for unfortunately historical reasons, Noise,
used by WireGuard, uses HKDF quite strictly, which means we have to use
this. Because this really shouldn't be used by others, this commit moves
it into wireguard's noise.c locally, so that kernels that aren't using
WireGuard don't get this superfluous code baked in. On m68k systems,
this shaves off ~314 bytes.

Cc: Geert Uytterhoeven <geert at linux-m68k.org>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Cc: Ard Biesheuvel <ardb at kernel.org>
Cc: netdev at vger.kernel.org
Cc: wireguard at lists.zx2c4.com
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
---
 drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
 include/crypto/blake2s.h      |  3 ---
 lib/crypto/blake2s-selftest.c | 31 ------------------------
 lib/crypto/blake2s.c          | 37 ----------------------------
 4 files changed, 39 insertions(+), 77 deletions(-)

diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c
index c0cfd9b36c0b..720952b92e78 100644
--- a/drivers/net/wireguard/noise.c
+++ b/drivers/net/wireguard/noise.c
@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_private_key(
 		static_identity->static_public, private_key);
 }
 
+static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
+{
+	struct blake2s_state state;
+	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
+	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
+	int i;
+
+	if (keylen > BLAKE2S_BLOCK_SIZE) {
+		blake2s_init(&state, BLAKE2S_HASH_SIZE);
+		blake2s_update(&state, key, keylen);
+		blake2s_final(&state, x_key);
+	} else
+		memcpy(x_key, key, keylen);
+
+	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+		x_key[i] ^= 0x36;
+
+	blake2s_init(&state, BLAKE2S_HASH_SIZE);
+	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+	blake2s_update(&state, in, inlen);
+	blake2s_final(&state, i_hash);
+
+	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+		x_key[i] ^= 0x5c ^ 0x36;
+
+	blake2s_init(&state, BLAKE2S_HASH_SIZE);
+	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
+	blake2s_final(&state, i_hash);
+
+	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
+	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
+	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
+}
+
 /* This is Hugo Krawczyk's HKDF:
  *  - https://eprint.iacr.org/2010/264.pdf
  *  - https://tools.ietf.org/html/rfc5869
@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 		 ((third_len || third_dst) && (!second_len || !second_dst))));
 
 	/* Extract entropy from data into secret */
-	blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
+	hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
 
 	if (!first_dst || !first_len)
 		goto out;
 
 	/* Expand first key: key = secret, data = 0x1 */
 	output[0] = 1;
-	blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
 	memcpy(first_dst, output, first_len);
 
 	if (!second_dst || !second_len)
@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 
 	/* Expand second key: key = secret, data = first-key || 0x2 */
 	output[BLAKE2S_HASH_SIZE] = 2;
-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
-			BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
 	memcpy(second_dst, output, second_len);
 
 	if (!third_dst || !third_len)
@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 
 	/* Expand third key: key = secret, data = second-key || 0x3 */
 	output[BLAKE2S_HASH_SIZE] = 3;
-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
-			BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
 	memcpy(third_dst, output, third_len);
 
 out:
diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h
index bc3fb59442ce..4e30e1799e61 100644
--- a/include/crypto/blake2s.h
+++ b/include/crypto/blake2s.h
@@ -101,7 +101,4 @@ static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
 	blake2s_final(&state, out);
 }
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-		     const size_t keylen);
-
 #endif /* _CRYPTO_BLAKE2S_H */
diff --git a/lib/crypto/blake2s-selftest.c b/lib/crypto/blake2s-selftest.c
index 5d9ea53be973..409e4b728770 100644
--- a/lib/crypto/blake2s-selftest.c
+++ b/lib/crypto/blake2s-selftest.c
@@ -15,7 +15,6 @@
  * #include <stdio.h>
  *
  * #include <openssl/evp.h>
- * #include <openssl/hmac.h>
  *
  * #define BLAKE2S_TESTVEC_COUNT	256
  *
@@ -58,16 +57,6 @@
  *	}
  *	printf("};\n\n");
  *
- *	printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
- *
- *	HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
- *	print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *	HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
- *	print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *	printf("};\n");
- *
  *	return 0;
  *}
  */
@@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
     0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
 };
 
-static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
-  { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
-    0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
-    0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
-  { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
-    0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
-    0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
-};
-
 bool __init blake2s_selftest(void)
 {
 	u8 key[BLAKE2S_KEY_SIZE];
@@ -607,16 +587,5 @@ bool __init blake2s_selftest(void)
 		}
 	}
 
-	if (success) {
-		blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
-		success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
-
-		blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
-		success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
-
-		if (!success)
-			pr_err("blake2s256_hmac self-test: FAIL\n");
-	}
-
 	return success;
 }
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..9364f79937b8 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -30,43 +30,6 @@ void blake2s_final(struct blake2s_state *state, u8 *out)
 }
 EXPORT_SYMBOL(blake2s_final);
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-		     const size_t keylen)
-{
-	struct blake2s_state state;
-	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
-	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
-	int i;
-
-	if (keylen > BLAKE2S_BLOCK_SIZE) {
-		blake2s_init(&state, BLAKE2S_HASH_SIZE);
-		blake2s_update(&state, key, keylen);
-		blake2s_final(&state, x_key);
-	} else
-		memcpy(x_key, key, keylen);
-
-	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-		x_key[i] ^= 0x36;
-
-	blake2s_init(&state, BLAKE2S_HASH_SIZE);
-	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-	blake2s_update(&state, in, inlen);
-	blake2s_final(&state, i_hash);
-
-	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-		x_key[i] ^= 0x5c ^ 0x36;
-
-	blake2s_init(&state, BLAKE2S_HASH_SIZE);
-	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
-	blake2s_final(&state, i_hash);
-
-	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
-	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
-	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
-}
-EXPORT_SYMBOL(blake2s256_hmac);
-
 static int __init blake2s_mod_init(void)
 {
 	if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
-- 
2.34.1


From ardb at kernel.org  Tue Jan 11 14:43:52 2022
From: ardb at kernel.org (Ard Biesheuvel)
Date: Tue, 11 Jan 2022 15:43:52 +0100
Subject: [PATCH crypto 2/2] lib/crypto: blake2s: move hmac construction
 into wireguard
In-Reply-To: <20220111134934.324663-3-Jason@zx2c4.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-3-Jason@zx2c4.com>
Message-ID: <CAMj1kXFynd4K7Zp6czgTWnDp9RHimizyMs4Yo2RsjCsEfa89fA@mail.gmail.com>

On Tue, 11 Jan 2022 at 14:49, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> Basically nobody should use blake2s in an HMAC construction; it already
> has a keyed variant. But for unfortunately historical reasons, Noise,

-ly

> used by WireGuard, uses HKDF quite strictly, which means we have to use
> this. Because this really shouldn't be used by others, this commit moves
> it into wireguard's noise.c locally, so that kernels that aren't using
> WireGuard don't get this superfluous code baked in. On m68k systems,
> this shaves off ~314 bytes.
>
> Cc: Geert Uytterhoeven <geert at linux-m68k.org>
> Cc: Herbert Xu <herbert at gondor.apana.org.au>
> Cc: Ard Biesheuvel <ardb at kernel.org>
> Cc: netdev at vger.kernel.org
> Cc: wireguard at lists.zx2c4.com
> Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>

Acked-by: Ard Biesheuvel <ardb at kernel.org>

> ---
>  drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
>  include/crypto/blake2s.h      |  3 ---
>  lib/crypto/blake2s-selftest.c | 31 ------------------------
>  lib/crypto/blake2s.c          | 37 ----------------------------
>  4 files changed, 39 insertions(+), 77 deletions(-)
>
> diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c
> index c0cfd9b36c0b..720952b92e78 100644
> --- a/drivers/net/wireguard/noise.c
> +++ b/drivers/net/wireguard/noise.c
> @@ -302,6 +302,41 @@ void wg_noise_set_static_identity_private_key(
>                 static_identity->static_public, private_key);
>  }
>
> +static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
> +{
> +       struct blake2s_state state;
> +       u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
> +       u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
> +       int i;
> +
> +       if (keylen > BLAKE2S_BLOCK_SIZE) {
> +               blake2s_init(&state, BLAKE2S_HASH_SIZE);
> +               blake2s_update(&state, key, keylen);
> +               blake2s_final(&state, x_key);
> +       } else
> +               memcpy(x_key, key, keylen);
> +
> +       for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
> +               x_key[i] ^= 0x36;
> +
> +       blake2s_init(&state, BLAKE2S_HASH_SIZE);
> +       blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
> +       blake2s_update(&state, in, inlen);
> +       blake2s_final(&state, i_hash);
> +
> +       for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
> +               x_key[i] ^= 0x5c ^ 0x36;
> +
> +       blake2s_init(&state, BLAKE2S_HASH_SIZE);
> +       blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
> +       blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
> +       blake2s_final(&state, i_hash);
> +
> +       memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
> +       memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
> +       memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
> +}
> +
>  /* This is Hugo Krawczyk's HKDF:
>   *  - https://eprint.iacr.org/2010/264.pdf
>   *  - https://tools.ietf.org/html/rfc5869
> @@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
>                  ((third_len || third_dst) && (!second_len || !second_dst))));
>
>         /* Extract entropy from data into secret */
> -       blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
> +       hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
>
>         if (!first_dst || !first_len)
>                 goto out;
>
>         /* Expand first key: key = secret, data = 0x1 */
>         output[0] = 1;
> -       blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
> +       hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
>         memcpy(first_dst, output, first_len);
>
>         if (!second_dst || !second_len)
> @@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
>
>         /* Expand second key: key = secret, data = first-key || 0x2 */
>         output[BLAKE2S_HASH_SIZE] = 2;
> -       blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
> -                       BLAKE2S_HASH_SIZE);
> +       hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
>         memcpy(second_dst, output, second_len);
>
>         if (!third_dst || !third_len)
> @@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
>
>         /* Expand third key: key = secret, data = second-key || 0x3 */
>         output[BLAKE2S_HASH_SIZE] = 3;
> -       blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
> -                       BLAKE2S_HASH_SIZE);
> +       hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
>         memcpy(third_dst, output, third_len);
>
>  out:
> diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h
> index bc3fb59442ce..4e30e1799e61 100644
> --- a/include/crypto/blake2s.h
> +++ b/include/crypto/blake2s.h
> @@ -101,7 +101,4 @@ static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
>         blake2s_final(&state, out);
>  }
>
> -void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
> -                    const size_t keylen);
> -
>  #endif /* _CRYPTO_BLAKE2S_H */
> diff --git a/lib/crypto/blake2s-selftest.c b/lib/crypto/blake2s-selftest.c
> index 5d9ea53be973..409e4b728770 100644
> --- a/lib/crypto/blake2s-selftest.c
> +++ b/lib/crypto/blake2s-selftest.c
> @@ -15,7 +15,6 @@
>   * #include <stdio.h>
>   *
>   * #include <openssl/evp.h>
> - * #include <openssl/hmac.h>
>   *
>   * #define BLAKE2S_TESTVEC_COUNT       256
>   *
> @@ -58,16 +57,6 @@
>   *     }
>   *     printf("};\n\n");
>   *
> - *     printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
> - *
> - *     HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
> - *     print_vec(hash, BLAKE2S_OUTBYTES);
> - *
> - *     HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
> - *     print_vec(hash, BLAKE2S_OUTBYTES);
> - *
> - *     printf("};\n");
> - *
>   *     return 0;
>   *}
>   */
> @@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
>      0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
>  };
>
> -static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
> -  { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
> -    0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
> -    0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
> -  { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
> -    0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
> -    0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
> -};
> -
>  bool __init blake2s_selftest(void)
>  {
>         u8 key[BLAKE2S_KEY_SIZE];
> @@ -607,16 +587,5 @@ bool __init blake2s_selftest(void)
>                 }
>         }
>
> -       if (success) {
> -               blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
> -               success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
> -
> -               blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
> -               success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
> -
> -               if (!success)
> -                       pr_err("blake2s256_hmac self-test: FAIL\n");
> -       }
> -
>         return success;
>  }
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 93f2ae051370..9364f79937b8 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -30,43 +30,6 @@ void blake2s_final(struct blake2s_state *state, u8 *out)
>  }
>  EXPORT_SYMBOL(blake2s_final);
>
> -void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
> -                    const size_t keylen)
> -{
> -       struct blake2s_state state;
> -       u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
> -       u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
> -       int i;
> -
> -       if (keylen > BLAKE2S_BLOCK_SIZE) {
> -               blake2s_init(&state, BLAKE2S_HASH_SIZE);
> -               blake2s_update(&state, key, keylen);
> -               blake2s_final(&state, x_key);
> -       } else
> -               memcpy(x_key, key, keylen);
> -
> -       for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
> -               x_key[i] ^= 0x36;
> -
> -       blake2s_init(&state, BLAKE2S_HASH_SIZE);
> -       blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
> -       blake2s_update(&state, in, inlen);
> -       blake2s_final(&state, i_hash);
> -
> -       for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
> -               x_key[i] ^= 0x5c ^ 0x36;
> -
> -       blake2s_init(&state, BLAKE2S_HASH_SIZE);
> -       blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
> -       blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
> -       blake2s_final(&state, i_hash);
> -
> -       memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
> -       memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
> -       memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
> -}
> -EXPORT_SYMBOL(blake2s256_hmac);
> -
>  static int __init blake2s_mod_init(void)
>  {
>         if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
> --
> 2.34.1
>

From bigeasy at linutronix.de  Tue Jan 11 15:40:31 2022
From: bigeasy at linutronix.de (Sebastian Andrzej Siewior)
Date: Tue, 11 Jan 2022 16:40:31 +0100
Subject: [RFC] wiregard RX packet processing.
In-Reply-To: <CAHmME9rzEjKg41eq5jBtsLXF+vZSEnvdomZJ-rTzx8Q=ac1ayg@mail.gmail.com>
References: <20211208173205.zajfvg6zvi4g5kln@linutronix.de>
 <CAHmME9rzEjKg41eq5jBtsLXF+vZSEnvdomZJ-rTzx8Q=ac1ayg@mail.gmail.com>
Message-ID: <Yd2k7yCGCQXfibk3@linutronix.de>

On 2021-12-20 18:29:49 [+0100], Jason A. Donenfeld wrote:
> Hi Sebastian,
> 
> Seems like you've identified two things, the use of need_resched, and
> potentially surrounding napi_schedule in local_bh_{disable,enable}.
> 
> Regarding need_resched, I pulled that out of other code that seemed to
> have the "same requirements", as vaguely conceived. It indeed might
> not be right. The intent is to have that worker running at maximum
> throughput for extended periods of time, but not preventing other
> threads from running elsewhere, so that, e.g., a user's machine
> doesn't have a jenky mouse when downloading a file.
>
> What are the effects of unconditionally calling cond_resched() without
> checking for if (need_resched())? Sounds like you're saying none at
> all?

I stand to be corrected but "if need_resched() cond_resched())" is not
something one should do. If you hold a lock and need to drop it first
and und you don't want to drop the lock if there is no need for
scheduling then there is cond_resched_lock() for instance. If you need
to do something more complex (say set a marker if you drop the lock)
then okay _but_ in this case you do more than just the "if ?" from
above.

cond_resched() gets optimized away on a preemptible kernel. The side
effect is that you have always a branch (to cond_resched()) including a
possible RCU section (urgently needed quiescent state).

> Regarding napi_schedule, I actually wasn't aware that it's requirement
> to _only_ ever run from softirq was a strict one. When I switched to
> using napi_schedule in this way, throughput really jumped up
> significantly. Part of this indeed is from the batching, so that the
> napi callback can then handle more packets in one go later. But I
> assumed it was something inside of NAPI that was batching and
> scheduling it, rather than a mistake on my part to call this from a wq
> and not from a softirq.

There is no strict requirement to do napi_schedule() from hard-IRQ but
it makes sense actually. So napi_schedule() invokes
__raise_softirq_irqoff() which only ors a bit in the softirq state.
Nothing else. The only reason that the softirq is invoked in a
deterministic way is that irq_exit() has this "if
(local_softirq_pending()) invoke_softirq()" check before returing (to
interrupted user/ kernel code).

So if you use it in a worker (for instance) the NAPI call is delayed
until the next IRQ (due to irq_exit() part) or a random
local_bh_enable() user.

> What, then, are the effects of surrounding that in
> local_bh_{disable,enable} as you've done in the patch? You mentioned
> one aspect is that it will "invoke wg_packet_rx_poll() where you see
> only one skb." It sounds like that'd be bad for performance, though,
> given that the design of napi is really geared toward batching.

As Toke H?iland-J?rgensen wrote in the previous reply, I missed the BH
disable/ enable in ptr_ring_consume_bh(). So what happens is that
ptr_ring_consume_bh() gives you one skb, you do
wg_queue_enqueue_per_peer_rx() which raises NAPI then the following
ptr_ring_consume_bh() (that local_bh_enable() to be exact) invokes the
NAPI callback (I guess wg_packet_rx_poll() but as I wrote earlier, I
didn't figure out how the skbs move from here to the other queue for
that callback).

So there is probably no batching assuming that one skb is processed in
the NAPI callback.

> Jason

Sebastian

From Jason at zx2c4.com  Tue Jan 11 18:10:35 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 19:10:35 +0100
Subject: [PATCH crypto v2 0/2] reduce code size from blake2s on m68k and other
 small platforms
In-Reply-To: <20220111134934.324663-1-Jason@zx2c4.com>
References: <20220111134934.324663-1-Jason@zx2c4.com>
Message-ID: <20220111181037.632969-1-Jason@zx2c4.com>

Hi,

Geert emailed me this afternoon concerned about blake2s codesize on m68k
and other small systems. We identified two effective ways of chopping
down the size. One of them moves some wireguard-specific things into
wireguard proper. The other one adds a slower codepath for small
machines to blake2s. This worked, and was v1 of this patchset, but I
wasn't so much of a fan. Then someone pointed out that the generic C
SHA-1 implementation is still unrolled, which is a *lot* of extra code.
Simply rerolling that saves about as much as v1 did. So, we instead do
that in this v2 patchset. SHA-1 is being phased out, and soon it won't
be included at all (hopefully). And nothing performance-oriented has
anything to do with it anyway.

The result of these two patches mitigates Geert's feared code size
increase for 5.17.

Thanks,
Jason


Jason A. Donenfeld (2):
  lib/crypto: blake2s: move hmac construction into wireguard
  lib/crypto: sha1: re-roll loops to reduce code size

 drivers/net/wireguard/noise.c |  45 +++++++++++--
 include/crypto/blake2s.h      |   3 -
 lib/crypto/blake2s-selftest.c |  31 ---------
 lib/crypto/blake2s.c          |  37 -----------
 lib/sha1.c                    | 117 ++++++++--------------------------
 5 files changed, 64 insertions(+), 169 deletions(-)

-- 
2.34.1


From Jason at zx2c4.com  Tue Jan 11 18:10:36 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 19:10:36 +0100
Subject: [PATCH crypto v2 1/2] lib/crypto: blake2s: move hmac construction
 into wireguard
In-Reply-To: <20220111181037.632969-1-Jason@zx2c4.com>
References: <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111181037.632969-1-Jason@zx2c4.com>
Message-ID: <20220111181037.632969-2-Jason@zx2c4.com>

Basically nobody should use blake2s in an HMAC construction; it already
has a keyed variant. But unfortunately for historical reasons, Noise,
used by WireGuard, uses HKDF quite strictly, which means we have to use
this. Because this really shouldn't be used by others, this commit moves
it into wireguard's noise.c locally, so that kernels that aren't using
WireGuard don't get this superfluous code baked in. On m68k systems,
this shaves off ~314 bytes.

Cc: Geert Uytterhoeven <geert at linux-m68k.org>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Acked-by: Ard Biesheuvel <ardb at kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
---
 drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
 include/crypto/blake2s.h      |  3 ---
 lib/crypto/blake2s-selftest.c | 31 ------------------------
 lib/crypto/blake2s.c          | 37 ----------------------------
 4 files changed, 39 insertions(+), 77 deletions(-)

diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c
index c0cfd9b36c0b..720952b92e78 100644
--- a/drivers/net/wireguard/noise.c
+++ b/drivers/net/wireguard/noise.c
@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_private_key(
 		static_identity->static_public, private_key);
 }
 
+static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
+{
+	struct blake2s_state state;
+	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
+	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
+	int i;
+
+	if (keylen > BLAKE2S_BLOCK_SIZE) {
+		blake2s_init(&state, BLAKE2S_HASH_SIZE);
+		blake2s_update(&state, key, keylen);
+		blake2s_final(&state, x_key);
+	} else
+		memcpy(x_key, key, keylen);
+
+	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+		x_key[i] ^= 0x36;
+
+	blake2s_init(&state, BLAKE2S_HASH_SIZE);
+	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+	blake2s_update(&state, in, inlen);
+	blake2s_final(&state, i_hash);
+
+	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+		x_key[i] ^= 0x5c ^ 0x36;
+
+	blake2s_init(&state, BLAKE2S_HASH_SIZE);
+	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
+	blake2s_final(&state, i_hash);
+
+	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
+	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
+	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
+}
+
 /* This is Hugo Krawczyk's HKDF:
  *  - https://eprint.iacr.org/2010/264.pdf
  *  - https://tools.ietf.org/html/rfc5869
@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 		 ((third_len || third_dst) && (!second_len || !second_dst))));
 
 	/* Extract entropy from data into secret */
-	blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
+	hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
 
 	if (!first_dst || !first_len)
 		goto out;
 
 	/* Expand first key: key = secret, data = 0x1 */
 	output[0] = 1;
-	blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
 	memcpy(first_dst, output, first_len);
 
 	if (!second_dst || !second_len)
@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 
 	/* Expand second key: key = secret, data = first-key || 0x2 */
 	output[BLAKE2S_HASH_SIZE] = 2;
-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
-			BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
 	memcpy(second_dst, output, second_len);
 
 	if (!third_dst || !third_len)
@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 
 	/* Expand third key: key = secret, data = second-key || 0x3 */
 	output[BLAKE2S_HASH_SIZE] = 3;
-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
-			BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
 	memcpy(third_dst, output, third_len);
 
 out:
diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h
index bc3fb59442ce..4e30e1799e61 100644
--- a/include/crypto/blake2s.h
+++ b/include/crypto/blake2s.h
@@ -101,7 +101,4 @@ static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
 	blake2s_final(&state, out);
 }
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-		     const size_t keylen);
-
 #endif /* _CRYPTO_BLAKE2S_H */
diff --git a/lib/crypto/blake2s-selftest.c b/lib/crypto/blake2s-selftest.c
index 5d9ea53be973..409e4b728770 100644
--- a/lib/crypto/blake2s-selftest.c
+++ b/lib/crypto/blake2s-selftest.c
@@ -15,7 +15,6 @@
  * #include <stdio.h>
  *
  * #include <openssl/evp.h>
- * #include <openssl/hmac.h>
  *
  * #define BLAKE2S_TESTVEC_COUNT	256
  *
@@ -58,16 +57,6 @@
  *	}
  *	printf("};\n\n");
  *
- *	printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
- *
- *	HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
- *	print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *	HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
- *	print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *	printf("};\n");
- *
  *	return 0;
  *}
  */
@@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
     0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
 };
 
-static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
-  { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
-    0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
-    0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
-  { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
-    0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
-    0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
-};
-
 bool __init blake2s_selftest(void)
 {
 	u8 key[BLAKE2S_KEY_SIZE];
@@ -607,16 +587,5 @@ bool __init blake2s_selftest(void)
 		}
 	}
 
-	if (success) {
-		blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
-		success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
-
-		blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
-		success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
-
-		if (!success)
-			pr_err("blake2s256_hmac self-test: FAIL\n");
-	}
-
 	return success;
 }
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..9364f79937b8 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -30,43 +30,6 @@ void blake2s_final(struct blake2s_state *state, u8 *out)
 }
 EXPORT_SYMBOL(blake2s_final);
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-		     const size_t keylen)
-{
-	struct blake2s_state state;
-	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
-	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
-	int i;
-
-	if (keylen > BLAKE2S_BLOCK_SIZE) {
-		blake2s_init(&state, BLAKE2S_HASH_SIZE);
-		blake2s_update(&state, key, keylen);
-		blake2s_final(&state, x_key);
-	} else
-		memcpy(x_key, key, keylen);
-
-	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-		x_key[i] ^= 0x36;
-
-	blake2s_init(&state, BLAKE2S_HASH_SIZE);
-	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-	blake2s_update(&state, in, inlen);
-	blake2s_final(&state, i_hash);
-
-	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-		x_key[i] ^= 0x5c ^ 0x36;
-
-	blake2s_init(&state, BLAKE2S_HASH_SIZE);
-	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
-	blake2s_final(&state, i_hash);
-
-	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
-	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
-	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
-}
-EXPORT_SYMBOL(blake2s256_hmac);
-
 static int __init blake2s_mod_init(void)
 {
 	if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
-- 
2.34.1


From Jason at zx2c4.com  Tue Jan 11 18:10:37 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 19:10:37 +0100
Subject: [PATCH crypto v2 2/2] lib/crypto: sha1: re-roll loops to reduce code
 size
In-Reply-To: <20220111181037.632969-1-Jason@zx2c4.com>
References: <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111181037.632969-1-Jason@zx2c4.com>
Message-ID: <20220111181037.632969-3-Jason@zx2c4.com>

With SHA-1 no longer being used for anything performance oriented, and
also soon to be phased out entirely, we can make up for the space added
by unrolled BLAKE2s by simply re-rolling SHA-1. Since SHA-1 is so much
more complex, re-rolling it more or less takes care of the code size
added by BLAKE2s. And eventually, hopefully we'll see SHA-1 removed
entirely from most small kernel builds.

Cc: Geert Uytterhoeven <geert at linux-m68k.org>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Cc: Ard Biesheuvel <ardb at kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
---
 lib/sha1.c | 117 ++++++++++++-----------------------------------------
 1 file changed, 25 insertions(+), 92 deletions(-)

diff --git a/lib/sha1.c b/lib/sha1.c
index 9bd1935a1472..f2acfa294e64 100644
--- a/lib/sha1.c
+++ b/lib/sha1.c
@@ -9,6 +9,7 @@
 #include <linux/kernel.h>
 #include <linux/export.h>
 #include <linux/bitops.h>
+#include <linux/string.h>
 #include <crypto/sha1.h>
 #include <asm/unaligned.h>
 
@@ -83,109 +84,41 @@
  */
 void sha1_transform(__u32 *digest, const char *data, __u32 *array)
 {
-	__u32 A, B, C, D, E;
+	u32 d[5];
+	unsigned int i = 0;
 
-	A = digest[0];
-	B = digest[1];
-	C = digest[2];
-	D = digest[3];
-	E = digest[4];
+	memcpy(d, digest, sizeof(d));
 
 	/* Round 1 - iterations 0-16 take their input from 'data' */
-	T_0_15( 0, A, B, C, D, E);
-	T_0_15( 1, E, A, B, C, D);
-	T_0_15( 2, D, E, A, B, C);
-	T_0_15( 3, C, D, E, A, B);
-	T_0_15( 4, B, C, D, E, A);
-	T_0_15( 5, A, B, C, D, E);
-	T_0_15( 6, E, A, B, C, D);
-	T_0_15( 7, D, E, A, B, C);
-	T_0_15( 8, C, D, E, A, B);
-	T_0_15( 9, B, C, D, E, A);
-	T_0_15(10, A, B, C, D, E);
-	T_0_15(11, E, A, B, C, D);
-	T_0_15(12, D, E, A, B, C);
-	T_0_15(13, C, D, E, A, B);
-	T_0_15(14, B, C, D, E, A);
-	T_0_15(15, A, B, C, D, E);
+	for (; i < 16; ++i)
+		T_0_15(i, d[(-6 - i) % 5], d[(-5 - i) % 5],
+		       d[(-4 - i) % 5], d[(-3 - i) % 5], d[(-2 - i) % 5]);
 
 	/* Round 1 - tail. Input from 512-bit mixing array */
-	T_16_19(16, E, A, B, C, D);
-	T_16_19(17, D, E, A, B, C);
-	T_16_19(18, C, D, E, A, B);
-	T_16_19(19, B, C, D, E, A);
+	for (; i < 20; ++i)
+		T_16_19(i, d[(-6 - i) % 5], d[(-5 - i) % 5],
+			d[(-4 - i) % 5], d[(-3 - i) % 5], d[(-2 - i) % 5]);
 
 	/* Round 2 */
-	T_20_39(20, A, B, C, D, E);
-	T_20_39(21, E, A, B, C, D);
-	T_20_39(22, D, E, A, B, C);
-	T_20_39(23, C, D, E, A, B);
-	T_20_39(24, B, C, D, E, A);
-	T_20_39(25, A, B, C, D, E);
-	T_20_39(26, E, A, B, C, D);
-	T_20_39(27, D, E, A, B, C);
-	T_20_39(28, C, D, E, A, B);
-	T_20_39(29, B, C, D, E, A);
-	T_20_39(30, A, B, C, D, E);
-	T_20_39(31, E, A, B, C, D);
-	T_20_39(32, D, E, A, B, C);
-	T_20_39(33, C, D, E, A, B);
-	T_20_39(34, B, C, D, E, A);
-	T_20_39(35, A, B, C, D, E);
-	T_20_39(36, E, A, B, C, D);
-	T_20_39(37, D, E, A, B, C);
-	T_20_39(38, C, D, E, A, B);
-	T_20_39(39, B, C, D, E, A);
+	for (; i < 40; ++i)
+		T_20_39(i, d[(-6 - i) % 5], d[(-5 - i) % 5],
+			d[(-4 - i) % 5], d[(-3 - i) % 5], d[(-2 - i) % 5]);
 
 	/* Round 3 */
-	T_40_59(40, A, B, C, D, E);
-	T_40_59(41, E, A, B, C, D);
-	T_40_59(42, D, E, A, B, C);
-	T_40_59(43, C, D, E, A, B);
-	T_40_59(44, B, C, D, E, A);
-	T_40_59(45, A, B, C, D, E);
-	T_40_59(46, E, A, B, C, D);
-	T_40_59(47, D, E, A, B, C);
-	T_40_59(48, C, D, E, A, B);
-	T_40_59(49, B, C, D, E, A);
-	T_40_59(50, A, B, C, D, E);
-	T_40_59(51, E, A, B, C, D);
-	T_40_59(52, D, E, A, B, C);
-	T_40_59(53, C, D, E, A, B);
-	T_40_59(54, B, C, D, E, A);
-	T_40_59(55, A, B, C, D, E);
-	T_40_59(56, E, A, B, C, D);
-	T_40_59(57, D, E, A, B, C);
-	T_40_59(58, C, D, E, A, B);
-	T_40_59(59, B, C, D, E, A);
+	for (; i < 60; ++i)
+		T_40_59(i, d[(-6 - i) % 5], d[(-5 - i) % 5],
+			d[(-4 - i) % 5], d[(-3 - i) % 5], d[(-2 - i) % 5]);
 
 	/* Round 4 */
-	T_60_79(60, A, B, C, D, E);
-	T_60_79(61, E, A, B, C, D);
-	T_60_79(62, D, E, A, B, C);
-	T_60_79(63, C, D, E, A, B);
-	T_60_79(64, B, C, D, E, A);
-	T_60_79(65, A, B, C, D, E);
-	T_60_79(66, E, A, B, C, D);
-	T_60_79(67, D, E, A, B, C);
-	T_60_79(68, C, D, E, A, B);
-	T_60_79(69, B, C, D, E, A);
-	T_60_79(70, A, B, C, D, E);
-	T_60_79(71, E, A, B, C, D);
-	T_60_79(72, D, E, A, B, C);
-	T_60_79(73, C, D, E, A, B);
-	T_60_79(74, B, C, D, E, A);
-	T_60_79(75, A, B, C, D, E);
-	T_60_79(76, E, A, B, C, D);
-	T_60_79(77, D, E, A, B, C);
-	T_60_79(78, C, D, E, A, B);
-	T_60_79(79, B, C, D, E, A);
-
-	digest[0] += A;
-	digest[1] += B;
-	digest[2] += C;
-	digest[3] += D;
-	digest[4] += E;
+	for (; i < 80; ++i)
+		T_60_79(i, d[(-6 - i) % 5], d[(-5 - i) % 5],
+			d[(-4 - i) % 5], d[(-3 - i) % 5], d[(-2 - i) % 5]);
+
+	digest[0] += d[0];
+	digest[1] += d[1];
+	digest[2] += d[2];
+	digest[3] += d[3];
+	digest[4] += d[4];
 }
 EXPORT_SYMBOL(sha1_transform);
 
-- 
2.34.1


From Jason at zx2c4.com  Tue Jan 11 22:05:04 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 23:05:04 +0100
Subject: [PATCH crypto v3 0/2] reduce code size from blake2s on m68k and other
 small platforms
In-Reply-To: <20220111181037.632969-1-Jason@zx2c4.com>
References: <20220111181037.632969-1-Jason@zx2c4.com>
Message-ID: <20220111220506.742067-1-Jason@zx2c4.com>

Hi,

Geert emailed me this afternoon concerned about blake2s codesize on m68k
and other small systems. We identified two effective ways of chopping
down the size. One of them moves some wireguard-specific things into
wireguard proper. The other one adds a slower codepath for small
machines to blake2s. This worked, and was v1 of this patchset, but I
wasn't so much of a fan. Then someone pointed out that the generic C
SHA-1 implementation is still unrolled, which is a *lot* of extra code.
Simply rerolling that saves about as much as v1 did. So, we instead do
that in this patchset. SHA-1 is being phased out, and soon it won't
be included at all (hopefully). And nothing performance-oriented has
anything to do with it anyway.

The result of these two patches mitigates Geert's feared code size
increase for 5.17.

v3 improves on v2 by making the re-rolling of SHA-1 much simpler,
resulting in even larger code size reduction and much better
performance. The reason I'm sending yet a third version in such a short
amount of time is because the trick here feels obvious and substantial
enough that I'd hate for Geert to waste time measuring the impact of the
previous commit.

Thanks,
Jason

Jason A. Donenfeld (2):
  lib/crypto: blake2s: move hmac construction into wireguard
  lib/crypto: sha1: re-roll loops to reduce code size

 drivers/net/wireguard/noise.c | 45 ++++++++++++++---
 include/crypto/blake2s.h      |  3 --
 lib/crypto/blake2s-selftest.c | 31 ------------
 lib/crypto/blake2s.c          | 37 --------------
 lib/sha1.c                    | 95 ++++++-----------------------------
 5 files changed, 53 insertions(+), 158 deletions(-)

-- 
2.34.1


From Jason at zx2c4.com  Tue Jan 11 22:05:05 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 23:05:05 +0100
Subject: [PATCH crypto v3 1/2] lib/crypto: blake2s: move hmac construction
 into wireguard
In-Reply-To: <20220111220506.742067-1-Jason@zx2c4.com>
References: <20220111181037.632969-1-Jason@zx2c4.com>
 <20220111220506.742067-1-Jason@zx2c4.com>
Message-ID: <20220111220506.742067-2-Jason@zx2c4.com>

Basically nobody should use blake2s in an HMAC construction; it already
has a keyed variant. But unfortunately for historical reasons, Noise,
used by WireGuard, uses HKDF quite strictly, which means we have to use
this. Because this really shouldn't be used by others, this commit moves
it into wireguard's noise.c locally, so that kernels that aren't using
WireGuard don't get this superfluous code baked in. On m68k systems,
this shaves off ~314 bytes.

Cc: Geert Uytterhoeven <geert at linux-m68k.org>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Acked-by: Ard Biesheuvel <ardb at kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
---
 drivers/net/wireguard/noise.c | 45 ++++++++++++++++++++++++++++++-----
 include/crypto/blake2s.h      |  3 ---
 lib/crypto/blake2s-selftest.c | 31 ------------------------
 lib/crypto/blake2s.c          | 37 ----------------------------
 4 files changed, 39 insertions(+), 77 deletions(-)

diff --git a/drivers/net/wireguard/noise.c b/drivers/net/wireguard/noise.c
index c0cfd9b36c0b..720952b92e78 100644
--- a/drivers/net/wireguard/noise.c
+++ b/drivers/net/wireguard/noise.c
@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_private_key(
 		static_identity->static_public, private_key);
 }
 
+static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)
+{
+	struct blake2s_state state;
+	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
+	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
+	int i;
+
+	if (keylen > BLAKE2S_BLOCK_SIZE) {
+		blake2s_init(&state, BLAKE2S_HASH_SIZE);
+		blake2s_update(&state, key, keylen);
+		blake2s_final(&state, x_key);
+	} else
+		memcpy(x_key, key, keylen);
+
+	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+		x_key[i] ^= 0x36;
+
+	blake2s_init(&state, BLAKE2S_HASH_SIZE);
+	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+	blake2s_update(&state, in, inlen);
+	blake2s_final(&state, i_hash);
+
+	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
+		x_key[i] ^= 0x5c ^ 0x36;
+
+	blake2s_init(&state, BLAKE2S_HASH_SIZE);
+	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
+	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
+	blake2s_final(&state, i_hash);
+
+	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
+	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
+	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
+}
+
 /* This is Hugo Krawczyk's HKDF:
  *  - https://eprint.iacr.org/2010/264.pdf
  *  - https://tools.ietf.org/html/rfc5869
@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 		 ((third_len || third_dst) && (!second_len || !second_dst))));
 
 	/* Extract entropy from data into secret */
-	blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
+	hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
 
 	if (!first_dst || !first_len)
 		goto out;
 
 	/* Expand first key: key = secret, data = 0x1 */
 	output[0] = 1;
-	blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
 	memcpy(first_dst, output, first_len);
 
 	if (!second_dst || !second_len)
@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 
 	/* Expand second key: key = secret, data = first-key || 0x2 */
 	output[BLAKE2S_HASH_SIZE] = 2;
-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
-			BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
 	memcpy(second_dst, output, second_len);
 
 	if (!third_dst || !third_len)
@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
 
 	/* Expand third key: key = secret, data = second-key || 0x3 */
 	output[BLAKE2S_HASH_SIZE] = 3;
-	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
-			BLAKE2S_HASH_SIZE);
+	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);
 	memcpy(third_dst, output, third_len);
 
 out:
diff --git a/include/crypto/blake2s.h b/include/crypto/blake2s.h
index bc3fb59442ce..4e30e1799e61 100644
--- a/include/crypto/blake2s.h
+++ b/include/crypto/blake2s.h
@@ -101,7 +101,4 @@ static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
 	blake2s_final(&state, out);
 }
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-		     const size_t keylen);
-
 #endif /* _CRYPTO_BLAKE2S_H */
diff --git a/lib/crypto/blake2s-selftest.c b/lib/crypto/blake2s-selftest.c
index 5d9ea53be973..409e4b728770 100644
--- a/lib/crypto/blake2s-selftest.c
+++ b/lib/crypto/blake2s-selftest.c
@@ -15,7 +15,6 @@
  * #include <stdio.h>
  *
  * #include <openssl/evp.h>
- * #include <openssl/hmac.h>
  *
  * #define BLAKE2S_TESTVEC_COUNT	256
  *
@@ -58,16 +57,6 @@
  *	}
  *	printf("};\n\n");
  *
- *	printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
- *
- *	HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
- *	print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *	HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
- *	print_vec(hash, BLAKE2S_OUTBYTES);
- *
- *	printf("};\n");
- *
  *	return 0;
  *}
  */
@@ -554,15 +543,6 @@ static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
     0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
 };
 
-static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
-  { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
-    0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
-    0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
-  { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
-    0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
-    0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
-};
-
 bool __init blake2s_selftest(void)
 {
 	u8 key[BLAKE2S_KEY_SIZE];
@@ -607,16 +587,5 @@ bool __init blake2s_selftest(void)
 		}
 	}
 
-	if (success) {
-		blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
-		success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
-
-		blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
-		success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
-
-		if (!success)
-			pr_err("blake2s256_hmac self-test: FAIL\n");
-	}
-
 	return success;
 }
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..9364f79937b8 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -30,43 +30,6 @@ void blake2s_final(struct blake2s_state *state, u8 *out)
 }
 EXPORT_SYMBOL(blake2s_final);
 
-void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
-		     const size_t keylen)
-{
-	struct blake2s_state state;
-	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
-	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
-	int i;
-
-	if (keylen > BLAKE2S_BLOCK_SIZE) {
-		blake2s_init(&state, BLAKE2S_HASH_SIZE);
-		blake2s_update(&state, key, keylen);
-		blake2s_final(&state, x_key);
-	} else
-		memcpy(x_key, key, keylen);
-
-	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-		x_key[i] ^= 0x36;
-
-	blake2s_init(&state, BLAKE2S_HASH_SIZE);
-	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-	blake2s_update(&state, in, inlen);
-	blake2s_final(&state, i_hash);
-
-	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
-		x_key[i] ^= 0x5c ^ 0x36;
-
-	blake2s_init(&state, BLAKE2S_HASH_SIZE);
-	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
-	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
-	blake2s_final(&state, i_hash);
-
-	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
-	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
-	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
-}
-EXPORT_SYMBOL(blake2s256_hmac);
-
 static int __init blake2s_mod_init(void)
 {
 	if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
-- 
2.34.1


From Jason at zx2c4.com  Tue Jan 11 22:05:06 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 11 Jan 2022 23:05:06 +0100
Subject: [PATCH crypto v3 2/2] lib/crypto: sha1: re-roll loops to reduce code
 size
In-Reply-To: <20220111220506.742067-1-Jason@zx2c4.com>
References: <20220111181037.632969-1-Jason@zx2c4.com>
 <20220111220506.742067-1-Jason@zx2c4.com>
Message-ID: <20220111220506.742067-3-Jason@zx2c4.com>

With SHA-1 no longer being used for anything performance oriented, and
also soon to be phased out entirely, we can make up for the space added
by unrolled BLAKE2s by simply re-rolling SHA-1. Since SHA-1 is so much
more complex, re-rolling it more or less takes care of the code size
added by BLAKE2s. And eventually, hopefully we'll see SHA-1 removed
entirely from most small kernel builds.

Cc: Geert Uytterhoeven <geert at linux-m68k.org>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Cc: Ard Biesheuvel <ardb at kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
---
 lib/sha1.c | 95 ++++++++----------------------------------------------
 1 file changed, 14 insertions(+), 81 deletions(-)

diff --git a/lib/sha1.c b/lib/sha1.c
index 9bd1935a1472..0494766fc574 100644
--- a/lib/sha1.c
+++ b/lib/sha1.c
@@ -9,6 +9,7 @@
 #include <linux/kernel.h>
 #include <linux/export.h>
 #include <linux/bitops.h>
+#include <linux/string.h>
 #include <crypto/sha1.h>
 #include <asm/unaligned.h>
 
@@ -55,7 +56,8 @@
 #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
 	__u32 TEMP = input(t); setW(t, TEMP); \
 	E += TEMP + rol32(A,5) + (fn) + (constant); \
-	B = ror32(B, 2); } while (0)
+	B = ror32(B, 2); \
+	TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0)
 
 #define T_0_15(t, A, B, C, D, E)  SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
 #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
@@ -84,6 +86,7 @@
 void sha1_transform(__u32 *digest, const char *data, __u32 *array)
 {
 	__u32 A, B, C, D, E;
+	unsigned int i = 0;
 
 	A = digest[0];
 	B = digest[1];
@@ -92,94 +95,24 @@ void sha1_transform(__u32 *digest, const char *data, __u32 *array)
 	E = digest[4];
 
 	/* Round 1 - iterations 0-16 take their input from 'data' */
-	T_0_15( 0, A, B, C, D, E);
-	T_0_15( 1, E, A, B, C, D);
-	T_0_15( 2, D, E, A, B, C);
-	T_0_15( 3, C, D, E, A, B);
-	T_0_15( 4, B, C, D, E, A);
-	T_0_15( 5, A, B, C, D, E);
-	T_0_15( 6, E, A, B, C, D);
-	T_0_15( 7, D, E, A, B, C);
-	T_0_15( 8, C, D, E, A, B);
-	T_0_15( 9, B, C, D, E, A);
-	T_0_15(10, A, B, C, D, E);
-	T_0_15(11, E, A, B, C, D);
-	T_0_15(12, D, E, A, B, C);
-	T_0_15(13, C, D, E, A, B);
-	T_0_15(14, B, C, D, E, A);
-	T_0_15(15, A, B, C, D, E);
+	for (; i < 16; ++i)
+		T_0_15(i, A, B, C, D, E);
 
 	/* Round 1 - tail. Input from 512-bit mixing array */
-	T_16_19(16, E, A, B, C, D);
-	T_16_19(17, D, E, A, B, C);
-	T_16_19(18, C, D, E, A, B);
-	T_16_19(19, B, C, D, E, A);
+	for (; i < 20; ++i)
+		T_16_19(i, A, B, C, D, E);
 
 	/* Round 2 */
-	T_20_39(20, A, B, C, D, E);
-	T_20_39(21, E, A, B, C, D);
-	T_20_39(22, D, E, A, B, C);
-	T_20_39(23, C, D, E, A, B);
-	T_20_39(24, B, C, D, E, A);
-	T_20_39(25, A, B, C, D, E);
-	T_20_39(26, E, A, B, C, D);
-	T_20_39(27, D, E, A, B, C);
-	T_20_39(28, C, D, E, A, B);
-	T_20_39(29, B, C, D, E, A);
-	T_20_39(30, A, B, C, D, E);
-	T_20_39(31, E, A, B, C, D);
-	T_20_39(32, D, E, A, B, C);
-	T_20_39(33, C, D, E, A, B);
-	T_20_39(34, B, C, D, E, A);
-	T_20_39(35, A, B, C, D, E);
-	T_20_39(36, E, A, B, C, D);
-	T_20_39(37, D, E, A, B, C);
-	T_20_39(38, C, D, E, A, B);
-	T_20_39(39, B, C, D, E, A);
+	for (; i < 40; ++i)
+		T_20_39(i, A, B, C, D, E);
 
 	/* Round 3 */
-	T_40_59(40, A, B, C, D, E);
-	T_40_59(41, E, A, B, C, D);
-	T_40_59(42, D, E, A, B, C);
-	T_40_59(43, C, D, E, A, B);
-	T_40_59(44, B, C, D, E, A);
-	T_40_59(45, A, B, C, D, E);
-	T_40_59(46, E, A, B, C, D);
-	T_40_59(47, D, E, A, B, C);
-	T_40_59(48, C, D, E, A, B);
-	T_40_59(49, B, C, D, E, A);
-	T_40_59(50, A, B, C, D, E);
-	T_40_59(51, E, A, B, C, D);
-	T_40_59(52, D, E, A, B, C);
-	T_40_59(53, C, D, E, A, B);
-	T_40_59(54, B, C, D, E, A);
-	T_40_59(55, A, B, C, D, E);
-	T_40_59(56, E, A, B, C, D);
-	T_40_59(57, D, E, A, B, C);
-	T_40_59(58, C, D, E, A, B);
-	T_40_59(59, B, C, D, E, A);
+	for (; i < 60; ++i)
+		T_40_59(i, A, B, C, D, E);
 
 	/* Round 4 */
-	T_60_79(60, A, B, C, D, E);
-	T_60_79(61, E, A, B, C, D);
-	T_60_79(62, D, E, A, B, C);
-	T_60_79(63, C, D, E, A, B);
-	T_60_79(64, B, C, D, E, A);
-	T_60_79(65, A, B, C, D, E);
-	T_60_79(66, E, A, B, C, D);
-	T_60_79(67, D, E, A, B, C);
-	T_60_79(68, C, D, E, A, B);
-	T_60_79(69, B, C, D, E, A);
-	T_60_79(70, A, B, C, D, E);
-	T_60_79(71, E, A, B, C, D);
-	T_60_79(72, D, E, A, B, C);
-	T_60_79(73, C, D, E, A, B);
-	T_60_79(74, B, C, D, E, A);
-	T_60_79(75, A, B, C, D, E);
-	T_60_79(76, E, A, B, C, D);
-	T_60_79(77, D, E, A, B, C);
-	T_60_79(78, C, D, E, A, B);
-	T_60_79(79, B, C, D, E, A);
+	for (; i < 80; ++i)
+		T_60_79(i, A, B, C, D, E);
 
 	digest[0] += A;
 	digest[1] += B;
-- 
2.34.1


From Jason at zx2c4.com  Wed Jan 12 13:16:28 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 12 Jan 2022 14:16:28 +0100
Subject: [PATCH crypto 1/2] lib/crypto: blake2s-generic: reduce code size
 on small systems
In-Reply-To: <CAMuHMdWOheM0WsHNTA2dS=wJA8kXEYx6G78bnZ51T1X8HWdzNg@mail.gmail.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-2-Jason@zx2c4.com>
 <CAMuHMdWOheM0WsHNTA2dS=wJA8kXEYx6G78bnZ51T1X8HWdzNg@mail.gmail.com>
Message-ID: <CAHmME9q1Fm+m7JsGQWYY4qLApdaiqWHz-OYRE4qWjN1uA+HL9Q@mail.gmail.com>

Hi Geert,

Thanks for testing this. However, I've *abandoned* this patch, due to
unacceptable performance hits, and figuring out that we can accomplish
basically the same thing without as large of a hit by modifying the
obsolete sha1 implementation.

Herbert - please do not apply this patch. Instead, later versions of
this patchset (e.g. v3 [1] and potentially later if it comes to that)
are what should be applied.

Jason

[1] https://lore.kernel.org/linux-crypto/20220111220506.742067-1-Jason at zx2c4.com/

From Jason at zx2c4.com  Wed Jan 12 13:18:34 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 12 Jan 2022 14:18:34 +0100
Subject: [PATCH crypto v3 0/2] reduce code size from blake2s on m68k and
 other small platforms
In-Reply-To: <CAMuHMdUcJN_ZZLnx8TuhoXYV1DAKK9NsXjH2M0xAdn9JTS16wA@mail.gmail.com>
References: <20220111181037.632969-1-Jason@zx2c4.com>
 <20220111220506.742067-1-Jason@zx2c4.com>
 <CAMuHMdUcJN_ZZLnx8TuhoXYV1DAKK9NsXjH2M0xAdn9JTS16wA@mail.gmail.com>
Message-ID: <CAHmME9rxdksVZkN4DF_GabsEPrSDrKbo1cVQs77B_s-e2jZ64A@mail.gmail.com>

Hi Geert,

On Wed, Jan 12, 2022 at 12:00 PM Geert Uytterhoeven
<geert at linux-m68k.org> wrote:
> Thanks for the series!
>
> On m68k:
> add/remove: 1/4 grow/shrink: 0/1 up/down: 4/-4232 (-4228)
> Function                                     old     new   delta
> __ksymtab_blake2s256_hmac                     12       -     -12
> blake2s_init.constprop                        94       -     -94
> blake2s256_hmac                              302       -    -302
> sha1_transform                              4402     582   -3820
> Total: Before=4230537, After=4226309, chg -0.10%
>
> Tested-by: Geert Uytterhoeven <geert at linux-m68k.org>

Excellent, thanks for the breakdown. So this shaves off ~4k, which was
about what we were shooting for here, so I think indeed this series
accomplishes its goal of counteracting the addition of BLAKE2s.
Hopefully Herbert will apply this series for 5.17.

Jason

From houmie at gmail.com  Wed Jan 12 15:28:33 2022
From: houmie at gmail.com (Houman)
Date: Wed, 12 Jan 2022 15:28:33 +0000
Subject: Enable BitCode on libwg-go.a (Wireguard iOS project)
Message-ID: <CABBZOsm1hzRqQ65izwk23S4rQrVCYBkwL73yi3LT5BdvNVbeeg@mail.gmail.com>

Hello,

Currently libwg-go.a doesn't support bitcode in the Xcode project. It
crashes with the following message:

libwg-go.a does not contain bitcode. You must rebuild it with bitcode
enabled (Xcode setting ENABLE_BITCODE), obtain an updated library from
the vendor, or disable bitcode for this target. for architecture arm64

Disabling Bitcode for the whole project is very bad for dSYMs and
Crashlytics reporting, though.

Is there any chance to enable Bitcode for Wireguard, please?  If there
is anything I could do to help, please let me know.

Many Thanks,
Houman

From Jason at zx2c4.com  Wed Jan 12 15:43:35 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 12 Jan 2022 16:43:35 +0100
Subject: Enable BitCode on libwg-go.a (Wireguard iOS project)
In-Reply-To: <CABBZOsm1hzRqQ65izwk23S4rQrVCYBkwL73yi3LT5BdvNVbeeg@mail.gmail.com>
References: <CABBZOsm1hzRqQ65izwk23S4rQrVCYBkwL73yi3LT5BdvNVbeeg@mail.gmail.com>
Message-ID: <CAHmME9rtqmcjKnaR6fCC4Wtj7gkzBF+LJ8AWDsT3cweuZSkHLQ@mail.gmail.com>

Looks like gomobile fixed it via:

https://github.com/golang/mobile/commit/ddd6497b067577b19dddcb2b88017887a0227eb5

We should probably do the same.

From ebiggers at kernel.org  Wed Jan 12 18:31:57 2022
From: ebiggers at kernel.org (Eric Biggers)
Date: Wed, 12 Jan 2022 10:31:57 -0800
Subject: [PATCH crypto 1/2] lib/crypto: blake2s-generic: reduce code size
 on small systems
In-Reply-To: <20220111134934.324663-2-Jason@zx2c4.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-2-Jason@zx2c4.com>
Message-ID: <Yd8enQTocuCSQVkT@gmail.com>

On Tue, Jan 11, 2022 at 02:49:33PM +0100, Jason A. Donenfeld wrote:
> Re-wind the loops entirely on kernels optimized for code size. This is
> really not good at all performance-wise. But on m68k, it shaves off 4k
> of code size, which is apparently important.
> 
> Cc: Geert Uytterhoeven <geert at linux-m68k.org>
> Cc: Herbert Xu <herbert at gondor.apana.org.au>
> Cc: Ard Biesheuvel <ardb at kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
> ---
>  lib/crypto/blake2s-generic.c | 30 ++++++++++++++++++------------
>  1 file changed, 18 insertions(+), 12 deletions(-)
> 
> diff --git a/lib/crypto/blake2s-generic.c b/lib/crypto/blake2s-generic.c
> index 75ccb3e633e6..990f000e22ee 100644
> --- a/lib/crypto/blake2s-generic.c
> +++ b/lib/crypto/blake2s-generic.c
> @@ -46,7 +46,7 @@ void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
>  {
>  	u32 m[16];
>  	u32 v[16];
> -	int i;
> +	int i, j;
>  
>  	WARN_ON(IS_ENABLED(DEBUG) &&
>  		(nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE));
> @@ -86,17 +86,23 @@ void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
>  	G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
>  	G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
>  } while (0)
> -		ROUND(0);
> -		ROUND(1);
> -		ROUND(2);
> -		ROUND(3);
> -		ROUND(4);
> -		ROUND(5);
> -		ROUND(6);
> -		ROUND(7);
> -		ROUND(8);
> -		ROUND(9);
> -
> +		if (IS_ENABLED(CONFIG_CC_OPTIMIZE_FOR_SIZE)) {
> +			for (i = 0; i < 10; ++i) {
> +				for (j = 0; j < 8; ++j)
> +					G(i, j, v[j % 4], v[((j + (j / 4)) % 4) + 4], v[((j + 2 * (j / 4)) % 4) + 8], v[((j + 3 * (j / 4)) % 4) + 12]);
> +			}

How about unrolling the inner loop but not the outer one?  Wouldn't that give
most of the benefit, without hurting performance as much?

If you stay with this approach and don't unroll either loop, can you use 'r' and
'i' instead of 'i' and 'j', to match the naming in G()?

Also, please wrap lines at 80 columns.

- Eric

From ebiggers at kernel.org  Wed Jan 12 18:35:38 2022
From: ebiggers at kernel.org (Eric Biggers)
Date: Wed, 12 Jan 2022 10:35:38 -0800
Subject: [PATCH crypto 2/2] lib/crypto: blake2s: move hmac construction
 into wireguard
In-Reply-To: <20220111134934.324663-3-Jason@zx2c4.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-3-Jason@zx2c4.com>
Message-ID: <Yd8fevK3n5aACJMF@gmail.com>

On Tue, Jan 11, 2022 at 02:49:34PM +0100, Jason A. Donenfeld wrote:
> Basically nobody should use blake2s in an HMAC construction; it already
> has a keyed variant. But for unfortunately historical reasons, Noise,
> used by WireGuard, uses HKDF quite strictly, which means we have to use
> this. Because this really shouldn't be used by others, this commit moves
> it into wireguard's noise.c locally, so that kernels that aren't using
> WireGuard don't get this superfluous code baked in. On m68k systems,
> this shaves off ~314 bytes.
> 
> Cc: Geert Uytterhoeven <geert at linux-m68k.org>
> Cc: Herbert Xu <herbert at gondor.apana.org.au>
> Cc: Ard Biesheuvel <ardb at kernel.org>
> Cc: netdev at vger.kernel.org
> Cc: wireguard at lists.zx2c4.com
> Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
> ---

Reviewed-by: Eric Biggers <ebiggers at google.com>

- Eric

From Jason at zx2c4.com  Wed Jan 12 18:50:58 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 12 Jan 2022 19:50:58 +0100
Subject: [PATCH crypto 1/2] lib/crypto: blake2s-generic: reduce code size
 on small systems
In-Reply-To: <Yd8enQTocuCSQVkT@gmail.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-2-Jason@zx2c4.com>
 <Yd8enQTocuCSQVkT@gmail.com>
Message-ID: <CAHmME9qGs8yfYy0GVcV8XaUt9cjCqQF2D79RvrsQE+CNLCeojA@mail.gmail.com>

On Wed, Jan 12, 2022 at 7:32 PM Eric Biggers <ebiggers at kernel.org> wrote:
> How about unrolling the inner loop but not the outer one?  Wouldn't that give
> most of the benefit, without hurting performance as much?
>
> If you stay with this approach and don't unroll either loop, can you use 'r' and
> 'i' instead of 'i' and 'j', to match the naming in G()?

All this might work, sure. But as mentioned earlier, I've abandoned
this entirely, as I don't think this patch is necessary. See the v3
patchset instead:

https://lore.kernel.org/linux-crypto/20220111220506.742067-1-Jason at zx2c4.com/

From Jason at zx2c4.com  Wed Jan 12 22:00:48 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 12 Jan 2022 23:00:48 +0100
Subject: [PATCH crypto 1/2] lib/crypto: blake2s-generic: reduce code size
 on small systems
In-Reply-To: <d7e206a5a03d46a69c0be3b8ed651518@AcuMS.aculab.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-2-Jason@zx2c4.com>
 <Yd8enQTocuCSQVkT@gmail.com>
 <CAHmME9qGs8yfYy0GVcV8XaUt9cjCqQF2D79RvrsQE+CNLCeojA@mail.gmail.com>
 <d7e206a5a03d46a69c0be3b8ed651518@AcuMS.aculab.com>
Message-ID: <CAHmME9p-JZS480-e3MvPsa1Q07rqX79h8oNEZsF970GjT-_nqA@mail.gmail.com>

Hi David,

On 1/12/22, David Laight <David.Laight at aculab.com> wrote:
> I think you mentioned in another thread that the buffers (eg for IPv6
> addresses) are actually often quite short.
>
> For short buffers the 'rolled-up' loop may be of similar performance
> to the unrolled one because of the time taken to read all the instructions
> into the I-cache and decode them.
> If the loop ends up small enough it will fit into the 'decoded loop
> buffer' of modern Intel x86 cpu and won't even need decoding on
> each iteration.
>
> I really suspect that the heavily unrolled loop is only really fast
> for big buffers and/or when it is already in the I-cache.
> In real life I wonder how often that actually happens?
> Especially for the uses the kernel is making of the code.
>
> You need to benchmark single executions of the function
> (doable on x86 with the performance monitor cycle counter)
> to get typical/best clocks/byte figures rather than a
> big average for repeated operation on a long buffer.
>
> 	David

This patch has been dropped entirely from future revisions. The latest
as of writing is at:

https://lore.kernel.org/linux-crypto/20220111220506.742067-1-Jason at zx2c4.com/

If you'd like to do something with blake2s, by all means submit a
patch and include various rationale and metrics and benchmarks. I do
not intend to do that myself and do not think my particular patch here
should be merged. But if you'd like to do something, feel free to CC
me for a review. However, as mentioned, I don't think much needs to be
done here.

Again, v3 is here:
https://lore.kernel.org/linux-crypto/20220111220506.742067-1-Jason at zx2c4.com/

Thanks,
Jason

From tony at tpro.tech  Wed Jan  5 18:47:46 2022
From: tony at tpro.tech (Tony Pros)
Date: Wed, 05 Jan 2022 18:47:46 +0000
Subject: Wireguard Windows Service Issues
Message-ID: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>

I believe there's a bug in the Windows service implementation, if this issue is by design, it's problematic.

I have non-admin users were when I initially set them up with wireguard, I configured it to use the service, using the command:

wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\vpn.domain.org.conf.dpapi"

The tunnel worked fine the first time. Then the user reboots the laptop, or closes it or leaves whatever coffee shop they were at and get disconnected from the wireless network they were using. When this happens, for some reason, the wireguard service then gets torn down never to come back again until I issue the command from my admin account again.

There was an issue with some users initial configuration in that they could not query hostname via DNS, so that entering the command to installservice would not even create the service.

Here's a few notes that might help with understanding.
- Users must have the VPN established before they log into the active directory servers on the remote network so that they can get all of their GPO directives.
- Wireguard Service should stay up so that any time a users connects to any network, the VPN is established immediately after that.
- The Wireguard service should also stay because non-admin users cannot create a new service


If this issue is how things will stay, and this is not considered a bug, how would you configure windows non-admin users to tunnel to an enterprise network before login via WireGuard and to continuously try to establish the tunnel while the user is not connected to a network?


--
Tony Pros - Owner
tony at tpro.tech
615 656 3543

T-Pro Tech LLC
Audio & IT Consulting

From cruise4k at gmail.com  Tue Jan 11 07:42:37 2022
From: cruise4k at gmail.com (cruise k)
Date: Tue, 11 Jan 2022 15:42:37 +0800
Subject: INFO: task hung in wg_noise_handshake_consume_initiation
Message-ID: <CAKcFiNC1w87Of0ukV3oPHiAkKeVT7bbTqG3p1LgoUs0bGXk9CQ@mail.gmail.com>

Hi,

Syzkaller found the following issue:

HEAD commit: 75acfdb Linux 5.16-rc8
git tree: upstream
console output: https://pastebin.com/raw/E1a5ZGSt
kernel config: https://pastebin.com/raw/XsnKfdRt

And hope the report log can help you.

INFO: task kworker/6:1:78 blocked for more than 143 seconds.
      Not tainted 5.16.0-rc8+ #10
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/6:1     state:D stack:26416 pid:   78 ppid:     2 flags:0x00004000
Workqueue: wg-kex-wg1 wg_packet_handshake_receive_worker
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:4972 [inline]
 __schedule+0xcd9/0x2550 kernel/sched/core.c:6253
 schedule+0xd2/0x260 kernel/sched/core.c:6326
 rwsem_down_read_slowpath+0x59c/0xa90 kernel/locking/rwsem.c:1041
 __down_read_common kernel/locking/rwsem.c:1223 [inline]
 __down_read kernel/locking/rwsem.c:1232 [inline]
 down_read+0xe2/0x440 kernel/locking/rwsem.c:1472
 wg_noise_handshake_consume_initiation+0x271/0x5f0
drivers/net/wireguard/noise.c:599
 wg_receive_handshake_packet+0x589/0x9d0 drivers/net/wireguard/receive.c:151
 wg_packet_handshake_receive_worker+0x18e/0x3d0
drivers/net/wireguard/receive.c:220
 process_one_work+0x9df/0x16a0 kernel/workqueue.c:2298
 worker_thread+0x90/0xe20 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

From geert at linux-m68k.org  Wed Jan 12 10:57:49 2022
From: geert at linux-m68k.org (Geert Uytterhoeven)
Date: Wed, 12 Jan 2022 11:57:49 +0100
Subject: [PATCH crypto 1/2] lib/crypto: blake2s-generic: reduce code size
 on small systems
In-Reply-To: <20220111134934.324663-2-Jason@zx2c4.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-2-Jason@zx2c4.com>
Message-ID: <CAMuHMdWOheM0WsHNTA2dS=wJA8kXEYx6G78bnZ51T1X8HWdzNg@mail.gmail.com>

Hi Jason,

On Tue, Jan 11, 2022 at 2:49 PM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Re-wind the loops entirely on kernels optimized for code size. This is
> really not good at all performance-wise. But on m68k, it shaves off 4k
> of code size, which is apparently important.

On arm32:

add/remove: 1/0 grow/shrink: 0/1 up/down: 160/-4212 (-4052)
Function                                     old     new   delta
blake2s_sigma                                  -     160    +160
blake2s_compress_generic                    4872     660   -4212
Total: Before=9846148, After=9842096, chg -0.04%

On arm64:

add/remove: 1/2 grow/shrink: 0/1 up/down: 160/-4584 (-4424)
Function                                     old     new   delta
blake2s_sigma                                  -     160    +160
e843419 at 0710_00007634_e8a0                     8       -      -8
e843419 at 0441_0000423a_178c                     8       -      -8
blake2s_compress_generic                    5088     520   -4568
Total: Before=32800278, After=32795854, chg -0.01%

> Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>

For the size reduction:
Tested-by: Geert Uytterhoeven <geert at linux-m68k.org>

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert at linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

From geert at linux-m68k.org  Wed Jan 12 10:59:48 2022
From: geert at linux-m68k.org (Geert Uytterhoeven)
Date: Wed, 12 Jan 2022 11:59:48 +0100
Subject: [PATCH crypto v3 0/2] reduce code size from blake2s on m68k and
 other small platforms
In-Reply-To: <20220111220506.742067-1-Jason@zx2c4.com>
References: <20220111181037.632969-1-Jason@zx2c4.com>
 <20220111220506.742067-1-Jason@zx2c4.com>
Message-ID: <CAMuHMdUcJN_ZZLnx8TuhoXYV1DAKK9NsXjH2M0xAdn9JTS16wA@mail.gmail.com>

Hi Jason,

On Tue, Jan 11, 2022 at 11:05 PM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Geert emailed me this afternoon concerned about blake2s codesize on m68k
> and other small systems. We identified two effective ways of chopping
> down the size. One of them moves some wireguard-specific things into
> wireguard proper. The other one adds a slower codepath for small
> machines to blake2s. This worked, and was v1 of this patchset, but I
> wasn't so much of a fan. Then someone pointed out that the generic C
> SHA-1 implementation is still unrolled, which is a *lot* of extra code.
> Simply rerolling that saves about as much as v1 did. So, we instead do
> that in this patchset. SHA-1 is being phased out, and soon it won't
> be included at all (hopefully). And nothing performance-oriented has
> anything to do with it anyway.
>
> The result of these two patches mitigates Geert's feared code size
> increase for 5.17.
>
> v3 improves on v2 by making the re-rolling of SHA-1 much simpler,
> resulting in even larger code size reduction and much better
> performance. The reason I'm sending yet a third version in such a short
> amount of time is because the trick here feels obvious and substantial
> enough that I'd hate for Geert to waste time measuring the impact of the
> previous commit.
>
> Thanks,
> Jason
>
> Jason A. Donenfeld (2):
>   lib/crypto: blake2s: move hmac construction into wireguard
>   lib/crypto: sha1: re-roll loops to reduce code size

Thanks for the series!

On m68k:
add/remove: 1/4 grow/shrink: 0/1 up/down: 4/-4232 (-4228)
Function                                     old     new   delta
__ksymtab_blake2s256_hmac                     12       -     -12
blake2s_init.constprop                        94       -     -94
blake2s256_hmac                              302       -    -302
sha1_transform                              4402     582   -3820
Total: Before=4230537, After=4226309, chg -0.10%

Tested-by: Geert Uytterhoeven <geert at linux-m68k.org>

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert at linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

From David.Laight at ACULAB.COM  Wed Jan 12 21:27:40 2022
From: David.Laight at ACULAB.COM (David Laight)
Date: Wed, 12 Jan 2022 21:27:40 +0000
Subject: [PATCH crypto 1/2] lib/crypto: blake2s-generic: reduce code size
 on small systems
In-Reply-To: <CAHmME9qGs8yfYy0GVcV8XaUt9cjCqQF2D79RvrsQE+CNLCeojA@mail.gmail.com>
References: <CAHmME9qbnYmhvsuarButi6s=58=FPiti0Z-QnGMJ=OsMzy1eOg@mail.gmail.com>
 <20220111134934.324663-1-Jason@zx2c4.com>
 <20220111134934.324663-2-Jason@zx2c4.com> <Yd8enQTocuCSQVkT@gmail.com>
 <CAHmME9qGs8yfYy0GVcV8XaUt9cjCqQF2D79RvrsQE+CNLCeojA@mail.gmail.com>
Message-ID: <d7e206a5a03d46a69c0be3b8ed651518@AcuMS.aculab.com>

From: Jason A. Donenfeld
> Sent: 12 January 2022 18:51
> 
> On Wed, Jan 12, 2022 at 7:32 PM Eric Biggers <ebiggers at kernel.org> wrote:
> > How about unrolling the inner loop but not the outer one?  Wouldn't that give
> > most of the benefit, without hurting performance as much?
> >
> > If you stay with this approach and don't unroll either loop, can you use 'r' and
> > 'i' instead of 'i' and 'j', to match the naming in G()?
> 
> All this might work, sure. But as mentioned earlier, I've abandoned
> this entirely, as I don't think this patch is necessary. See the v3
> patchset instead:
> 
> https://lore.kernel.org/linux-crypto/20220111220506.742067-1-Jason at zx2c4.com/

I think you mentioned in another thread that the buffers (eg for IPv6
addresses) are actually often quite short.

For short buffers the 'rolled-up' loop may be of similar performance
to the unrolled one because of the time taken to read all the instructions
into the I-cache and decode them.
If the loop ends up small enough it will fit into the 'decoded loop
buffer' of modern Intel x86 cpu and won't even need decoding on
each iteration.

I really suspect that the heavily unrolled loop is only really fast
for big buffers and/or when it is already in the I-cache.
In real life I wonder how often that actually happens?
Especially for the uses the kernel is making of the code.

You need to benchmark single executions of the function
(doable on x86 with the performance monitor cycle counter)
to get typical/best clocks/byte figures rather than a
big average for repeated operation on a long buffer.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

From aachterberg at emtech.com.ar  Fri Jan 14 19:43:19 2022
From: aachterberg at emtech.com.ar (Alejandro Pablo Achterberg)
Date: Fri, 14 Jan 2022 14:43:19 -0500 (EST)
Subject: wintun 0.13 driver - performance issue
Message-ID: <1138419590.64184.1642189399873@email.ionos.com>

Hi everyone !
I have this issue to share to see if it can be considered a natural limitation of the implementation or (more probably) that I am making some bad decisions.
I modified the example.c included in wintun-0.13 code to test higher rates of packet sending.
I am building Multicast UDP packets 200 bytes long that are received at a consumer application -that opens a socket to the wintun adapter registering the multicast group to the socket-.
I turned off all console logging during the test run.
I'm running on a Windows Server 2019, 8 cores, 32 GB RAM, Visual Studio Community 2019.
What I get is that the example can send the 100 Kpps (and up to ~300 Kpps) without problems, but not with the consumer application reading packets from the wintun adapter.
When the consumer application is reading packets from the wintun interface the top sending rate falls about 15-20%.
It keeps below 85 Kpps and shows some events of problems at WintunAllocateSendPacket(). I set the Rings capacity to the MAX allowed of 64 MB.
Trying to fix this behaviour I modified the ERROR_BUFFER_OVERFLOW error handling doing a wait on the Alertable state of the Receive Ring and settting the Receive.Tailmoved event when that happens.
This is the SendPackets() method:
static DWORD WINAPI
SendPackets(_Inout_ DWORD_PTR SessionPtr)
{
TUN_SESSION* Session = (TUN_SESSION*)SessionPtr;
while (!HaveQuit)
{
BYTE* Packet = WintunAllocateSendPacket(Session, 228);
if (Packet)
{
MakeIpPacket(Packet);
WintunSendPacket(Session, Packet);
++sentPkts;
spin(RATE, PPS);
}
else {
if (GetLastError() != ERROR_BUFFER_OVERFLOW) {
return LogLastError(L"Packet write failed");
}
else {
while (Session->Descriptor.Receive.Ring->Alertable != 1) {
spin(1000, FALSE);
}
SetEvent(Session->Descriptor.Receive.TailMoved);
++sendDelay;
}
}
}
return ERROR_SUCCESS;
}
and this is my spin() function:
// Packets per second sent can be defined as PPS using windows timers or with their period using a count loop
static boolean PPS = TRUE;
static LONG RATE = 115000;
static void
spin(LONGLONG rate, boolean isPPS) {
LARGE_INTEGER StartingTime, CurrentTime, ElapsedMicroseconds;
LONGLONG nano;
if (isPPS) {
nano = 1e9 / rate;
QueryPerformanceCounter(&StartingTime);
while (TRUE) {
if (HaveQuit)
break;
QueryPerformanceCounter(&CurrentTime);
ElapsedMicroseconds.QuadPart = CurrentTime.QuadPart - StartingTime.QuadPart;
ElapsedMicroseconds.QuadPart *= 1000000; // guard against loss-of-precision
ElapsedMicroseconds.QuadPart /= Frequency.QuadPart;
ElapsedMicroseconds.QuadPart *= 1000; // nanoseconds
if (nano < ElapsedMicroseconds.QuadPart) {
break;
}
}
}
else {
if (rate < 1000) {
return;
}
nano = rate;
while (nano > 0) {
if (HaveQuit)
break;
--nano;
}
}
}
Statistics reported look like this when sending to the wintun interface and without the consumer application active.
Rate of 100 Kpps is easily reached.
"Delayed" counts are ERROR_BUFFER_OVERFLOW events from WintunAllocateSendPacket().
> .\wintunprj.exe
2022-01-11 21:09:19.0371 [+] Wintun library loaded
2022-01-11 21:09:19.0377 [+] WintunCreateAdapter: Creating adapter
2022-01-11 21:09:19.0477 [+] SelectDriver: Using existing driver 0.13
2022-01-11 21:09:19.0757 [+] Wintun v0.13 loaded
2022-01-11 21:09:19.0762 [+] Starting -----------------------------
2022-01-11 21:09:19.0774 [+] Run started with PPS: 115000
2022-01-11 21:09:26.0764 [+] Elapsed time in seconds: 6.985698
2022-01-11 21:09:26.0766 [+] 757111 packets sent, 42 packets received
2022-01-11 21:09:26.0768 [+] Packets sent at 108380 pps
2022-01-11 21:09:26.0769 [+] Final Sending problem counts - delayed: 0
And the statistics look like this with the consumer application active.
Packet rate drops to 84 Kpps.
Delayed events are present but they don't look significant actually...
.\wintunprj.exe
2022-01-11 21:33:22.0198 [+] Wintun library loaded
2022-01-11 21:33:22.0204 [+] WintunCreateAdapter: Creating adapter
2022-01-11 21:33:22.0282 [+] SelectDriver: Using existing driver 0.13
2022-01-11 21:33:22.0564 [+] Wintun v0.13 loaded
2022-01-11 21:33:22.0576 [+] Starting -----------------------------
2022-01-11 21:33:22.0594 [+] Run started with PPS: 115000
2022-01-11 21:34:39.0068 [+] Elapsed time in seconds: 76.470261
2022-01-11 21:34:39.0070 [+] 6455902 packets sent, 45 packets received
2022-01-11 21:34:39.0072 [+] Packets sent at 84424 pps
2022-01-11 21:34:39.0074 [+] Final Sending problem counts - delayed: 5
Any thoughts or ideas on how is this happening and changes due will be really appreciated !
Thanks,
Alex

From alessio.nossa+list at gmail.com  Sun Jan 16 00:11:09 2022
From: alessio.nossa+list at gmail.com (Alessio Nossa)
Date: Sun, 16 Jan 2022 01:11:09 +0100
Subject: [wireguard-apple] Siri Shortcuts/Intents integration
Message-ID: <CAMTfdYr3YRv4MQKBhbj=Mq-QK_7nQF_DsbsB2wPLCf-idV8=ig@mail.gmail.com>

Hello
In the last month I worked on the implementation of Siri
Shortcuts/Intents integration for the WireGuard app (at the moment,
only on iOS), to automate some tasks like connecting a
tunnel, getting tunnel peers, and updating configuration at runtime. I
saw that this feature was on your TODO List too [1].

My idea is to have an interface to manage connections, to make up for
the absence of wgctrl-go [2] on iOS. I need this to dynamically update
endpoints at runtime for NAT Traversal purposes [3]; specifically, I
need peers' public keys and a way to set endpoints at runtime [4].

There are some issues due to an Apple's bug [5] that doesn't allow an
extension to update the configuration owned by its parent app. As a
workaround the update configuration action will launch the main app.

As this is my first time contributing to wireguard-apple, if you have
any advice, I'm here to hear from you.
As suggested in macOS and iOS TODO list, I?d like to have push access
to the repository (or any other way I can submit it) to contribute
with my work (I already sent an email to team at wireguard.com, but
received no response).

Kind regards,

[1] https://docs.google.com/document/d/1BnzImOF8CkungFnuRlWhnEpY2OmEHSckat62aZ6LYGY
[2] https://github.com/WireGuard/wgctrl-go
[3] https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/
[4] https://github.com/jwhited/wgsd/blob/master/cmd/wgsd-client/main.go
[5] https://developer.apple.com/forums/thread/96020

From simon at rozman.si  Mon Jan 17 10:51:01 2022
From: simon at rozman.si (Simon Rozman)
Date: Mon, 17 Jan 2022 10:51:01 +0000
Subject: Wireguard Windows Service Issues
In-Reply-To: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>
References: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>
Message-ID: <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>

Hi,

> I believe there's a bug in the Windows service implementation, if this
> issue is by design, it's problematic.
> 
> I have non-admin users were when I initially set them up with wireguard,
> I configured it to use the service, using the command:
> 
> wireguard /installtunnelservice "C:\Program
> Files\WireGuard\Data\Configurations\vpn.domain.org.conf.dpapi"
> 
> The tunnel worked fine the first time. Then the user reboots the laptop,
> or closes it or leaves whatever coffee shop they were at and get
> disconnected from the wireless network they were using. When this
> happens, for some reason, the wireguard service then gets torn down
> never to come back again until I issue the command from my admin account
> again.

Can you do the wireguard /dumplog > wireguard.log and investigate.

> There was an issue with some users initial configuration in that they
> could not query hostname via DNS, so that entering the command to
> installservice would not even create the service.

WireGuard services start early on boot - sometimes even before the DNSCache (DNS Client). If the service can't resolve hostnames used in the config file, it will stop. But it will log this. Resolution to this problem is:
- Use IPs rather than hostnames.
- Add hostnames you use in your .conf file to C:\Windows\system32\drivers\etc\hosts.
- Add DNSCache dependency to the WireGuardTunnel$<your tunnel name> service.

I personally would pick one of the first two options above. Don't like the idea my laptop is asking a coffee shop's DNS what is my VPN endpoint IP address.

> Here's a few notes that might help with understanding.
> - Users must have the VPN established before they log into the active
> directory servers on the remote network so that they can get all of
> their GPO directives.
> - Wireguard Service should stay up so that any time a users connects to
> any network, the VPN is established immediately after that.
> - The Wireguard service should also stay because non-admin users cannot
> create a new service

I understand. That is exactly how we use WireGuard in our company.

> If this issue is how things will stay, and this is not considered a bug,
> how would you configure windows non-admin users to tunnel to an
> enterprise network before login via WireGuard and to continuously try to
> establish the tunnel while the user is not connected to a network?

Let me assure you, the behavior you are expecting is definitely pathological. Please investigate the log file why the tunnel service does not persist as it should.

Best regards,
Simon

From tlhackque at yahoo.com  Mon Jan 17 11:18:55 2022
From: tlhackque at yahoo.com (tlhackque)
Date: Mon, 17 Jan 2022 06:18:55 -0500
Subject: Wireguard Windows Service Issues
In-Reply-To: <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
References: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>
 <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
Message-ID: <56d2209f-f655-6302-df6d-bce587c8368d@yahoo.com>

On 17-Jan-22 05:51, Simon Rozman wrote:
> Hi,
>
>
> WireGuard services start early on boot - sometimes even before the DNSCache (DNS Client). If the service can't resolve hostnames used in the config file, it will stop. But it will log this. Resolution to this problem is:
> - Use IPs rather than hostnames.
> - Add hostnames you use in your .conf file to C:\Windows\system32\drivers\etc\hosts.
> - Add DNSCache dependency to the WireGuardTunnel$<your tunnel name> service.
>
> I personally would pick one of the first two options above. Don't like the idea my laptop is asking a coffee shop's DNS what is my VPN endpoint IP address.
>
>
 From this description, it seems that there's room for improvement.

It doesn't seem reasonable for the WireGuard service to stop. Log and 
perhaps display an error, sure.? But stopping seems harsh, and would 
prevent other tunnel endpoints from working - not a good user experience.

It would seem better for the service to set a timer and retry failures 
periodically - many DNS issues are transient.

It also seems to me that it would be better for the default to be option 
3 - make all tunnels dependent on DNSCache without requiring any 
user/admin action.? One could condition this on an endpoint being 
specified as a hostname, but that doesn't seem worth the effort.? Pretty 
much any use of a tunnel needs name resolution.? Even if your resolvers 
are at the other end of the tunnel, starting the client before it's up 
is harmless.

Anyone concerned about DNS snooping on name resolution of the endpoints 
can avoid it by using either of the other two options: hardcoded IP in 
the configuration, or an entry in "hosts".

"It just works" seems much more desirable than mystery service stops.? A 
UI status "waiting for hostname resolution" would be ideal.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20220117/d4977e3c/attachment.sig>

From simon at rozman.si  Mon Jan 17 12:47:07 2022
From: simon at rozman.si (Simon Rozman)
Date: Mon, 17 Jan 2022 12:47:07 +0000
Subject: Wireguard Windows Service Issues
In-Reply-To: <56d2209f-f655-6302-df6d-bce587c8368d@yahoo.com>
References: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>
 <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
 <56d2209f-f655-6302-df6d-bce587c8368d@yahoo.com>
Message-ID: <022c115a7c254bec99bb67a12f9d59f4@rozman.si>

Hi,

>  From this description, it seems that there's room for improvement.
> 
> It doesn't seem reasonable for the WireGuard service to stop. Log and
> perhaps display an error, sure.? But stopping seems harsh, and would
> prevent other tunnel endpoints from working - not a good user
> experience.
> 
> It would seem better for the service to set a timer and retry failures
> periodically - many DNS issues are transient.
> 
> It also seems to me that it would be better for the default to be option
> 3 - make all tunnels dependent on DNSCache without requiring any
> user/admin action.? One could condition this on an endpoint being
> specified as a hostname, but that doesn't seem worth the effort.? Pretty
> much any use of a tunnel needs name resolution.? Even if your resolvers
> are at the other end of the tunnel, starting the client before it's up
> is harmless.
> 
> Anyone concerned about DNS snooping on name resolution of the endpoints
> can avoid it by using either of the other two options: hardcoded IP in
> the configuration, or an entry in "hosts".
> 
> "It just works" seems much more desirable than mystery service stops.? A
> UI status "waiting for hostname resolution" would be ideal.

The DNSCache service is optional on Windows 7/8/8.1/Server 2008R2/2012R2 and may be even disabled. (And the resolution would work just fine.) Since SCM treats all service dependencies as "hard" dependencies, that would render all WireGuard tunnel services fail to start. It's a fairly rare use case, but a demonstration SCM service dependencies must be authored with extreme care.

I'd rather suggest pursuing the macOS approach where services don't have any dependencies to force developers engineer their services to sleep and retry until their dependencies get available. As you suggested first. However, WireGuard for Windows already has DNS resolution retrying loop. Maybe it needs improvement? Let's wait to see what OP's log says.

Regards,
Simon

From Jason at zx2c4.com  Tue Jan 18 11:43:09 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 18 Jan 2022 12:43:09 +0100
Subject: [PATCH crypto v3 0/2] reduce code size from blake2s on m68k and
 other small platforms
In-Reply-To: <YeZhVGczxcBl0sI9@gondor.apana.org.au>
References: <CAHmME9rxdksVZkN4DF_GabsEPrSDrKbo1cVQs77B_s-e2jZ64A@mail.gmail.com>
 <YeZhVGczxcBl0sI9@gondor.apana.org.au>
Message-ID: <CAHmME9ogAW0o2PReNtsD+fFgwp28q2kP7WADtbd8kA7GsnKBpg@mail.gmail.com>

On 1/18/22, Herbert Xu <herbert at gondor.apana.org.au> wrote:
> As the patches that triggered this weren't part of the crypto
> tree, this will have to go through the random tree if you want
> them for 5.17.

Sure, will do.

From David.Laight at ACULAB.COM  Tue Jan 18 12:44:57 2022
From: David.Laight at ACULAB.COM (David Laight)
Date: Tue, 18 Jan 2022 12:44:57 +0000
Subject: [PATCH crypto v3 0/2] reduce code size from blake2s on m68k and
 other small platforms
In-Reply-To: <CAHmME9ogAW0o2PReNtsD+fFgwp28q2kP7WADtbd8kA7GsnKBpg@mail.gmail.com>
References: <CAHmME9rxdksVZkN4DF_GabsEPrSDrKbo1cVQs77B_s-e2jZ64A@mail.gmail.com>
 <YeZhVGczxcBl0sI9@gondor.apana.org.au>
 <CAHmME9ogAW0o2PReNtsD+fFgwp28q2kP7WADtbd8kA7GsnKBpg@mail.gmail.com>
Message-ID: <ad862f5ad048404ab452e25bba074824@AcuMS.aculab.com>

From: Jason A. Donenfeld
> Sent: 18 January 2022 11:43
> 
> On 1/18/22, Herbert Xu <herbert at gondor.apana.org.au> wrote:
> > As the patches that triggered this weren't part of the crypto
> > tree, this will have to go through the random tree if you want
> > them for 5.17.
> 
> Sure, will do.

I've rammed the code through godbolt... https://godbolt.org/z/Wv64z9zG8

Some things I've noticed;

1) There is no point having all the inline functions.
   Far better to have real functions to do the work.
   Given the cost of hashing 64 bytes of data the extra
   function call won't matter.
   Indeed for repeated calls it will help because the required
   code will be in the I-cache.

2) The compiles I tried do manage to remove the blake2_sigma[][]
   when unrolling everything - which is a slight gain for the full
   unroll. But I doubt it is that significant if the access can
   get sensibly optimised.
   For non-x86 that might require all the values by multiplied by 4.

3) Although G() is a massive register dependency chain the compiler
   knows that G(,[0-3],) are independent and can execute in parallel.
   This does help execution time on multi-issue cpu (like x86).
   With care it ought to be possible to use the same code for G(,[4-7],)
   without stopping the compiler interleaving all the instructions.

4) I strongly suspect that using a loop for the rounds will have
   minimal impact on performance - especially if the first call is
   'cold cache'.
   But I've not got time to test the code.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

From Jason at zx2c4.com  Tue Jan 18 12:50:51 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 18 Jan 2022 13:50:51 +0100
Subject: [PATCH crypto v3 0/2] reduce code size from blake2s on m68k and
 other small platforms
In-Reply-To: <ad862f5ad048404ab452e25bba074824@AcuMS.aculab.com>
References: <CAHmME9rxdksVZkN4DF_GabsEPrSDrKbo1cVQs77B_s-e2jZ64A@mail.gmail.com>
 <YeZhVGczxcBl0sI9@gondor.apana.org.au>
 <CAHmME9ogAW0o2PReNtsD+fFgwp28q2kP7WADtbd8kA7GsnKBpg@mail.gmail.com>
 <ad862f5ad048404ab452e25bba074824@AcuMS.aculab.com>
Message-ID: <CAHmME9qqqz80hd4er8eAqYpo1gzLSPVyDub0sfmY0YBEqLeiHw@mail.gmail.com>

On Tue, Jan 18, 2022 at 1:45 PM David Laight <David.Laight at aculab.com> wrote:
> I've rammed the code through godbolt... https://godbolt.org/z/Wv64z9zG8
>
> Some things I've noticed;

It seems like you've done a lot of work here but...

>    But I've not got time to test the code.

But you're not going to take it all the way. So it unfortunately
amounts to mailing list armchair optimization. That's too bad because
it really seems like you might be onto something worth seeing through.
As I've mentioned a few times now, I've dropped the blake2s
optimization patch, and I won't be developing that further. But it
appears as though you've really been captured by it, so I urge you:
please send a real patch with benchmarks on various platforms! (And CC
me on the patch.) Faster reference code would really be terrific.

Jason

From tony at tpro.tech  Fri Jan 21 21:03:43 2022
From: tony at tpro.tech (Tony Pros)
Date: Fri, 21 Jan 2022 21:03:43 +0000
Subject: Wireguard Windows Service Issues
In-Reply-To: <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
References: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>
 <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
Message-ID: <9-M1j7GQozeUMiB1Qm-kk17KUFZ_tE4h4oF-n0QEGEXh0IYS-sv3PDvecqKRPasw5Kw_60Do1VAMBuWQymyiQ79wnej1AOl8KsvWwVZ3mlE=@tpro.tech>

I created a test account and ran through quite a few permutations of disconnecting and reconnecting to various wireless networks, rebooting the laptop and making it go to sleep, and I now have a bit more insight.

The problem still is occurring, the service seems to get torn down never to come back again once the user comes back to the office and connects back into the main network with ethernet. When the user is on the main network the VPN host address will not get resolved by DNS by design. We do not want the user to be on the VPN when they are already on the internal network. If there's a better way to handle the VPN not connecting when the non-admin user is on the internal network I'm open to that too. We use a hostname for VPN server resolution because we use both IPv4 and IPv6 for host connectivity.

Below I am pasting the logs that I have performed some scrubbing on:
-----------------------------

2022-01-21 10:54:00.402263: [MGR] Starting WireGuard/0.4.7 (Windows 10.0.19043; amd64)
2022-01-21 10:54:00.406469: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 10:54:00.599524: [MGR] An update is available
2022-01-21 10:54:04.650335: [MGR] Exited UI process for user 'admin at NETBIOS' for session 1 with status 0
2022-01-21 10:54:05.565857: [MGR] Starting WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 10:54:05.571428: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 10:59:40.136976: [MGR] Exited UI process for user 'admin at NETBIOS' for session 1 with status 40010004
2022-01-21 10:59:41.151462: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 10:59:41.723899: [MGR] Exited UI process for user 'admin at NETBIOS' for session 1 with status 40010004
2022-01-21 10:59:42.732795: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 10:59:42.732795: [MGR] Unable to start manager UI process for user 'admin at NETBIOS' for session 1: Session has logged out
2022-01-21 11:00:16.650075: [MGR] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 11:00:37.045737: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 11:02:50.557927: [MGR] Exited UI process for user 'admin at NETBIOS' for session 1 with status 40010004
2022-01-21 11:02:51.562675: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 11:02:51.562675: [MGR] Unable to start manager UI process for user 'admin at NETBIOS' for session 1: Session has logged out
2022-01-21 11:09:17.473420: [MGR] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 11:09:37.003152: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 12:58:29.317315: [TUN] [vpn.domain.com] Starting WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 12:58:29.317315: [TUN] [vpn.domain.com] Watching network interfaces
2022-01-21 12:58:29.318889: [TUN] [vpn.domain.com] Resolving DNS names
2022-01-21 12:58:29.359083: [TUN] [vpn.domain.com] Creating network adapter
2022-01-21 12:58:29.481814: [TUN] [vpn.domain.com] Installing driver 0.10
2022-01-21 12:58:29.493513: [TUN] [vpn.domain.com] Extracting driver
2022-01-21 12:58:29.500849: [TUN] [vpn.domain.com] Installing driver
2022-01-21 12:58:29.897233: [TUN] [vpn.domain.com] Creating adapter
2022-01-21 12:58:30.290389: [TUN] [vpn.domain.com] Using WireGuardNT/0.10
2022-01-21 12:58:30.290389: [TUN] [vpn.domain.com] Enabling firewall rules
2022-01-21 12:58:30.254228: [TUN] [vpn.domain.com] Interface created
2022-01-21 12:58:30.294639: [TUN] [vpn.domain.com] Dropping privileges
2022-01-21 12:58:30.294639: [TUN] [vpn.domain.com] Setting interface configuration
2022-01-21 12:58:30.295150: [TUN] [vpn.domain.com] Peer 1 created
2022-01-21 12:58:30.295683: [TUN] [vpn.domain.com] Monitoring MTU of default v4 routes
2022-01-21 12:58:30.295683: [TUN] [vpn.domain.com] Interface up
2022-01-21 12:58:30.302034: [TUN] [vpn.domain.com] Setting device v4 addresses
2022-01-21 12:58:30.303280: [TUN] [vpn.domain.com] Monitoring MTU of default v6 routes
2022-01-21 12:58:30.303783: [TUN] [vpn.domain.com] Setting device v6 addresses
2022-01-21 12:58:30.304926: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 12:58:30.325700: [TUN] [vpn.domain.com] Startup complete
2022-01-21 12:58:30.348690: [TUN] [vpn.domain.com] Receiving handshake response from peer 1 (x.x.x.x:51820)
2022-01-21 12:58:30.348690: [TUN] [vpn.domain.com] Keypair 1 created for peer 1
2022-01-21 12:58:53.611873: [MGR] Exited UI process for user 'admin at NETBIOS' for session 1 with status 40010004
2022-01-21 12:58:54.619283: [MGR] Starting UI process for user ?admin at NETBIOS? for session 1
2022-01-21 12:58:54.619283: [MGR] Unable to start manager UI process for user 'admin at NETBIOS' for session 1: Session has logged out
2022-01-21 12:59:56.879394: [TUN] [vpn.domain.com] Keypair 1 destroyed for peer 1
2022-01-21 13:00:17.467669: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:22.528338: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:27.557583: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:00:27.557583: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:32.606525: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:00:32.606525: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:37.664797: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:00:37.664797: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:42.669395: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:47.804906: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:00:47.804959: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:52.810389: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:00:52.810389: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:00:57.863445: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:00:57.863445: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:01:02.938686: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:01:07.955822: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:01:07.955822: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:01:12.965097: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:01:12.965097: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:01:17.972547: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:01:17.972547: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:01:23.089180: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:01:23.089180: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:01:28.202930: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:01:28.202930: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:01:28.230393: [TUN] [vpn.domain.com] Receiving handshake response from peer 1 (192.168.99.1:51820)
2022-01-21 13:01:28.230393: [TUN] [vpn.domain.com] Keypair 2 created for peer 1
2022-01-21 13:02:20.268277: [TUN] [vpn.domain.com] Sending keepalive packet to peer 1 (192.168.99.1:51820)
2022-01-21 13:02:52.586509: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:02:52.586509: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:02:57.727297: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:02:57.727297: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:02.800696: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:03:02.800696: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:07.645234: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:03:07.895820: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:03:07.895820: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:13.037051: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:03:13.037051: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:18.116518: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:03:18.116518: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:22.805189: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:03:23.288869: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:03:23.288869: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:28.308937: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:03:28.308937: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:33.418431: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:03:33.418431: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:37.882321: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:03:38.445762: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:43.519743: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:03:43.519743: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:48.581409: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:03:48.581409: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:52.981764: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:03:53.689057: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:03:53.689057: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:03:58.747131: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:03:58.747131: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:03.908738: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:03.908738: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:08.315502: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:04:08.958709: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:08.958709: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:14.016788: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:19.084504: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:19.084504: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:23.778633: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:04:24.127125: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:29.218748: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:29.218748: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:34.231731: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:34.231731: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:39.075199: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:04:39.341356: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:39.341356: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:44.513798: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:44.513798: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:49.610111: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:49.610111: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:54.738254: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:04:54.738254: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:04:59.818290: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:04:59.818290: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:04.899930: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:05:04.899930: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:09.935659: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:05:09.935659: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:15.031441: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:05:15.031441: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:20.202771: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:05:20.202771: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:25.247134: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:05:25.247134: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:30.364604: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:05:30.364604: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:35.457967: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:05:35.457967: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:40.513820: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:05:40.513820: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:45.605902: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:05:45.605902: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:50.780061: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 6)
2022-01-21 13:05:50.780061: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:05:55.921797: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 7)
2022-01-21 13:05:55.921797: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:01.057740: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 8)
2022-01-21 13:06:01.057740: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:06.187809: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 9)
2022-01-21 13:06:06.187809: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:11.310265: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 10)
2022-01-21 13:06:11.310265: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:16.471611: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 11)
2022-01-21 13:06:16.471611: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:21.571279: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 12)
2022-01-21 13:06:21.571279: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:26.698041: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:06:26.698041: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:31.860464: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:06:31.860529: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:36.886223: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:06:36.886223: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:42.057072: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:06:42.057072: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:47.146446: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:06:47.146446: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:52.286497: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:06:52.286497: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:06:57.424177: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:06:57.424177: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:02.482674: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:07:02.482674: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:07.563106: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:07:07.563106: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:12.732463: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 6)
2022-01-21 13:07:12.732463: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:17.845855: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 7)
2022-01-21 13:07:17.845855: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:22.909751: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 8)
2022-01-21 13:07:22.909751: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:27.959797: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 9)
2022-01-21 13:07:27.959797: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:33.045043: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 10)
2022-01-21 13:07:33.045043: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:38.165594: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:07:38.165594: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:43.351604: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:07:43.351604: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:48.449930: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:07:48.449930: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:53.572846: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:07:53.572846: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:07:58.717729: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:07:58.717931: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:03.752142: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:08:03.752142: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:08.929394: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:08:08.929394: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:14.057561: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 6)
2022-01-21 13:08:14.057561: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:19.101167: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 7)
2022-01-21 13:08:19.101167: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:24.277494: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 8)
2022-01-21 13:08:24.277494: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:29.419552: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:08:29.419552: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:34.606448: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:08:34.606448: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:39.736667: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:08:39.736667: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:44.826807: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:08:44.826807: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:49.921629: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:08:49.921629: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:08:55.074697: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:08:55.074697: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:00.157100: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:09:00.157100: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:05.305690: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 6)
2022-01-21 13:09:05.305690: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:10.389663: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 7)
2022-01-21 13:09:10.389663: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:15.559298: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 8)
2022-01-21 13:09:15.559298: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:20.699881: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 9)
2022-01-21 13:09:20.699881: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:25.801829: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 10)
2022-01-21 13:09:25.801829: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:30.877613: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 11)
2022-01-21 13:09:30.877613: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:36.000216: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 12)
2022-01-21 13:09:36.000216: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:41.041500: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:09:41.041500: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:46.085437: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:51.167640: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:09:51.167640: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:09:56.245602: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:09:56.245602: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:01.375144: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:10:01.375144: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:06.431110: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:10:06.431110: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:11.594853: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 6)
2022-01-21 13:10:11.594853: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:16.769072: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 7)
2022-01-21 13:10:16.769072: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:21.929730: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 8)
2022-01-21 13:10:21.929730: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:26.990764: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:10:26.990764: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:28.807783: [TUN] [vpn.domain.com] Zeroing out all keys for peer 1 (192.168.99.1:51820), since we haven't received a new one in 540 seconds
2022-01-21 13:10:28.807783: [TUN] [vpn.domain.com] Keypair 2 destroyed for peer 1
2022-01-21 13:10:32.095515: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:10:32.095515: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:37.212543: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:42.295710: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:10:42.295710: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:47.458538: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:10:47.458538: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:52.488316: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:10:52.488316: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:10:57.510976: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:02.543018: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:07.589466: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:12.620940: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:17.712428: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:22.860392: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:27.980474: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:11:27.980474: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:32.993213: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:38.095573: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:11:38.095573: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:43.232322: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:48.329984: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:11:48.329984: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:53.338681: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:11:53.338681: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:11:58.469384: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:11:58.469384: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:12:03.569297: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:12:03.569297: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:12:08.658482: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:12:13.688722: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:12:18.828337: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:12:23.949678: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:12:23.949678: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:12:29.010264: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:12:29.022034: [TUN] [vpn.domain.com] Receiving handshake response from peer 1 (192.168.99.1:51820)
2022-01-21 13:12:29.022034: [TUN] [vpn.domain.com] Keypair 3 created for peer 1
2022-01-21 13:14:24.960352: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:14:24.960352: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:14:29.978645: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:14:35.015136: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:14:35.015136: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:14:40.088048: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:14:40.088048: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:14:40.209395: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:14:45.147021: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:14:45.147021: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:14:50.267293: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:14:50.267293: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:14:55.299003: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:14:55.299003: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:14:55.441283: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:15:00.331353: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:05.502915: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:15:05.502915: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:10.536441: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:15:10.536441: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:15.624819: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:15:15.624819: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:20.749237: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:15:20.749237: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:25.726624: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:15:25.914733: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:15:25.914733: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:31.070989: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:15:31.070989: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:36.137150: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:41.137348: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (192.168.99.1:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:15:41.137348: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:46.138115: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:51.288239: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:15:51.288239: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:15:56.329555: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:01.469712: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:01.469712: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:06.548366: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:06.548366: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:11.610310: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:11.610310: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:16.625925: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:16.626664: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:21.704576: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:21.704576: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:26.815817: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:26.815817: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:31.830904: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:36.908518: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:41.955274: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:41.955274: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:47.002104: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:47.002104: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:52.168232: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:52.168232: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:16:57.304093: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:16:57.304093: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:02.335226: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:07.336829: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:12.339140: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:17.402083: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:22.449558: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:17:22.449558: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:27.493306: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:32.530377: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:17:32.530377: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:37.565357: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:42.729784: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:17:42.729784: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:47.890695: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:17:47.890695: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:52.997983: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:17:52.997983: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:17:58.008853: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:17:58.008853: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:03.059009: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:03.059009: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:08.134002: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:08.134002: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:13.213556: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:18.348460: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:18.348460: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:23.389702: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:23.389702: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:28.459212: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:28.459212: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:33.542736: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:33.542736: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:38.652018: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:38.652018: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:43.757606: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:43.757606: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:48.834638: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:53.968969: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:53.968969: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:18:59.123832: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:18:59.123832: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:04.241876: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:04.241876: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:09.401883: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:09.401883: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:14.479444: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:14.479444: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:19.536844: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:19.536844: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:24.593756: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:24.593756: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:29.624439: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:29.624439: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:34.670758: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:34.670758: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:39.780541: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:39.780541: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:44.921032: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:44.921032: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:50.078200: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:50.078200: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:19:55.182301: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:19:55.182301: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:00.306729: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:00.306729: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:05.337398: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:10.515088: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:10.515088: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:15.545749: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:15.545749: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:20.624360: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:20.624360: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:25.702797: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:30.730139: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:30.730139: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:35.865340: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:35.865340: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:40.875342: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:40.875342: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:45.937371: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:45.937371: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:51.073144: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:51.073144: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:20:56.198085: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:20:56.198085: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:01.230524: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:01.231273: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:06.401452: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:06.401452: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:11.429281: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:16.438693: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:21.497838: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:21.497838: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:26.554965: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:26.554965: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:29.032701: [TUN] [vpn.domain.com] Zeroing out all keys for peer 1 (192.168.99.1:51820), since we haven't received a new one in 540 seconds
2022-01-21 13:21:29.032701: [TUN] [vpn.domain.com] Keypair 3 destroyed for peer 1
2022-01-21 13:21:31.634251: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:31.634251: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:36.648994: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:41.744768: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:41.744768: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:46.820298: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:46.820298: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:51.978417: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:51.978417: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:21:57.092662: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:21:57.092662: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:02.244123: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:02.244123: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:07.304618: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:07.304618: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:12.450243: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:12.450243: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:17.585937: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:22:17.585937: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:22.700122: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:22:22.700122: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:27.829977: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:22:27.829977: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:32.914472: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:32.914472: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:38.031393: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:38.031393: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:43.087043: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:43.087043: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:48.259506: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:48.259506: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:53.283747: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:22:53.284048: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:22:58.287434: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:03.302845: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:08.333487: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:13.422465: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:13.422465: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:18.517639: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:18.517639: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:23.544872: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:28.666841: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:28.666841: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:33.721504: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:33.721504: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:38.722453: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:43.849861: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:43.849861: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:48.917255: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:48.917255: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:54.033999: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:54.033999: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:23:59.076944: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:23:59.076944: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:04.139259: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:04.139259: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:09.232144: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:09.232144: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:14.289650: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:14.289650: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:19.343783: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:24.431561: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:24.431561: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:29.500362: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:29.500362: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:34.595092: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:34.595092: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:39.740375: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:39.740375: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:44.841023: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:44.841023: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:49.860200: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:49.860200: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:54.916426: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:54.916426: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:24:59.999055: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:24:59.999055: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:05.024357: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:05.024357: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:10.130794: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:10.130794: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:15.256276: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:15.256276: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:20.306876: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:20.306876: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:25.360741: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:30.456636: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:35.550305: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:35.550305: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:40.717410: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:40.717410: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:45.811015: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:45.811015: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:50.841745: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:50.841745: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:25:55.892066: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:25:55.892066: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:00.948477: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:00.948477: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:05.985441: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:11.078884: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:11.078884: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:16.122457: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:16.122457: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:21.137967: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:21.137967: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:26.200877: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:26:26.200877: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:31.278505: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:31.278505: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:36.341006: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:26:36.341006: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:41.496712: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:41.496712: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:46.574227: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:46.574227: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:51.589239: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:51.589239: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:26:56.619832: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:26:56.619832: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:01.760262: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:27:01.760262: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:06.927052: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:27:06.927052: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:11.941974: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:27:11.941974: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:17.020159: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:27:17.020159: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:22.082256: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:27:22.082256: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:27.222183: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:27:27.222183: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:32.252304: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:27:32.252304: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:37.285347: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:42.378426: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:47.406412: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:52.453311: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:27:57.548086: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:27:57.548086: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:02.641632: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:07.698914: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:07.698914: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:12.729505: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:12.729505: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:17.760171: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:17.760171: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:22.793040: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:22.793040: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:27.808584: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:27.808584: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:32.834312: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:28:32.834312: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:37.937890: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:28:37.937890: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:43.094185: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:43.094185: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:48.187983: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:48.187983: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:53.296806: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:28:58.312326: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:28:58.312326: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:03.484087: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:03.484087: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:08.494686: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:29:08.494686: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:13.569414: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:13.569414: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:18.704620: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:18.704620: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:23.829009: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:28.891430: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:28.891430: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:33.948270: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:33.948270: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:38.994638: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:38.994638: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:44.025734: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:44.025734: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:49.181860: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:49.181860: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:54.223948: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:29:54.223948: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:29:59.271685: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:29:59.271685: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:04.289482: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:30:04.289482: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:09.395006: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:30:09.395006: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:14.550688: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:30:14.550688: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:19.706355: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:30:19.706355: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:24.817699: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:30:24.817699: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:29.848896: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:30:29.848896: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:34.890490: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:30:34.890490: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:40.030591: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:30:40.030591: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:45.136174: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:30:45.136174: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:50.260569: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:30:50.260569: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:30:55.275784: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:30:55.275784: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:00.302612: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:00.302612: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:05.333764: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:10.438376: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:10.438376: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:15.500584: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:15.500584: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:20.558574: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:25.573974: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:25.573974: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:30.631349: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:30.631349: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:35.709182: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:35.709182: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:40.755438: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:40.755438: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:45.833475: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:50.895937: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:31:50.895937: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:31:55.957885: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:31:55.957885: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:01.024574: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:32:01.024574: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:06.175349: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:32:06.175349: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:11.341269: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:11.341269: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:16.418801: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:16.418801: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:21.558823: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:21.558823: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:26.683730: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:26.683730: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:31.746695: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:31.746695: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:36.793106: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:32:36.793106: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:41.886248: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:41.886248: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:47.026291: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:47.026291: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:52.041541: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:52.041541: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:32:57.119041: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:32:57.119041: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:02.212154: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:02.212154: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:07.285373: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:07.285373: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:12.409436: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:12.409436: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:17.531604: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:17.531604: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:22.544115: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:27.586527: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:32.725586: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:32.725586: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:37.765553: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:37.765553: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:42.832578: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:47.848055: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:52.969598: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:52.969598: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:33:57.996791: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:33:57.996791: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:03.015533: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:03.015533: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:08.135508: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:08.135508: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:13.161620: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:13.161620: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:18.192314: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:18.192314: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:23.223503: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:28.333104: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:33.348718: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:33.348718: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:38.453886: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:38.453886: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:43.578287: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:43.578287: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:48.593340: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:48.593340: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:53.634605: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:53.634605: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:34:58.724905: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:34:58.724905: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:03.849818: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:35:03.849818: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:08.907972: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:08.907972: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:13.954633: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:13.954633: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:19.059021: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:19.059021: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:24.214601: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:24.214601: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:29.339025: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:34.494894: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:34.494894: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:39.521148: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:39.521148: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:44.631024: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:44.631024: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:49.693359: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:54.833930: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:54.833930: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:35:59.911450: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:35:59.911450: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:04.976155: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:36:04.976155: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:10.083989: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:36:10.083989: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:15.203796: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:36:15.203796: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:20.307864: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:36:20.307864: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:25.401012: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:36:25.401012: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:30.413285: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:36:30.413285: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:35.545551: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:40.639798: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:45.657091: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:50.730599: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:36:55.743809: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:00.784053: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:00.784053: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:05.810935: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:10.946746: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:10.946746: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:15.962404: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:20.995029: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:20.995029: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:26.010078: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:26.010078: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:31.040754: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:36.055900: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:36.055900: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:41.149016: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:41.149016: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:46.227060: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:46.227060: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:51.273847: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:37:51.273847: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:37:56.336313: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:01.414009: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:01.414009: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:06.523134: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:06.523134: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:11.626447: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:11.626447: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:16.663207: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:16.663207: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:21.837757: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:21.837757: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:26.854778: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:26.854778: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:31.995296: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:31.995296: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:37.037219: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:37.037219: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:42.074355: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:42.074355: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:47.114754: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:52.259370: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:52.259370: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:38:57.290079: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:38:57.290079: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:02.445075: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:02.445075: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:07.449992: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:12.452213: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:17.469999: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:17.469999: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:22.594501: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:22.594501: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:27.766316: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:27.766316: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:32.859645: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:37.900421: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:37.900421: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:43.035408: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:43.035408: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:48.050589: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:48.050589: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:53.066716: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:53.066716: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:39:58.160350: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:39:58.160350: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:03.228031: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:03.228031: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:08.271205: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:08.271205: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:13.337058: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:18.352247: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:18.352247: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:23.524132: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:23.524132: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:28.664222: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:28.664222: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:33.835954: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:33.835954: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:38.882740: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:38.882740: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:44.022575: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:44.022575: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:49.173421: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:40:49.173421: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:54.329166: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:40:59.341597: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:04.454680: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:04.454680: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:09.499242: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:09.499242: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:14.505102: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:14.505102: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:19.546816: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:19.546816: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:24.684379: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:24.684379: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:29.793666: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:29.793666: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:34.886846: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:34.886846: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:39.964480: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:39.964480: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:45.104520: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:45.104520: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:50.260825: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:50.260825: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:41:55.292573: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:41:55.292573: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:00.308089: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:42:00.308089: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:05.380927: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:42:05.380927: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:10.460780: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:42:10.460780: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:15.508934: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:42:15.508934: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:20.518969: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:42:20.518969: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:25.549593: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:42:25.549593: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:30.595892: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 4)
2022-01-21 13:42:30.595892: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:35.715854: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 5)
2022-01-21 13:42:35.715854: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:40.810111: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 6)
2022-01-21 13:42:40.810111: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:45.887673: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:42:45.887673: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:50.965214: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:42:50.965214: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:42:56.120913: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:42:56.120913: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:43:01.292211: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:43:01.292211: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:43:06.320331: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:43:11.453129: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:43:11.453129: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:43:53.153122: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:43:58.249069: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:03.333263: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:08.377868: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:13.439246: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:13.439326: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:18.483981: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:18.483981: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:23.500372: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:28.649378: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:28.649378: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:33.661137: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:33.661137: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:38.731131: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:38.731131: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:43.800914: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:43.800914: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:48.815794: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:48.815794: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:53.903919: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:53.903919: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:44:59.003471: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:44:59.003471: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:04.120893: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:04.120939: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:09.263152: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:09.263152: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:14.331333: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:19.376347: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:19.376347: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:24.477516: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 3)
2022-01-21 13:45:24.477516: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:29.623417: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:29.623417: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:34.654947: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:34.654947: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:39.698940: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:44.830688: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:44.830688: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:49.958446: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:49.958446: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:45:54.983599: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:45:54.983599: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:00.048773: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:00.048773: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:05.102612: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:05.102612: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:10.144179: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:10.144179: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:15.160281: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:15.160281: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:20.257682: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:20.257682: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:25.411845: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:25.411845: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:30.572259: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:30.572259: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:46:35.644297: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:46:35.644297: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:49:40.378596: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:49:45.417651: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:49:45.417651: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:49:50.447555: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:49:50.447555: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:49:55.535020: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:00.546694: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:50:00.546694: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:05.572794: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:10.580728: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:15.584181: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:20.708629: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:50:20.708629: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:25.750867: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:50:25.750867: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:30.778990: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:35.803259: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:50:35.803259: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:40.838508: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:45.931758: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:50:45.931758: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:51.051043: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:50:51.051043: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:50:56.134950: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:50:56.134950: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:01.188905: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:01.188905: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:06.271887: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:06.271887: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:11.331315: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:11.331315: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:16.335062: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:21.439757: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:21.439757: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:26.581624: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:26.581624: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:31.674091: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:31.674091: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:36.687384: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:41.838362: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:41.838362: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:46.878508: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:46.878508: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:52.023036: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:52.023036: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:51:57.063438: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:51:57.063438: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:02.160510: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:02.160510: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:07.221922: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:07.221922: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:12.308428: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:12.308428: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:17.441103: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:17.441103: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:22.525922: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:22.525922: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:27.622028: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:27.622028: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:32.726590: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:32.726590: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:37.739041: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:42.827133: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:47.828903: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:52.968006: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:52.968006: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:52:57.998751: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:52:57.998751: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:03.052924: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:03.052937: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:08.135242: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:08.135242: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:13.312863: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:13.312863: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:18.337560: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:23.339707: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:28.398740: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:28.398740: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:33.421215: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:38.572262: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:38.572262: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:43.644793: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:48.823407: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:48.823439: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:53.918664: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:53.918664: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:53:59.059961: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:53:59.059961: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:04.127891: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:04.127891: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:09.170911: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:09.170911: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:14.340016: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:14.340016: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:19.382059: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:24.402897: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:24.402897: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:29.429606: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:29.429606: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:34.469382: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:34.469382: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:39.513481: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:39.513481: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:44.525963: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:44.525963: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:47.473947: [MGR] Starting UI process for user ?admin at NETBIOS? for session 6
2022-01-21 13:54:49.599296: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:49.599296: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:54.754166: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:54.754166: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:54:59.802065: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:54:59.802065: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:04.839528: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:55:04.839528: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:09.912812: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:55:09.912949: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:14.960576: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:55:14.960576: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:20.117522: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:55:20.117522: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:25.227467: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:55:25.227467: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:30.242084: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:55:30.242084: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:35.297539: [TUN] [vpn.domain.com] Handshake for peer 1 (192.168.99.1:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:55:35.297539: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (192.168.99.1:51820)
2022-01-21 13:55:38.291070: [TUN] [vpn.domain.com] Shutting down
2022-01-21 13:55:38.292119: [MGR] [vpn.domain.com] Tunnel service tracker finished
2022-01-21 13:55:38.577899: [TUN] [vpn.domain.com] Starting WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 13:55:38.577899: [TUN] [vpn.domain.com] Watching network interfaces
2022-01-21 13:55:38.579447: [TUN] [vpn.domain.com] Resolving DNS names
2022-01-21 13:55:38.624843: [TUN] [vpn.domain.com] Creating network adapter
2022-01-21 13:55:38.761194: [TUN] [vpn.domain.com] Using existing driver 0.10
2022-01-21 13:55:38.765332: [TUN] [vpn.domain.com] Creating adapter
2022-01-21 13:55:38.973483: [TUN] [vpn.domain.com] Using WireGuardNT/0.10
2022-01-21 13:55:38.973483: [TUN] [vpn.domain.com] Enabling firewall rules
2022-01-21 13:55:38.921855: [TUN] [vpn.domain.com] Interface created
2022-01-21 13:55:38.975021: [TUN] [vpn.domain.com] Dropping privileges
2022-01-21 13:55:38.975021: [TUN] [vpn.domain.com] Setting interface configuration
2022-01-21 13:55:38.975533: [TUN] [vpn.domain.com] Peer 1 created
2022-01-21 13:55:38.977610: [TUN] [vpn.domain.com] Monitoring MTU of default v4 routes
2022-01-21 13:55:38.976559: [TUN] [vpn.domain.com] Interface up
2022-01-21 13:55:38.977610: [TUN] [vpn.domain.com] Setting device v4 addresses
2022-01-21 13:55:38.977610: [TUN] [vpn.domain.com] Monitoring MTU of default v6 routes
2022-01-21 13:55:38.982387: [TUN] [vpn.domain.com] Setting device v6 addresses
2022-01-21 13:55:38.982387: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:55:38.990223: [TUN] [vpn.domain.com] Startup complete
2022-01-21 13:55:39.001868: [MGR] Failed to connect to adapter interface \\?\SWD#WireGuard#{CAD5864D-13F2-398B-A075-EB510CB633B3}#{cac88484-7515-4c03-82e6-71a87abac361}: The system cannot find the file specified. (Code 0x00000002)
2022-01-21 13:55:39.024763: [TUN] [vpn.domain.com] Receiving handshake response from peer 1 (x.x.x.x:51820)
2022-01-21 13:55:39.025269: [TUN] [vpn.domain.com] Keypair 1 created for peer 1
2022-01-21 13:56:11.075383: [MGR] Exited UI process for user 'admin at NETBIOS' for session 6 with status 40010004
2022-01-21 13:56:12.080661: [MGR] Starting UI process for user ?admin at NETBIOS? for session 6
2022-01-21 13:56:12.473288: [MGR] Exited UI process for user 'admin at NETBIOS' for session 6 with status 40010004
2022-01-21 13:56:13.484727: [MGR] Starting UI process for user ?admin at NETBIOS? for session 6
2022-01-21 13:56:13.484727: [MGR] Unable to start manager UI process for user 'admin at NETBIOS' for session 6: Session has logged out
2022-01-21 13:56:13.962039: [TUN] [vpn.domain.com] Shutting down
2022-01-21 13:56:13.972922: [MGR] [vpn.domain.com] Tunnel service tracker finished
2022-01-21 13:56:42.419777: [MGR] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 13:56:42.424691: [TUN] [vpn.domain.com] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 13:56:42.426469: [TUN] [vpn.domain.com] SCM locked for 1s by .\NT Service Control Manager, marking service as started
2022-01-21 13:56:42.430189: [TUN] [vpn.domain.com] Watching network interfaces
2022-01-21 13:56:42.432208: [TUN] [vpn.domain.com] Resolving DNS names
2022-01-21 13:56:42.535795: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 13:56:46.569993: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 13:56:50.585189: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 13:56:54.604338: [TUN] [vpn.domain.com] Creating network adapter
2022-01-21 13:56:54.747140: [TUN] [vpn.domain.com] Using existing driver 0.10
2022-01-21 13:56:54.754287: [TUN] [vpn.domain.com] Creating adapter
2022-01-21 13:56:54.931104: [TUN] [vpn.domain.com] Using WireGuardNT/0.10
2022-01-21 13:56:54.931104: [TUN] [vpn.domain.com] Enabling firewall rules
2022-01-21 13:56:54.883789: [TUN] [vpn.domain.com] Interface created
2022-01-21 13:56:54.934363: [TUN] [vpn.domain.com] Dropping privileges
2022-01-21 13:56:54.934874: [TUN] [vpn.domain.com] Setting interface configuration
2022-01-21 13:56:54.935165: [TUN] [vpn.domain.com] Peer 1 created
2022-01-21 13:56:54.935676: [TUN] [vpn.domain.com] Monitoring MTU of default v4 routes
2022-01-21 13:56:54.935676: [TUN] [vpn.domain.com] Interface up
2022-01-21 13:56:54.948226: [TUN] [vpn.domain.com] Setting device v4 addresses
2022-01-21 13:56:54.951579: [TUN] [vpn.domain.com] Monitoring MTU of default v6 routes
2022-01-21 13:56:54.952082: [TUN] [vpn.domain.com] Setting device v6 addresses
2022-01-21 13:56:54.971047: [TUN] [vpn.domain.com] Startup complete
2022-01-21 13:56:54.972047: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:56:55.023239: [TUN] [vpn.domain.com] Receiving handshake response from peer 1 (x.x.x.x:51820)
2022-01-21 13:56:55.023239: [TUN] [vpn.domain.com] Keypair 1 created for peer 1
2022-01-21 13:58:50.423986: [TUN] [vpn.domain.com] Retrying handshake with peer 1 (x.x.x.x:51820) because we stopped hearing back after 15 seconds
2022-01-21 13:58:50.423986: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:58:55.455506: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:00.480385: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:05.490983: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:05.490983: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:10.504756: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:10.504756: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:15.604778: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:20.634382: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:20.634382: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:25.707137: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:25.707137: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:30.855850: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:30.855850: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:35.949600: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:35.949600: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:40.990745: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:40.990745: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:46.077722: [TUN] [vpn.domain.com] Handshake for peer 1 (x.x.x.x:51820) did not complete after 5 seconds, retrying (try 2)
2022-01-21 13:59:46.077722: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:51.130991: [TUN] [vpn.domain.com] Sending handshake initiation to peer 1 (x.x.x.x:51820)
2022-01-21 13:59:54.666728: [TUN] [vpn.domain.com] Shutting down
2022-01-21 13:59:54.666728: [MGR] [vpn.domain.com] Tunnel service tracker finished
2022-01-21 14:00:25.385109: [MGR] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 14:00:25.385617: [TUN] [vpn.domain.com] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 14:00:25.392357: [TUN] [vpn.domain.com] SCM locked for 1s by .\NT Service Control Manager, marking service as started
2022-01-21 14:00:25.397054: [TUN] [vpn.domain.com] Watching network interfaces
2022-01-21 14:00:25.399865: [TUN] [vpn.domain.com] Resolving DNS names
2022-01-21 14:00:25.640575: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:29.648660: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:33.657345: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:37.672796: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:41.682472: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:45.683318: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:49.696304: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:53.706665: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:00:57.722719: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:01.725050: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:05.741561: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:09.742016: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:13.742214: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:17.753757: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:21.754324: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:25.754991: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:29.762106: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:33.762738: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:37.763279: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:41.771324: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:45.772269: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:49.777344: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:53.781627: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:01:57.783379: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:01.784236: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:05.790570: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:09.806000: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:13.811052: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:17.827451: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:21.838263: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:25.839227: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:29.853433: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:33.792594: [MGR] Update checker: The server name or address could not be resolved
2022-01-21 14:02:33.855521: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:37.861237: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:41.863892: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:45.871248: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:49.877167: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:02:53.884177: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:20.324752: [TUN] [vpn.domain.com] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 14:03:20.325969: [MGR] Starting at boot WireGuard/0.5.3 (Windows 10.0.19043; amd64)
2022-01-21 14:03:20.331512: [TUN] [vpn.domain.com] Watching network interfaces
2022-01-21 14:03:20.384779: [TUN] [vpn.domain.com] Resolving DNS names
2022-01-21 14:03:20.503593: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:24.517787: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:28.531690: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:32.547531: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:36.558960: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:40.571316: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:44.584276: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:48.589629: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:52.601176: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:03:56.601326: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:00.604469: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:04.604609: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:08.604685: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:12.611113: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:16.623467: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:20.626082: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:24.637405: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:28.643856: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:32.654152: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:36.661979: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:40.665121: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:44.682742: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:48.698311: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:52.705238: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:04:56.719339: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:00.729435: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:04.736110: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:08.740339: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:12.743209: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:16.758777: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:20.766557: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:24.775715: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:28.781491: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:32.796664: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:36.799755: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:40.809000: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:44.820797: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:48.823036: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:52.825687: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:56.826425: [TUN] [vpn.domain.com] Host not found when resolving vpn.xxxx.org, but no Internet connection available, sleeping for 4 seconds
2022-01-21 14:05:56.832612: [TUN] [vpn.domain.com] Unable to resolve one or more DNS hostname endpoints: No such host is known.
2022-01-21 14:05:56.832612: [TUN] [vpn.domain.com] Shutting down
2022-01-21 14:05:56.833634: [MGR] [vpn.domain.com] Tunnel service tracker finished
2022-01-21 14:15:52.797687: [MGR] Starting UI process for user ?admin at NETBIOS? for session 2


-----------------------------

Tony Pros - Owner
tony at tpro.tech
615 656 3543

T-Pro Tech LLC
Audio & IT Consulting

??????? Original Message ???????

On Monday, January 17th, 2022 at 4:51 AM, Simon Rozman <simon at rozman.si> wrote:

> Hi,
>
> > I believe there's a bug in the Windows service implementation, if this
> >
> > issue is by design, it's problematic.
> >
> > I have non-admin users were when I initially set them up with wireguard,
> >
> > I configured it to use the service, using the command:
> >
> > wireguard /installtunnelservice "C:\Program
> >
> > Files\WireGuard\Data\Configurations\vpn.domain.org.conf.dpapi"
> >
> > The tunnel worked fine the first time. Then the user reboots the laptop,
> >
> > or closes it or leaves whatever coffee shop they were at and get
> >
> > disconnected from the wireless network they were using. When this
> >
> > happens, for some reason, the wireguard service then gets torn down
> >
> > never to come back again until I issue the command from my admin account
> >
> > again.
>
> Can you do the wireguard /dumplog > wireguard.log and investigate.
>
> > There was an issue with some users initial configuration in that they
> >
> > could not query hostname via DNS, so that entering the command to
> >
> > installservice would not even create the service.
>
> WireGuard services start early on boot - sometimes even before the DNSCache (DNS Client). If the service can't resolve hostnames used in the config file, it will stop. But it will log this. Resolution to this problem is:
>
> -   Use IPs rather than hostnames.
> -   Add hostnames you use in your .conf file to C:\Windows\system32\drivers\etc\hosts.
> -   Add DNSCache dependency to the WireGuardTunnel$<your tunnel name> service.
>
> I personally would pick one of the first two options above. Don't like the idea my laptop is asking a coffee shop's DNS what is my VPN endpoint IP address.
>
> > Here's a few notes that might help with understanding.
> >
> > -   Users must have the VPN established before they log into the active
> >
> >     directory servers on the remote network so that they can get all of
> >
> >     their GPO directives.
> > -   Wireguard Service should stay up so that any time a users connects to
> >
> >     any network, the VPN is established immediately after that.
> > -   The Wireguard service should also stay because non-admin users cannot
> >
> >     create a new service
>
> I understand. That is exactly how we use WireGuard in our company.
>
> > If this issue is how things will stay, and this is not considered a bug,
> >
> > how would you configure windows non-admin users to tunnel to an
> >
> > enterprise network before login via WireGuard and to continuously try to
> >
> > establish the tunnel while the user is not connected to a network?
>
> Let me assure you, the behavior you are expecting is definitely pathological. Please investigate the log file why the tunnel service does not persist as it should.
>
> Best regards,
>
> Simon

From simonmcnair at gmail.com  Mon Jan 24 09:59:55 2022
From: simonmcnair at gmail.com (Simon McNair)
Date: Mon, 24 Jan 2022 09:59:55 +0000
Subject: apologies if this DNS conditional forwarding query is a daft question
Message-ID: <c0520a00-cd2b-db1d-b678-4134593e7206@gmail.com>

Hi,
Again apologies if this is networking newb question
I have just spent the weekend laboriously learning about wireguard 
windows and finally powershell & internet connection sharing. My usage 
case is supporting a parents network and/or sharing resources in a small 
site(s) to site(s) network.
My question is this.? Without buying any extra commodity hardware, or 
installing any more software is it possible to set up conditional DNS 
forwarding per peer for DNS ?? I would like each subnets DNS server (in 
this case isp router) to handle DNS for that subnet.

i.e. if the dns request is for a subnet on peer A use DNS server 
192.168.100.254 defined in peer A config
 ??? ?? if the dns request is made a subnet on peer B use DNS server 
192.168.110.254 defined in peer B config

Similar to this:
[Interface]
PrivateKey = pkhere
ListenPort = 12345
Address = 10.250.250.4/24

[PeerA]
PublicKey = peerpkhere
AllowedIPs = 192.168.100.0/24, 10.250.250.0/24
Endpoint = my.ddnsalias.net:5678
DNS = 192.168.100.254

[PeerB]
PublicKey = peerpkhere
AllowedIPs = 192.168.110.0/24, 10.250.250.0/24
Endpoint = my.ddnsalias.net:5678
DNS = 192.168.110.254

I know we already have the Interface level DNS option but that would 
fail for peers unless conditional forwarding was configured which isn't 
possible on most home routers.? I know I can fix this with dnsmasq or a 
pihole but that requires another machine on all the time.? I was just 
wondering if anything clever could easily be done within wireguard.? I 
know it's a big ask but it would be appreciated as an enhancement request.

Likewise, for the windows version of wireguard it would be cool if there 
was an option to enable internet connection sharing on the client.? I 
have done this successfully (I am happy to share the steps if required) 
although it was a huge pita and required dangerousscripts enabling which 
I'm not keen on.
Thanks again for all the hard work Jason, I love the app, and it is 
running happily on my ER-X and making my life better.

Regards
Simon


From frank at carmickle.com  Mon Jan 24 13:28:20 2022
From: frank at carmickle.com (Frank Carmickle)
Date: Mon, 24 Jan 2022 08:28:20 -0500
Subject: apologies if this DNS conditional forwarding query is a daft
 question
In-Reply-To: <c0520a00-cd2b-db1d-b678-4134593e7206@gmail.com>
References: <c0520a00-cd2b-db1d-b678-4134593e7206@gmail.com>
Message-ID: <E8EC188A-7643-4843-8289-473D4ACBCE7E@carmickle.com>

Greetings Simon,

> On Jan 24, 2022, at 4:59 AM, Simon McNair <simonmcnair at gmail.com> wrote:
> 
> Hi,
> Again apologies if this is networking newb question
> I have just spent the weekend laboriously learning about wireguard windows and finally powershell & internet connection sharing. My usage case is supporting a parents network and/or sharing resources in a small site(s) to site(s) network.
> My question is this.  Without buying any extra commodity hardware, or installing any more software is it possible to set up conditional DNS forwarding per peer for DNS ?  I would like each subnets DNS server (in this case isp router) to handle DNS for that subnet.
> 
> i.e. if the dns request is for a subnet on peer A use DNS server 192.168.100.254 defined in peer A config
>        if the dns request is made a subnet on peer B use DNS server 192.168.110.254 defined in peer B config

I'm not totally understanding the topology you are implementing, internet sharing and site to site, that usually means that both sites have internet service. It does seem as though you can accomplish having systems in each subnet use there own DNS by not configuring a DNS directive in the wireguard config at all.

HTH,
--FC


> 
> Similar to this:
> [Interface]
> PrivateKey = pkhere
> ListenPort = 12345
> Address = 10.250.250.4/24
> 
> [PeerA]
> PublicKey = peerpkhere
> AllowedIPs = 192.168.100.0/24, 10.250.250.0/24
> Endpoint = my.ddnsalias.net:5678
> DNS = 192.168.100.254
> 
> [PeerB]
> PublicKey = peerpkhere
> AllowedIPs = 192.168.110.0/24, 10.250.250.0/24
> Endpoint = my.ddnsalias.net:5678
> DNS = 192.168.110.254
> 
> I know we already have the Interface level DNS option but that would fail for peers unless conditional forwarding was configured which isn't possible on most home routers.  I know I can fix this with dnsmasq or a pihole but that requires another machine on all the time.  I was just wondering if anything clever could easily be done within wireguard.  I know it's a big ask but it would be appreciated as an enhancement request.
> 
> Likewise, for the windows version of wireguard it would be cool if there was an option to enable internet connection sharing on the client.  I have done this successfully (I am happy to share the steps if required) although it was a huge pita and required dangerousscripts enabling which I'm not keen on.
> Thanks again for all the hard work Jason, I love the app, and it is running happily on my ER-X and making my life better.
> 
> Regards
> Simon
> 


From simon at rozman.si  Mon Jan 24 14:47:03 2022
From: simon at rozman.si (Simon Rozman)
Date: Mon, 24 Jan 2022 14:47:03 +0000
Subject: Wireguard Windows Service Issues
In-Reply-To: <9-M1j7GQozeUMiB1Qm-kk17KUFZ_tE4h4oF-n0QEGEXh0IYS-sv3PDvecqKRPasw5Kw_60Do1VAMBuWQymyiQ79wnej1AOl8KsvWwVZ3mlE=@tpro.tech>
References: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>
 <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
 <9-M1j7GQozeUMiB1Qm-kk17KUFZ_tE4h4oF-n0QEGEXh0IYS-sv3PDvecqKRPasw5Kw_60Do1VAMBuWQymyiQ79wnej1AOl8KsvWwVZ3mlE=@tpro.tech>
Message-ID: <4fcaa402dbcb47609db707aabb5ccbdd@rozman.si>

Hi,

> The problem still is occurring, the service seems to get torn down never
> to come back again once the user comes back to the office and connects
> back into the main network with ethernet. When the user is on the main
> network the VPN host address will not get resolved by DNS by design. We
> do not want the user to be on the VPN when they are already on the
> internal network. If there's a better way to handle the VPN not
> connecting when the non-admin user is on the internal network I'm open
> to that too. We use a hostname for VPN server resolution because we use
> both IPv4 and IPv6 for host connectivity.

When your laptop is connected to the "main network" and boots, the tunnel service will give up on the DNS resolution failure after a few minutes and exit. The manager service will notice that the service is dead and will clean it up. Hence your tunnel service ceases to exist and doesn't get started on the next boot any more.

Split DNS is not the right way to prevent WireGuard tunneling of the on-link traffic.

On my devices, I keep the VPN tunnel active all the time. Regardless the network the device is physically connected to. You are not using the IP addresses from your main network subnet for WireGuard clients. So, when you connect your laptop physically into the main network, the NICs' on-link route should be preferred over the route added by WireGuards' AllowedIPs. This makes the local network traffic flow directly.

But - and very important for seamless roaming - schedule periodic elevated calls of `wg.exe set vpn.domain.com peer <your VPN peer Base64-encoded pubkey> endpoint vpn.xxxx.org:51820`. It's cheap and can be scheduled to trigger every 2 minutes (and immediately after scheduled time is missed). If your laptop is connected on your main network, WireGuard roaming will learn 192.168.99.1 as the peer endpoint. Then you put your laptop to sleep and wake it up at home in a different network. It will continue to use 192.168.99.1 as peer endpoint, but that's no longer correct. Periodic reset of peer endpoint fixes this.

> 2022-01-21 14:00:25.385109: [MGR] Starting at boot WireGuard/0.5.3
> (Windows 10.0.19043; amd64)
> 2022-01-21 14:00:25.385617: [TUN] [vpn.domain.com] Starting at boot
> WireGuard/0.5.3 (Windows 10.0.19043; amd64)
> 2022-01-21 14:00:25.392357: [TUN] [vpn.domain.com] SCM locked for 1s by
> .\NT Service Control Manager, marking service as started
> 2022-01-21 14:00:25.397054: [TUN] [vpn.domain.com] Watching network
> interfaces
> 2022-01-21 14:00:25.399865: [TUN] [vpn.domain.com] Resolving DNS names
> 2022-01-21 14:00:25.640575: [TUN] [vpn.domain.com] Host not found when
> resolving vpn.xxxx.org, but no Internet connection available, sleeping
> for 4 seconds
> 2022-01-21 14:00:29.648660: [TUN] [vpn.domain.com] Host not found when
> resolving vpn.xxxx.org, but no Internet connection available, sleeping
> for 4 seconds
> 2022-01-21 14:00:33.657345: [TUN] [vpn.domain.com] Host not found when
> resolving vpn.xxxx.org, but no Internet connection available, sleeping
> for 4 seconds
> 2022-01-21 14:00:37.672796: [TUN] [vpn.domain.com] Host not found when
> resolving vpn.xxxx.org, but no Internet connection available, sleeping
> for 4 seconds
> 2022-01-21 14:00:41.682472: [TUN] [vpn.domain.com] Host not found when
> resolving vpn.xxxx.org, but no Internet connection available, sleeping
> for 4 seconds

The on-boot connectivity detection was unreliable and was removed in https://git.zx2c4.com/wireguard-windows/commit/?id=b75cc38c60e36e1117bb40fd4ac78c44f1aae1f6. If SCM started the tunnel service before Dnscache and other networking services, WireGuard couldn't tell from the Windows DNS resolving response whether the resolve failure is transient or not.
This fix has not yet been published, but it will not help your tunnel deactivation on split DNS issue.

Best regards,
Simon


From simonmcnair at gmail.com  Mon Jan 24 18:17:58 2022
From: simonmcnair at gmail.com (Simon McNair)
Date: Mon, 24 Jan 2022 18:17:58 +0000
Subject: Wireguard Windows Service Issues
In-Reply-To: <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
References: <M95S0K3OLlWrjbBpofGUvTbVG6o7H8pKclgaVy8bSYAIklVksUf0PfyKeTYWPtt9QUBcrGlmQXnKvvndSWIntkZ-_pWfIG9vGbjeyv7H1jQ=@tpro.tech>
 <e48d98ba2ad34d2f86fb34e5c95aebaf@rozman.si>
Message-ID: <154d5705-2445-6297-cade-2103738a0667@gmail.com>

just to insert my 2p.

Provided the service manager is installed whilst the tunnel will not 
appear in the list of tunnels you can view the logfile which will assist 
with diagnosis.

 From my perspective I set up exactly the same set-up myself at the 
weekend and it is behaving as advertised (except not on wifi).

The part of this that makes me curious though is the fact that the 
connection is via wifi so the adapter will stay visible but the 
underlying connection will drop and the ip addresses, DNS etc will 
change behind the scenes with each wireless network they connect to.? I 
would think wireguard would handle this, but the log file would 
certainly be worth of scrutiny.

Also worth thinking around powers aving and the closing of the laptop 
lid putting the adapter in to power saving and dropping the underlying 
connection.

Simon


On 17/01/2022 10:51, Simon Rozman wrote:
> Hi,
>
>> I believe there's a bug in the Windows service implementation, if this
>> issue is by design, it's problematic.
>>
>> I have non-admin users were when I initially set them up with wireguard,
>> I configured it to use the service, using the command:
>>
>> wireguard /installtunnelservice "C:\Program
>> Files\WireGuard\Data\Configurations\vpn.domain.org.conf.dpapi"
>>
>> The tunnel worked fine the first time. Then the user reboots the laptop,
>> or closes it or leaves whatever coffee shop they were at and get
>> disconnected from the wireless network they were using. When this
>> happens, for some reason, the wireguard service then gets torn down
>> never to come back again until I issue the command from my admin account
>> again.
> Can you do the wireguard /dumplog > wireguard.log and investigate.
>
>> There was an issue with some users initial configuration in that they
>> could not query hostname via DNS, so that entering the command to
>> installservice would not even create the service.
> WireGuard services start early on boot - sometimes even before the DNSCache (DNS Client). If the service can't resolve hostnames used in the config file, it will stop. But it will log this. Resolution to this problem is:
> - Use IPs rather than hostnames.
> - Add hostnames you use in your .conf file to C:\Windows\system32\drivers\etc\hosts.
> - Add DNSCache dependency to the WireGuardTunnel$<your tunnel name> service.
>
> I personally would pick one of the first two options above. Don't like the idea my laptop is asking a coffee shop's DNS what is my VPN endpoint IP address.
>
>> Here's a few notes that might help with understanding.
>> - Users must have the VPN established before they log into the active
>> directory servers on the remote network so that they can get all of
>> their GPO directives.
>> - Wireguard Service should stay up so that any time a users connects to
>> any network, the VPN is established immediately after that.
>> - The Wireguard service should also stay because non-admin users cannot
>> create a new service
> I understand. That is exactly how we use WireGuard in our company.
>
>> If this issue is how things will stay, and this is not considered a bug,
>> how would you configure windows non-admin users to tunnel to an
>> enterprise network before login via WireGuard and to continuously try to
>> establish the tunnel while the user is not connected to a network?
> Let me assure you, the behavior you are expecting is definitely pathological. Please investigate the log file why the tunnel service does not persist as it should.
>
> Best regards,
> Simon

From simonmcnair at gmail.com  Mon Jan 24 18:26:54 2022
From: simonmcnair at gmail.com (Simon McNair)
Date: Mon, 24 Jan 2022 18:26:54 +0000
Subject: apologies if this DNS conditional forwarding query is a daft
 question
In-Reply-To: <E8EC188A-7643-4843-8289-473D4ACBCE7E@carmickle.com>
References: <c0520a00-cd2b-db1d-b678-4134593e7206@gmail.com>
 <E8EC188A-7643-4843-8289-473D4ACBCE7E@carmickle.com>
Message-ID: <7886ff22-03eb-148a-3e2d-1f968bbfa59b@gmail.com>

Hi Frank,

Thanks for responding.

My implementation is a mixture of point to point and site to site.

I have laptops and mobile phones which connect directly in, but I also 
have entire class c subnets routing traffic (the only real difference 
being enabling ip routing/bridgining the networks vs no routing and only 
being able to see the single device).

The windows implementation of wireshark only allows a point to point 
connection as windows does not enable routing (in a similar way that I 
don't believe linux does by default).? This can be worked around in 
windows by selecting the adapter and 'sharing' it with the wireshark 
connection (internet connection sharing or ICS).? This means that 
wireshark can see the entire private class c network changing a point 
connection to a site.

My desired result is that each sites class C subnet maintains it's own 
dhcp leases and reverse dns of the same (using the ISP router).? For 
each class C subnet I can configure, per peer, that name resolution 
should go to the appropriate dns server.

In summary each house has an ISP router which does DHCP and DNS, I would 
like to configure each peer to connect via IP to the peers ISP router in 
order to resolve DNS.

I hope that makes sense.

Regards

Simon


On 24/01/2022 13:28, Frank Carmickle wrote:
> Greetings Simon,
>
>> On Jan 24, 2022, at 4:59 AM, Simon McNair <simonmcnair at gmail.com> wrote:
>>
>> Hi,
>> Again apologies if this is networking newb question
>> I have just spent the weekend laboriously learning about wireguard windows and finally powershell & internet connection sharing. My usage case is supporting a parents network and/or sharing resources in a small site(s) to site(s) network.
>> My question is this.  Without buying any extra commodity hardware, or installing any more software is it possible to set up conditional DNS forwarding per peer for DNS ?  I would like each subnets DNS server (in this case isp router) to handle DNS for that subnet.
>>
>> i.e. if the dns request is for a subnet on peer A use DNS server 192.168.100.254 defined in peer A config
>>         if the dns request is made a subnet on peer B use DNS server 192.168.110.254 defined in peer B config
> I'm not totally understanding the topology you are implementing, internet sharing and site to site, that usually means that both sites have internet service. It does seem as though you can accomplish having systems in each subnet use there own DNS by not configuring a DNS directive in the wireguard config at all.
>
> HTH,
> --FC
>
>
>> Similar to this:
>> [Interface]
>> PrivateKey = pkhere
>> ListenPort = 12345
>> Address = 10.250.250.4/24
>>
>> [PeerA]
>> PublicKey = peerpkhere
>> AllowedIPs = 192.168.100.0/24, 10.250.250.0/24
>> Endpoint = my.ddnsalias.net:5678
>> DNS = 192.168.100.254
>>
>> [PeerB]
>> PublicKey = peerpkhere
>> AllowedIPs = 192.168.110.0/24, 10.250.250.0/24
>> Endpoint = my.ddnsalias.net:5678
>> DNS = 192.168.110.254
>>
>> I know we already have the Interface level DNS option but that would fail for peers unless conditional forwarding was configured which isn't possible on most home routers.  I know I can fix this with dnsmasq or a pihole but that requires another machine on all the time.  I was just wondering if anything clever could easily be done within wireguard.  I know it's a big ask but it would be appreciated as an enhancement request.
>>
>> Likewise, for the windows version of wireguard it would be cool if there was an option to enable internet connection sharing on the client.  I have done this successfully (I am happy to share the steps if required) although it was a huge pita and required dangerousscripts enabling which I'm not keen on.
>> Thanks again for all the hard work Jason, I love the app, and it is running happily on my ER-X and making my life better.
>>
>> Regards
>> Simon
>>

From alessio.nossa+list at gmail.com  Tue Jan 25 14:16:06 2022
From: alessio.nossa+list at gmail.com (Alessio Nossa)
Date: Tue, 25 Jan 2022 15:16:06 +0100
Subject: Contributing to iOS app
Message-ID: <CAMTfdYou8TjP0TikezEjSWG-Rxtb8JzpPLcKOyOmE8B9sQpi8Q@mail.gmail.com>

Hello,
I?d like to contribute to wireguard-apple with Shortcuts integration
for the iOS app (this is a feature in the todo-list too).
The implementation is almost complete, I?d like to be allowed to merge
my contribution with the main app (or to have information on how I can
submit my contributions).

Kind regards,
Alessio Nossa

From Jason at zx2c4.com  Tue Jan 25 14:55:52 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 25 Jan 2022 15:55:52 +0100
Subject: Contributing to iOS app
In-Reply-To: <CAMTfdYou8TjP0TikezEjSWG-Rxtb8JzpPLcKOyOmE8B9sQpi8Q@mail.gmail.com>
References: <CAMTfdYou8TjP0TikezEjSWG-Rxtb8JzpPLcKOyOmE8B9sQpi8Q@mail.gmail.com>
Message-ID: <CAHmME9oPom008GYkORba_99g75Sti0WA+is2azvtONw3CnU_iQ@mail.gmail.com>

You can send them to the mailing list, or I can give you commit access
to prefixed branches. I'll contact you offlist for the latter
mechanics.

From alessio.nossa+list at gmail.com  Tue Jan 25 15:45:34 2022
From: alessio.nossa+list at gmail.com (Alessio Nossa)
Date: Tue, 25 Jan 2022 16:45:34 +0100
Subject: Contributing to iOS app
In-Reply-To: <CABBZOs=1po1VvKY+Rq6i1AOybXQHar+k+mzDFH9hAdd3uRc8fg@mail.gmail.com>
References: <CAMTfdYou8TjP0TikezEjSWG-Rxtb8JzpPLcKOyOmE8B9sQpi8Q@mail.gmail.com>
 <CABBZOs=1po1VvKY+Rq6i1AOybXQHar+k+mzDFH9hAdd3uRc8fg@mail.gmail.com>
Message-ID: <CAMTfdYp19s=AefZvK-eDAmGSodSCxmrBa_61G7fpGqOaPMUnWw@mail.gmail.com>

I am aware of the bug reported by Houman. To get around this problem I
have implemented a workaround: when the action needs to make changes
to the configuration, the main app is launched and the user can then
specify in Shortcut's action a URL to open when the action is
completed (default will be "shortcuts://"). This workaround has been
used by other apps like Working Copy [1] (in "Clone repository from"
action) for actions that need to be executed by the main app.
With this solution you cannot return results of the operation to
Shortcuts, but you can successfully get the work done and if something
went wrong, there is Wireguard's log to check.

One thing I had to change in the app to accomplish this is to move
TunnelsManager initialization from MainViewController to AppDelegate.
It will not slow down app startup since it is an asynchronous action
and I think it is fine to initialize the main component of the app's
logic, outside the view hierarchy.

Hopefully, one day the bug will be fixed and moving the action logic
to Intents Extension will be straightforward.

Regards,
Alessio

[1]: https://workingcopyapp.com/

Il giorno mar 25 gen 2022 alle ore 15:52 Houman <houmie at gmail.com> ha scritto:
>
> Shortcut integration for Wireguard on iOS would be amazing. But did you actually get it working?
>
> I think due to this Apple bug that has been open for years: https://developer.apple.com/forums/thread/96020, it is not possible to work with Siri shortcuts on the network extension.
> But if your solution works, it would be amazing!!
>
> Regards,
> Houman
>
> On Tue, 25 Jan 2022 at 14:20, Alessio Nossa <alessio.nossa+list at gmail.com> wrote:
>>
>> Hello,
>> I?d like to contribute to wireguard-apple with Shortcuts integration
>> for the iOS app (this is a feature in the todo-list too).
>> The implementation is almost complete, I?d like to be allowed to merge
>> my contribution with the main app (or to have information on how I can
>> submit my contributions).
>>
>> Kind regards,
>> Alessio Nossa

From richard at netcore.se  Mon Jan 17 19:49:53 2022
From: richard at netcore.se (Richard Werner)
Date: Mon, 17 Jan 2022 19:49:53 +0000
Subject: [macOS] possible bug
Message-ID: <948FB3D5-2990-48E1-B27F-FDA699AEAF24@netcore.se>

Hi everyone.
We found a strange issue regarding macOS client and hope this is a proper way to start (and get some help debugging) a possible bug.
I?ve not been able to capture the actual error message shown to the user, but I have the a log file.

What seem to happen is something like this:
1. Have a working configuration.
2. Some unknown event happens (still investigating).
3. An error message is shown (something along the lines of "unable to read config?).
4. Orphaned configs are removed, but there seems to be more going on which we can?t identify.
5. No WG VPN's will work regardless of removing configs, keychains, etc.

Even if all tunnels are removed and added again, no traffic leaves the client. It effectively enters a state of not being able to use any wireguards vpns on the client.


Some entries from the log that shows going from working to not functioning will follow.
More complete log at https://pastebin.com/m2MqHhPF

-Working:
2022-01-17 17:55:59.292781: [NET] peer(ZY6x?1ZBc) - Sending handshake initiation
2022-01-17 17:55:59.337042: [NET] peer(ZY6x?1ZBc) - Received handshake response
2022-01-17 17:59:22.007634: [NET] peer(ZY6x?1ZBc) - Receiving keepalive packet

-Error message is shown:
2022-01-17 18:35:29.081737: [APP] App version: 1.0.15 (26)
2022-01-17 18:36:22.662281: [APP] startActivation: Entering (tunnel: VPN X)
2022-01-17 18:36:23.490825: [APP] Unable to open config from keychain: -25300
2022-01-17 18:36:23.491058: [APP] startActivation: Starting tunnel
2022-01-17 18:36:23.491288: [APP] startActivation: Success
2022-01-17 18:36:23.497349: [APP] Tunnel 'VPN X' connection status changed to 'connecting'
2022-01-17 18:36:23.582298: [APP] Unable to open config from keychain: -25300
2022-01-17 18:36:28.491285: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connecting'.
2022-01-17 18:36:29.517132: [APP] Unable to open config from keychain: -25300

-Tunnel config is removed:
2022-01-17 18:38:47.127836: [APP] App version: 1.0.15 (26)
2022-01-17 18:38:47.337355: [APP] Removing orphaned tunnel with non-verifying keychain entry: VPN X

-Tunnel now fails with same config (imported or manually entered)
2022-01-17 18:39:51.924221: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connected'.
2022-01-17 18:39:52.248987: [NET] peer(ZY6x?1ZBc) - Sending handshake initiation
2022-01-17 18:39:57.410547: [NET] peer(ZY6x?1ZBc) - Handshake did not complete after 5 seconds, retrying (try 2)
2022-01-17 18:39:57.410877: [NET] peer(ZY6x?1ZBc) - Sending handshake initiation
2022-01-17 18:39:57.411226: [NET] peer(ZY6x?1ZBc) - Failed to send handshake initiation: write udp4 0.0.0.0:52982-><server ip>:443: sendto: broken pipe
[?]
2022-01-17 18:40:00.396146: [APP] Tunnel 'VPN X' connection status changed to 'disconnected'
2022-01-17 18:41:27.735004: [APP] Tunnel 'VPN X' connection status changed to ?invalid'


?Richard


From herbert at gondor.apana.org.au  Tue Jan 18 06:42:28 2022
From: herbert at gondor.apana.org.au (Herbert Xu)
Date: Tue, 18 Jan 2022 17:42:28 +1100
Subject: [PATCH crypto v3 0/2] reduce code size from blake2s on m68k and
 other small platforms
In-Reply-To: <CAHmME9rxdksVZkN4DF_GabsEPrSDrKbo1cVQs77B_s-e2jZ64A@mail.gmail.com>
Message-ID: <YeZhVGczxcBl0sI9@gondor.apana.org.au>

Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> Excellent, thanks for the breakdown. So this shaves off ~4k, which was
> about what we were shooting for here, so I think indeed this series
> accomplishes its goal of counteracting the addition of BLAKE2s.
> Hopefully Herbert will apply this series for 5.17.

As the patches that triggered this weren't part of the crypto
tree, this will have to go through the random tree if you want
them for 5.17.

Otherwise if you're happy to wait then I can pull them through
cryptodev.

Cheers,
-- 
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

From michal.murin at jamf.com  Wed Jan 19 08:28:57 2022
From: michal.murin at jamf.com (Michal Murin)
Date: Wed, 19 Jan 2022 09:28:57 +0100
Subject: [PATCH] Fixed the failing BadConfigExceptionTest unit test
Message-ID: <20220119082857.64215-1-michal.murin@jamf.com>

Fixed the test by changing the DNS to a string with an invalid char in the `invalid-value.conf` test configuration file. Also removed the `getParsingClass()` condition from the `parseDnsServers()` method as the condition can be never met - the `InetAddresses.parse(dnsServer)` method always throws the `ParseException` with the `parsingClass` set to `InetAddress.class`.
---
 tunnel/src/main/java/com/wireguard/config/Interface.java | 2 +-
 tunnel/src/test/resources/invalid-value.conf             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tunnel/src/main/java/com/wireguard/config/Interface.java b/tunnel/src/main/java/com/wireguard/config/Interface.java
index 694f313..5bd4da7 100644
--- a/tunnel/src/main/java/com/wireguard/config/Interface.java
+++ b/tunnel/src/main/java/com/wireguard/config/Interface.java
@@ -356,7 +356,7 @@ public final class Interface {
                     try {
                         addDnsServer(InetAddresses.parse(dnsServer));
                     } catch (final ParseException e) {
-                        if (e.getParsingClass() != InetAddress.class || !InetAddresses.isHostname(dnsServer))
+                        if (!InetAddresses.isHostname(dnsServer))
                             throw e;
                         addDnsSearchDomain(dnsServer);
                     }
diff --git a/tunnel/src/test/resources/invalid-value.conf b/tunnel/src/test/resources/invalid-value.conf
index 2889111..6a1e3b6 100644
--- a/tunnel/src/test/resources/invalid-value.conf
+++ b/tunnel/src/test/resources/invalid-value.conf
@@ -1,6 +1,6 @@
 [Interface]
 Address = 192.0.2.2/32,2001:db8:ffff:ffff:ffff:ffff:ffff:ffff/128
-DNS = 192.0.2.0,yes
+DNS = 192.0.2.0,invalid_value
 PrivateKey = TFlmmEUC7V7VtiDYLKsbP5rySTKLIZq1yn8lMqK83wo=
 [Peer]
 AllowedIPs = 0.0.0.0/0, ::0/0
-- 
2.30.1 (Apple Git-130)


From me at msfjarvis.dev  Wed Jan 26 15:02:32 2022
From: me at msfjarvis.dev (Harsh Shandilya)
Date: Wed, 26 Jan 2022 20:32:32 +0530
Subject: [PATCH] Fixed the failing BadConfigExceptionTest unit test
In-Reply-To: <20220119082857.64215-1-michal.murin@jamf.com>
References: <20220119082857.64215-1-michal.murin@jamf.com>
Message-ID: <EDD252CD-C22D-4712-B891-E057026A6AA1@getmailspring.com>


Hey Michal,

On Jan 19 2022, at 1:58 pm, Michal Murin <michal.murin at jamf.com> wrote:

> Fixed the test by changing the DNS to a string with an invalid char in
> the `invalid-value.conf` test configuration file. Also removed the
> `getParsingClass()` condition from the `parseDnsServers()` method as
> the condition can be never met - the `InetAddresses.parse(dnsServer)`
> method always throws the `ParseException` with the `parsingClass` set
> to `InetAddress.class`.
> ---
> tunnel/src/main/java/com/wireguard/config/Interface.java | 2 +-
> tunnel/src/test/resources/invalid-value.conf             | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tunnel/src/main/java/com/wireguard/config/Interface.java b/tunnel/src/main/java/com/wireguard/config/Interface.java
> index 694f313..5bd4da7 100644
> --- a/tunnel/src/main/java/com/wireguard/config/Interface.java
> +++ b/tunnel/src/main/java/com/wireguard/config/Interface.java
> @@ -356,7 +356,7 @@ public final class Interface {
>                     try {
>                         addDnsServer(InetAddresses.parse(dnsServer));
>                     } catch (final ParseException e) {
> -                        if (e.getParsingClass() != InetAddress.class
> || !InetAddresses.isHostname(dnsServer))
> +                        if (!InetAddresses.isHostname(dnsServer))
>                             throw e;
>                         addDnsSearchDomain(dnsServer);
>                     }
> diff --git a/tunnel/src/test/resources/invalid-value.conf b/tunnel/src/test/resources/invalid-value.conf
> index 2889111..6a1e3b6 100644
> --- a/tunnel/src/test/resources/invalid-value.conf
> +++ b/tunnel/src/test/resources/invalid-value.conf
> @@ -1,6 +1,6 @@
> [Interface]
> Address = 192.0.2.2/32,2001:db8:ffff:ffff:ffff:ffff:ffff:ffff/128
> -DNS = 192.0.2.0,yes
> +DNS = 192.0.2.0,invalid_value
> PrivateKey = TFlmmEUC7V7VtiDYLKsbP5rySTKLIZq1yn8lMqK83wo=
> [Peer]
> AllowedIPs = 0.0.0.0/0, ::0/0
> -- 
> 2.30.1 (Apple Git-130)
> 
> 

Thanks! The patch looks good, if you can send a v2 with a Signed-off-by
line I'd be happy to apply this.

Cheers,
Harsh Shandilya

From Jason at zx2c4.com  Wed Jan 26 18:25:44 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 26 Jan 2022 19:25:44 +0100
Subject: [PATCH] Fixed the failing BadConfigExceptionTest unit test
In-Reply-To: <20220119082857.64215-1-michal.murin@jamf.com>
References: <20220119082857.64215-1-michal.murin@jamf.com>
Message-ID: <CAHmME9oQ_SiXW-DG4HAm0k0GH17m0210U1Rb6Syuief98+w4kQ@mail.gmail.com>

On Tue, Jan 25, 2022 at 5:12 PM Michal Murin <michal.murin at jamf.com> wrote:
> Also removed the `getParsingClass()` condition from the `parseDnsServers()` method as the condition can be never met - the `InetAddresses.parse(dnsServer)` method always throws the `ParseException` with the `parsingClass` set to `InetAddress.class`.

Until one day it doesn't, and then we have to remember this subtle
behavior. On the contrary, what's there now means that the code is
correct regardless of changes.

> -                        if (e.getParsingClass() != InetAddress.class || !InetAddresses.isHostname(dnsServer))
> +                        if (!InetAddresses.isHostname(dnsServer))

Please drop this snippet from v2.

As Harsh said, we need your sign off line. It would also be
appreciated if you'd wrap your commit message and adjust your commit
subject to match what the project uses conventionally.

Thanks,
Jason

From stephen at slarew.net  Fri Jan 28 05:23:29 2022
From: stephen at slarew.net (Stephen Larew)
Date: Thu, 27 Jan 2022 21:23:29 -0800
Subject: Split DNS for macOS
In-Reply-To: <20211028071638.88001-1-stephen@slarew.net>
References: <20211028071638.88001-1-stephen@slarew.net>
Message-ID: <16E7589D-F36A-4CCD-A388-EA435C8A8D95@slarew.net>

> On Oct 28, 2021, at 00:16, Stephen Larew <stephen at slarew.net> wrote:
> 
> For many months now, I have been running a patched WireGuard macOS app
> that enables a split DNS configuration. I would like to try to upstream
> my patches for split DNS.
> 
> There has been some interest in this patch:
> - "Mac APP DNS Search Domain" thread from July and August 2021 [1]
> - A commenter on my GitHub fork of wireguard-apple.
> 
> What is split DNS? It allows sending DNS queries to a specific server
> based on the domain name. Systemd-resolved calls it a routing domain.
> Apple's Network Extension framework calls it a match domain.  Split DNS
> is especially useful for internal DNS servers.
> 
> For example, if corp.example.com is a routing domain for the DNS server
> at 192.0.2.1 (only accessible over WireGuard), then
> server.corp.example.com is resolved using 192.0.2.1 while
> www.example.com is resolved using some other DNS resolver (depending on
> the other network settings in macOS).
> 
> The proposed patch adds new syntax to the wg-quick DNS= line.
> Specifically, a tilde prefixed domain is treated as a routing domain.
> Multiple routing domains can be added.
> 
> Limitations:
> - Needs modifications to iOS UI to work on iOS.
> - Only matching routing domains are sent to the DNS servers specified in
>  the DNS= config line.  No separate fallback catch-all DNS server can
>  be set.
> - Routing/match domains are also included in the list of search domains.
>  This could be changed with the matchDomainsNoSearch API, but lacking
>  more UI or config file changes to expose this option to the user, I
>  went with the default.
> 
> [1] https://lore.kernel.org/wireguard/20210810074232.aah5ktq5yzysaaey at SvensMacBookAir-2.local/T/
> [2] https://github.com/slarew/wireguard-apple/commit/6ebc356d9e11ab91443e06de5e89f1af57fcdff8

Thanks everyone for your opinions and feedback. Here?s my summary:

- DNS configuration is nuanced, fragmented, and platform dependent.

- Split DNS can be accomplished in several ways:
  - Via the native macOS DNS resolution machinery (NEDNSSettings.matchDomains in my patch)
  - Via a local or upstream non-platform-native DNS resolver

- Demand for split DNS exists. Other VPN apps (e.g. Tailscale and DNSCloak) allow setting split DNS.

--

I would appreciate some feedback from the WireGuard maintainers on next steps. Thanks ahead.

I?ll address some feedback below.

> On Nov 3, 2021, at 02:15, Harald Dunkel <harald.dunkel at aixigo.com> wrote:
> 
> Hi folks,
> 
> I really like this patch. Currently DNS on MacOS is unable to resolve
> both my local DNS names and the domain in the office in parallel, if
> Wireguard is enabled. I have to use somehost.local to fall back to
> zeroconf for my LAN as a workaround, which is pretty annoying.
> 
> My suggestion would be to set SupplementalMatchDomains instead(!) of
> SearchDomains, using the current config file syntax without '~'. Since
> SupplementalMatchDomainsNoSearch is disabled by default, setting
> SupplementalMatchDomains is sufficient to configure both lists. See
> 
> https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
> 
> This has to be verified, of course.
> 
> Regards
> Harri


Harri, it sounds to me like SupplementalMatchDomains is functionally the same as NEDNSSettings.matchDomains. The difference is that SupplementalMatchDomains is specified in Apple?s configuration profiles instead of thru the NEDNSSettings.matchDomains API (by way of a wg-quick syntax extension in my patch). If the WireGuard macOS app supported Apple?s configuration profiles (I don?t believe it does but I may be mistaken), then a configuration profile would conveniently avoid the extended wg-quick syntax in my patch. However, I think configuration profiles are less accessible to the average user.

> On Nov 3, 2021, at 14:34, Andrew Fried <afried at spamteq.com> wrote:
> 
> Basically, what I'm suggesting is that DNS servers handle DNS and wireguard handle routing/transport.  Adding VPN functionality to a nameserver or dns capabilities to Wireguard adds complexities that can be better handled elsewhere.
> 
> What makes Wireguard so good is that it does one thing and does it really, really well.
> 
> Andrew

Andrew, to your point, alternative DNS solutions exist and can be deployed in many ways.  WireGuard itself is not a DNS solution.  That said, wg-quick style configuration (used by the WireGuard macOS app) already does basic DNS configuration.  My patch adds a small extension to wg-quick syntax (tilde prefixed domains) to make certain split DNS scenarios possible.

Crucially, my patch actually integrates directly into macOS?s DNS machinery. No third party software or external network DNS servers need apply.

> On Nov 5, 2021, at 21:54, David Anderson <dave at natulte.net> wrote:
> 
> Hi, Tailscale person here.

Dave, your technical details sound right based on what I remember from my own experimentation.

-Stephen


From harald.dunkel at aixigo.com  Fri Jan 28 09:02:46 2022
From: harald.dunkel at aixigo.com (Harald Dunkel)
Date: Fri, 28 Jan 2022 10:02:46 +0100
Subject: Split DNS for macOS
In-Reply-To: <16E7589D-F36A-4CCD-A388-EA435C8A8D95@slarew.net>
References: <20211028071638.88001-1-stephen@slarew.net>
 <16E7589D-F36A-4CCD-A388-EA435C8A8D95@slarew.net>
Message-ID: <5210b28a-2912-d1ec-457b-7fd88f480241@aixigo.com>

On 2022-01-28 06:23:29, Stephen Larew wrote:
> 
> I would appreciate some feedback from the WireGuard maintainers on next steps. Thanks ahead.
> 

Metoo. Testers wanted?


Regards
Harri

From perry at cynic.org  Tue Jan 25 16:47:42 2022
From: perry at cynic.org (Perry The Cynic)
Date: Tue, 25 Jan 2022 16:47:42 -0000
Subject: [macOS] possible bug
In-Reply-To: <948FB3D5-2990-48E1-B27F-FDA699AEAF24@netcore.se>
References: <948FB3D5-2990-48E1-B27F-FDA699AEAF24@netcore.se>
Message-ID: <05FC8CC3-BCE1-420A-ACFD-AA6F7B06D218@cynic.org>

FWIW, -25300 is errSecItemNotFound (keychain item not found). The MacOS keychain environment is much more complex than on iOS (in fact, there?s an iOS port inside it). Check whether the affected environments have multiple keychains (which can confuse the ?exists? issue), and look (with Keychain Access.app) for broken items that keep the code from recreating good items with a particular primary key. The "Removing orphaned tunnel with non-verifying keychain entry? message points that way.

See if you can reproduce with a fresh user account (which comes with a fresh keychain configuration); if resetting the keychain environment cures the problem, you?re very likely looking at a broken item and/or broken cleanup code.

Cheers
  ? perry


> On Jan 17, 2022, at 11:49 AM, Richard Werner <richard at netcore.se> wrote:
> 
> Hi everyone.
> We found a strange issue regarding macOS client and hope this is a proper way to start (and get some help debugging) a possible bug.
> I?ve not been able to capture the actual error message shown to the user, but I have the a log file.
> 
> What seem to happen is something like this:
> 1. Have a working configuration.
> 2. Some unknown event happens (still investigating).
> 3. An error message is shown (something along the lines of "unable to read config?).
> 4. Orphaned configs are removed, but there seems to be more going on which we can?t identify.
> 5. No WG VPN's will work regardless of removing configs, keychains, etc.
> 
> Even if all tunnels are removed and added again, no traffic leaves the client. It effectively enters a state of not being able to use any wireguards vpns on the client.
> 
> 
> Some entries from the log that shows going from working to not functioning will follow.
> More complete log at https://pastebin.com/m2MqHhPF
> 
> -Working:
> 2022-01-17 17:55:59.292781: [NET] peer(ZY6x?1ZBc) - Sending handshake initiation
> 2022-01-17 17:55:59.337042: [NET] peer(ZY6x?1ZBc) - Received handshake response
> 2022-01-17 17:59:22.007634: [NET] peer(ZY6x?1ZBc) - Receiving keepalive packet
> 
> -Error message is shown:
> 2022-01-17 18:35:29.081737: [APP] App version: 1.0.15 (26)
> 2022-01-17 18:36:22.662281: [APP] startActivation: Entering (tunnel: VPN X)
> 2022-01-17 18:36:23.490825: [APP] Unable to open config from keychain: -25300
> 2022-01-17 18:36:23.491058: [APP] startActivation: Starting tunnel
> 2022-01-17 18:36:23.491288: [APP] startActivation: Success
> 2022-01-17 18:36:23.497349: [APP] Tunnel 'VPN X' connection status changed to 'connecting'
> 2022-01-17 18:36:23.582298: [APP] Unable to open config from keychain: -25300
> 2022-01-17 18:36:28.491285: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connecting'.
> 2022-01-17 18:36:29.517132: [APP] Unable to open config from keychain: -25300
> 
> -Tunnel config is removed:
> 2022-01-17 18:38:47.127836: [APP] App version: 1.0.15 (26)
> 2022-01-17 18:38:47.337355: [APP] Removing orphaned tunnel with non-verifying keychain entry: VPN X
> 
> -Tunnel now fails with same config (imported or manually entered)
> 2022-01-17 18:39:51.924221: [APP] Status update notification timeout for tunnel 'VPN X'. Tunnel status is now 'connected'.
> 2022-01-17 18:39:52.248987: [NET] peer(ZY6x?1ZBc) - Sending handshake initiation
> 2022-01-17 18:39:57.410547: [NET] peer(ZY6x?1ZBc) - Handshake did not complete after 5 seconds, retrying (try 2)
> 2022-01-17 18:39:57.410877: [NET] peer(ZY6x?1ZBc) - Sending handshake initiation
> 2022-01-17 18:39:57.411226: [NET] peer(ZY6x?1ZBc) - Failed to send handshake initiation: write udp4 0.0.0.0:52982-><server ip>:443: sendto: broken pipe
> [?]
> 2022-01-17 18:40:00.396146: [APP] Tunnel 'VPN X' connection status changed to 'disconnected'
> 2022-01-17 18:41:27.735004: [APP] Tunnel 'VPN X' connection status changed to ?invalid'
> 
> 
> ?Richard
> 


From intikaa at gmail.com  Mon Jan 31 07:05:32 2022
From: intikaa at gmail.com (Ali Intika)
Date: Mon, 31 Jan 2022 08:05:32 +0100
Subject: wg-quick and iptables race condition bug
Message-ID: <CACsPCPxuYN3+O-1ytksHX6tkCw5sUurHdnX4v6z-EX5dog0Hwg@mail.gmail.com>

Hi,

First thanks for this amazing piece of code :)

The bug: iptables rules can not be applied in parallel, thus iptables
have the "-w" option (--wait, maximum wait to acquire xtables lock
before giving up) to circumvent this; the "-w" parameter is not used
in wireguard-tools which lead to a racing condition on some systems.

When using wg-quick on a system that do handle often the iptables
rules, especially if we are using wg-quick for a long manipulation (eg
turn up/down multiple interfaces), the command just fail if an other
iptables manipulation is going on, on the system. replacing "iptables"
with "iptables -w 10" on the Wireguard's script/c app (for android)
will solve the issue.

eg where the issue occur
- server handling iptables rules dynamically
- server/client where iptables is often manipulated

Personally I am mainly having this issue on android where the script
is a binary and not as easily editable as an sh file.

Thanks for your consideration
:)