Wireguard is losing connection for no reason

Alan Graham alan at meshify.app
Mon Jun 27 21:40:36 UTC 2022


Hi Pavel,

I also have a VM in OCI, albeit with Oracle Linux and not Ubuntu.
It's working without issues.  Your PresharedKeys could be at fault
based on how you obfuscated them.  However, I would look at all the
other iptables rules that Oracle made in the VM.  They are long and
complicated and I believe at some point I just nuked them all.

You might also want to install Wireshark on the client and make a
capture when you're having the problem.  You can also remove the
fd42:42:42:2/128 references and see if that solves the problem.  I can
imagine switching from ipv4 to ipv6 could cause such a hiccup and I
don't actually have ipv6 setup in my config.  I'd also ensure you're
not using Oracle's NAT feature for your VM as theirs is not a NAT you
can run Wireguard behind.  Hopefully one of these suggestions will
help!

Best regards,
Alan



On Mon, Jun 27, 2022 at 4:07 AM Pavel Yegorov <yegorov.p at gmail.com> wrote:
>
> Hey folks!
>
> I really need some advice, because I just don't know how to deal with my problem.
>
> So, I have a WG "server" on ubuntu 18.04.6 LTS, hosted in the oracle
> free tier. I've installed wireguard using well-known
> https://github.com/angristan/wireguard-install script. Then I've
> generated several configs for my desktops, phones, etc. It connects
> and runs perfectly, but sometimes it just freezes for no reason.
> There are no connectivity issues or anything like that. Logs on the client
> side say something like this:
>
> 2022-06-21 03:01:01.845: [TUN] [win] Keypair 17 created for peer 1
> 2022-06-21 03:01:01.846: [TUN] [win] Sending keepalive packet to peer
> 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:03:01.822: [TUN] [win] Sending handshake initiation to
> peer 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:03:01.884: [TUN] [win] Receiving handshake response from
> peer 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:03:01.884: [TUN] [win] Keypair 16 destroyed for peer 1
> 2022-06-21 03:03:01.884: [TUN] [win] Keypair 18 created for peer 1
> 2022-06-21 03:03:01.884: [TUN] [win] Sending keepalive packet to peer
> 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:05:02.058: [TUN] [win] Sending handshake initiation to
> peer 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:05:02.106: [TUN] [win] Receiving handshake response from
> peer 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:05:02.106: [TUN] [win] Keypair 17 destroyed for peer 1
> 2022-06-21 03:05:02.106: [TUN] [win] Keypair 19 created for peer 1
> 2022-06-21 03:05:02.106: [TUN] [win] Sending keepalive packet to peer
> 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:06:21.302: [TUN] [win] Retrying handshake with peer 1
> (SERVER_IP:SERVER_PORT) because we stopped hearing back after 15
> seconds
> 2022-06-21 03:06:21.302: [TUN] [win] Sending handshake initiation to
> peer 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:06:26.423: [TUN] [win] Handshake for peer 1
> (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying
> (try 2)
> 2022-06-21 03:06:26.423: [TUN] [win] Sending handshake initiation to
> peer 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:06:31.471: [TUN] [win] Handshake for peer 1
> (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying
> (try 3)
> 2022-06-21 03:06:31.473: [TUN] [win] Sending handshake initiation to
> peer 1 (SERVER_IP:SERVER_PORT)
> 2022-06-21 03:06:36.517: [TUN] [win] Handshake for peer 1
> (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying
> (try 4)
>
> If I reconnect WG client, it immediately connects and everything is ok.
>
> Any advice? I tried to experiment with the PersistentKeepAlive param (on
> both sides!) but that doesn't change anything.
>
> My server cfg:
>
> [Interface]
> Address = 10.66.66.1/24,fd42:42:42::1/64
> ListenPort = SERVER_PORT
> PrivateKey = M?????Uyg4r3mo=
>
> PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -I
> FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j
> MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A
> POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -I INPUT -i ens3 -p
> udp --dport SERVER_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
> PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D
> FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j
> MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D
> POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -D INPUT -i ens3 -p
> udp --dport SERVER_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
>
> ### Client iphone
> [Peer]
> PublicKey = 0+V???????4HnM=
> PresharedKey = s???????amJCxJyqcE=
> AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
>
> ### Client mac
> [Peer]
> PublicKey = Tet4??????mI=
> PresharedKey = Ld???r8=
> AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128
>
> My client cfg
>
> [Interface]
> PrivateKey = 4Bp????=
> Address = 10.66.66.2/32,fd42:42:42::2/128
> DNS = 8.8.8.8,1.1.1.1
>
> [Peer]
> PublicKey = 5R?????c=
> PresharedKey = sY????E=
> Endpoint = SERVER_IP:SERVER_PORT
> AllowedIPs = 0.0.0.0/0,::/0
>
> some stats
>
> root at oraclevpn:~# wg show all
> interface: wg0
>   public key: 5R?????c=
>   private key: (hidden)
>   listening port: SERVER_PORT
>
> peer: 0+?????nM=
>   preshared key: (hidden)
>   endpoint: 666.666.666.666:11111
>   allowed ips: 10.66.66.2/32, fd42:42:42::2/128
>   latest handshake: 2 minutes, 2 seconds ago
>   transfer: 533.52 MiB received, 5.18 GiB sent
>
>
> --
> Pavel Yegorov

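An added triage script for the symptoms in this thread (example code, not part of WireGuard or the wireguard-install script). It parses the Windows client log format quoted above and the tab-separated output of `wg show wg0 dump` on the server, and applies the protocol timers from the WireGuard whitepaper: a fresh handshake every 120 seconds (REKEY_AFTER_TIME) is the normal rekey cadence while traffic flows, so the two-minute spacing of the handshakes in the client log and the "latest handshake: 2 minutes, 2 seconds ago" in the server's `wg show` are healthy; the "15 seconds" and "5 seconds" in the log are KEEPALIVE_TIMEOUT + REKEY_TIMEOUT and REKEY_TIMEOUT. A peer is only flagged as stale when its last handshake is older than 180 seconds (REJECT_AFTER_TIME), and that only matters for a peer expected to be active. The sample log lines are the ones quoted in the thread re-joined one per line; the dump output, its keys, endpoints and timestamps are constructed for the example.

```python
"""Triage a stalling WireGuard tunnel from the client log and `wg show dump`.

Added example for this thread, not code from WireGuard or the
wireguard-install script.  It checks the handshake cadence on both ends:
the Windows client log format quoted in the thread, and the tab-separated
output of `wg show wg0 dump` on the server.
"""
import re
from datetime import datetime

# WireGuard protocol timers in seconds (from the WireGuard whitepaper).
REKEY_AFTER_TIME = 120    # initiator starts a fresh handshake this long after the last one
REKEY_TIMEOUT = 5         # an unanswered handshake initiation is resent after this long
KEEPALIVE_TIMEOUT = 10    # KEEPALIVE_TIMEOUT + REKEY_TIMEOUT is the "15 seconds" in the log
REJECT_AFTER_TIME = 180   # a session older than this is discarded

# Constructed sample: the lines quoted in the thread, re-joined one per line
# (the list archive wrapped them); SERVER_IP:SERVER_PORT are the poster's placeholders.
CLIENT_LOG = """\
2022-06-21 03:03:01.822: [TUN] [win] Sending handshake initiation to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:03:01.884: [TUN] [win] Receiving handshake response from peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:05:02.058: [TUN] [win] Sending handshake initiation to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:05:02.106: [TUN] [win] Receiving handshake response from peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:06:21.302: [TUN] [win] Retrying handshake with peer 1 (SERVER_IP:SERVER_PORT) because we stopped hearing back after 15 seconds
2022-06-21 03:06:26.423: [TUN] [win] Handshake for peer 1 (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying (try 2)
2022-06-21 03:06:31.471: [TUN] [win] Handshake for peer 1 (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying (try 3)
2022-06-21 03:06:36.517: [TUN] [win] Handshake for peer 1 (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying (try 4)
"""

_LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d\d:\d\d:\d\d\.\d{3}): \[TUN\] \[win\] (.*)$")


def parse_client_log(text):
    """Return [(datetime, message)] for every line in the Windows client log format."""
    events = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2)))
    return events


def handshake_intervals(events):
    """Seconds between consecutive completed handshakes; about REKEY_AFTER_TIME is healthy."""
    done = [t for t, msg in events if msg.startswith("Receiving handshake response")]
    return [round((b - a).total_seconds(), 1) for a, b in zip(done, done[1:])]


def find_stall(events):
    """First point where the client stopped hearing back, or None if the log is healthy.

    Returns (stall_time, seconds_since_last_completed_handshake, failed_retries).
    """
    last_good = None
    for t, msg in events:
        if msg.startswith("Receiving handshake response"):
            last_good = t
        elif "stopped hearing back" in msg or "did not complete" in msg:
            since = round((t - last_good).total_seconds(), 1) if last_good else None
            retries = sum(1 for t2, m2 in events if t2 >= t and "did not complete" in m2)
            return (t, since, retries)
    return None


def stale_peers(dump_text, now_unix, max_age=REJECT_AFTER_TIME):
    """Peers from `wg show <iface> dump` whose last handshake is older than max_age.

    Only meaningful for peers expected to be active (traffic flowing or
    PersistentKeepalive set); an idle peer legitimately shows an old handshake.
    Returns [(public_key, age_seconds_or_None)]; None means never handshaked.
    """
    stale = []
    for line in dump_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 8:      # the first line (4 fields) describes the interface itself
            continue
        pubkey, latest = fields[0], int(fields[4])
        if latest == 0:
            stale.append((pubkey, None))
        elif now_unix - latest > max_age:
            stale.append((pubkey, now_unix - latest))
    return stale


# Constructed sample of `wg show wg0 dump`: interface line, then one line per
# peer (public key, preshared key, endpoint, allowed IPs, latest handshake as a
# unix timestamp, rx bytes, tx bytes, persistent keepalive).  Keys, endpoints
# and timestamps are placeholders, not values from the thread.
WG_DUMP = (
    "SERVER_PRIVATE_KEY=\tSERVER_PUBLIC_KEY=\t51820\toff\n"
    "PEER_IPHONE_KEY=\tPSK_IPHONE=\t203.0.113.7:11111\t10.66.66.2/32,fd42:42:42::2/128\t1655780622\t559427584\t5561533267\t25\n"
    "PEER_MAC_KEY=\tPSK_MAC=\t198.51.100.9:40000\t10.66.66.3/32,fd42:42:42::3/128\t1655780100\t4096\t8192\toff\n"
    "PEER_NEW_KEY=\t(none)\t(none)\t10.66.66.4/32\t0\t0\t0\toff\n"
)
NOW_UNIX = 1655780722   # constructed "current time" for the sample above


if __name__ == "__main__":
    events = parse_client_log(CLIENT_LOG)
    print("handshake intervals (s):", handshake_intervals(events))   # [120.2]
    print("stall:", find_stall(events))                               # 03:06:21, 79.2 s after last good handshake, 3 failed retries
    print("stale peers:", stale_peers(WG_DUMP, NOW_UNIX))             # mac peer (622 s), new peer (never)
```

On a real server, feed it `wg show wg0 dump` taken while the client is in its retry loop. If the server side still shows the peer's last handshake at the moment the client last succeeded and nothing newer, the client's initiations (or the server's responses) are being dropped somewhere in between, which is exactly where the iptables rules, a packet capture on both ends, and the provider's NAT behaviour come in.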
