Stale WG session ?
-
@cmcdonald said in Stale WG session ?:
@chudak Try the latest package version 0.1.5_3, which includes a pretty significant fix that impacts handshakes.
Thanks
But I will wait for it to be in stable release
Any clues for its ETA?
-
@chudak Should be in all stable branches now.
-
@cmcdonald said in Stale WG session ?:
@chudak Should be in all stable branches now.
Installed it, but so far not sure if this issue was fixed.
Have you been able to reproduce it?
Why do you think it's fixed? Thx
-
Actually, I left my iPhone on 5G network and WG connected and so far after > 3 hours, I see no problems.
:)
-
@chudak Thanks for the feedback! Much appreciated.
-
@cmcdonald said in Stale WG session ?:
@chudak Thanks for the feedback! Much appreciated.
I don't see a stale state as often as I used to, but it's not completely fixed AFAICS
I will be paying more attention and see if other users provide more data points.
@Lakitu78 You saw the same problem, can you see if it's better/same/worse on the latest release?
-
This problem is not fixed and is very annoying :(
It's very simple to test - connect WG on an iPhone and see if you can use the phone for a whole day.
The iPhone becomes unresponsive and no DNS names get resolved until I disable WG and then activate it again. Please take a look at it!
-
@chudak I have not been able to replicate this issue as of yet. I have several devices that maintain connections all the time without issue. Can you upgrade to 2.6.0-RC and give v0.1.6 a test?
-
@cmcdonald said in Stale WG session ?:
@chudak I have not been able to replicate this issue as of yet. I have several devices that maintain connections all the time without issue. Can you upgrade to 2.6.0-RC and give v0.1.6 a test?
I want to wait till 2.6.0 is released.
The devices that you maintain connected to WG all the time, do you turn them off or are they on all the time?
-
Just chiming in that I've seen the same issue with the official wireguard app on Android. The symptoms are the same with an always-on VPN connection that stays on for a day or more but eventually goes stale with no connectivity. A reconnect will fix the issue but it will return occasionally once every 1-3 days. I've noticed it most on first use in the morning after the phone has been idle during the night.
-
The frequency of this problem I see on iPhone is 1-3 hours
-
@chudak said in Stale WG session ?:
The frequency of this problem I see on iPhone is 1-3 hours
So this is an issue on iOS with the latest WireGuard app?
-
@eirikrcoquere
Yes in my case
And I saw somebody saying it's the same problem on Android
-
@chudak said in Stale WG session ?:
@eirikrcoquere
Yes in my case
And I saw somebody saying it's the same problem on Android
I need to give it a try. Are there any good up-to-date tutorials for setting things up in pfSense and iPhone? Last time I tried the handshake went well but I had no internet.
-
@eirikrcoquere After monitoring this for a few more days I think the stale connection in my case may be related to transitions between the home network that is behind the firewall and external mobile/wifi networks. The official WG client on my Android phone is configured with an always-on VPN connection to pfsense on the home network, using a dynamic DNS address that maps to the WAN IP.
When I move from the home network to an external network there is typically no issue, but when connecting back to the home wifi the WG session often goes stale. Sometimes it's immediate, other times it is after some hours. Disabling/enabling the interface within the wireguard client fixes the issue so I'm not sure if it is an underlying issue with the way the home network is configured (pure NAT), or whether there is something in the handoff between networks that goes amiss under certain conditions. It does not seem related to e.g. changes in the IP address on the WAN interface because that typically remains stable for months on end. I don't think I've encountered any stale WG sessions when connected to outside networks.
-
@hvbakel said in Stale WG session ?:
@eirikrcoquere After monitoring this for a few more days I think the stale connection in my case may be related to transitions between the home network that is behind the firewall and external mobile/wifi networks. The official WG client on my Android phone is configured with an always-on VPN connection to pfsense on the home network, using a dynamic DNS address that maps to the WAN IP.
When I move from the home network to an external network there is typically no issue, but when connecting back to the home wifi the WG session often goes stale. Sometimes it's immediate, other times it is after some hours. Disabling/enabling the interface within the wireguard client fixes the issue so I'm not sure if it is an underlying issue with the way the home network is configured (pure NAT), or whether there is something in the handoff between networks that goes amiss under certain conditions. It does not seem related to e.g. changes in the IP address on the WAN interface because that typically remains stable for months on end. I don't think I've encountered any stale WG sessions when connected to outside networks.
I will keep an eye on this use case. Off the top of my head, I've seen it while being on my home network or T-Mobile cellular, but not 100% sure yet.
Thx
-
Obviously my lab is rebooted quite often as part of the normal daily development cycle. However, my kit has been up for 21 days without reboot thanks to some timing with some traveling and remote work over the past few weeks. All my tunnels to Mullvad, IVPN, etc. have persisted this entire time. So, this might be a clue that there is something funky with the WireGuard Go implementation, which is what provides WG support for iOS and Android. I don't have the tooling currently set up to work on the iOS/Android ports, but I'm going to reach out to some people that do and see what they think. There was an issue that was identified by Kyle Evans a few months ago with the FreeBSD kernel implementation that could lead to a stale WG state... but right now it's really hard to tell where the problem lies.
-
@cmcdonald I've tried to do some additional troubleshooting at times when the WG session has gone stale. When this happens, the android client shows repeated log messages stating that the "Handshake did not complete after 5 seconds, retrying". If I do nothing, the handshake process typically completes eventually after maybe ~5 mins.
In my case, the issue only seems to occur (at least I've only noticed it) when the phone is connected to my IOT WiFi network that is behind the firewall. When looking at the state of the WG port at the time the handshake issue occurs, I see the following:
IOT udp <WAN_IP>:51420 -> <LAN_IP>:39844 MULTIPLE:SINGLE 33 / 270 4 KiB / 34 KiB
If I kill this state, the next handshake will succeed and the state then changes to:
IOT udp <WAN_IP>:51420 -> <LAN_IP>:39844 MULTIPLE:MULTIPLE 246 / 212 47 KiB / 46 KiB
I'm not sure if any of this helps shed any light on the issue and I'm no expert, but I wonder if there is perhaps an underlying issue in NAT reflection for the WAN address?
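
A way to spot the condition described in the post above without reading the state table by eye, given as an added example that is not part of the original post: it parses rows in the pasted format and reports UDP states on the WireGuard port where one side is not yet `MULTIPLE` (pf tracks UDP per side as `NO_TRAFFIC`, `SINGLE` or `MULTIPLE`). The sample rows and addresses are constructed; port 51420 is the one shown in the post, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# Row layout as pasted in the post:
#   IFACE PROTO SRC:PORT -> DST:PORT SRCSTATE:DSTSTATE PKTS / PKTS BYTES / BYTES
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<src_state>[A-Z_]+):(?P<dst_state>[A-Z_]+)\s+"
    r"(?P<pkts_a>\d+)\s*/\s*(?P<pkts_b>\d+)"
)

class State(NamedTuple):
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    src_state: str
    dst_state: str

def parse_row(line: str) -> Optional[State]:
    """Parse one state-table row; return None for non-UDP or unparsable rows."""
    m = ROW.match(line.strip())
    if not m or m["proto"].lower() != "udp":
        return None
    return State(m["iface"], m["src"], int(m["sport"]), m["dst"],
                 int(m["dport"]), m["src_state"], m["dst_state"])

def parse_states(text: str) -> List[State]:
    return [s for s in map(parse_row, text.splitlines()) if s is not None]

def one_sided(states: List[State], wg_port: int) -> List[State]:
    """UDP states touching wg_port whose two sides are not both MULTIPLE."""
    return [s for s in states
            if wg_port in (s.sport, s.dport)
            and (s.src_state, s.dst_state) != ("MULTIPLE", "MULTIPLE")]

# Constructed sample rows (documentation/private addresses, not from the thread).
SAMPLE = """\
IOT udp 203.0.113.10:51420 -> 192.168.30.25:39844 MULTIPLE:SINGLE 33 / 270 4 KiB / 34 KiB
IOT udp 203.0.113.10:51420 -> 192.168.30.26:41002 MULTIPLE:MULTIPLE 246 / 212 47 KiB / 46 KiB
LAN udp 192.168.1.5:40000 -> 192.168.1.1:53 MULTIPLE:SINGLE 2 / 1 120 B / 90 B
LAN tcp 192.168.1.5:51514 -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED 10 / 12 2 KiB / 3 KiB
"""

if __name__ == "__main__":
    for s in one_sided(parse_states(SAMPLE), 51420):
        print(f"{s.iface} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"{s.src_state}:{s.dst_state}")
```
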
-
@hvbakel I switched to using a split DNS setup with a host override for the dynamic DNS name to point to the internal firewall address rather than the WAN address. Cautiously optimistic that this may have resolved the handshake issues I was seeing when connected to the internal network, as I've not encountered any since switching. I will keep monitoring.
-
@hvbakel Cheered too soon I'm afraid and the split-DNS solution also does not solve the periodic issue with handshake failures and sessions going stale. The issue also persists after upgrading to the recently released 2.6/22.01 version of pfSense.