WireGuard VPN: Traffic graph shows occasional blips, confirmed by netstat -I, but tcpdump doesn't capture anything
-
I have a permanent site-to-site WireGuard VPN connection which is up 24x365. It is working fine.
Often the connection is idle and during these periods the pfSense Traffic Graph for the WGUARD interface (the VPN interface) shows occasional small blips of incoming traffic (nothing outgoing). netstat -I confirms that there was a packet or two received but tcpdump running on the interface (tun_wg1) shows absolutely nothing. When there is genuine traffic tcpdump captures it just fine.
I'm curious to know what these occasional phantom inbound packets might be...
-
Try capturing the encapsulated traffic on the parent interface. You could be seeing traffic that's dropped before it makes it out of the WG interface. I wouldn't expect it to be an issue though.
-
@stephenw10 Thanks. I monitored the WireGuard traffic on the underlying interface at the same time and sure enough every 15 seconds the remote peer sends a 32-byte UDP packet. This ties up with the client's setting 'PersistentKeepalive = 15' so it is just the keepalive traffic. Mystery solved.
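
The 32-byte size reported above matches a WireGuard transport message (type 4) with an empty encrypted payload: a 16-byte header plus a 16-byte authentication tag, so there is no inner IP packet for a capture on the tunnel interface to show. The following is an added example, not part of the original thread, that classifies outer UDP payloads by WireGuard message type and measures the keepalive interval; the function names and the sample capture are constructed for illustration.

```python
import struct
from statistics import median

# WireGuard handshake message types and their fixed sizes (per the protocol spec).
HANDSHAKE_SIZES = {1: ("handshake_initiation", 148),
                   2: ("handshake_response", 92),
                   3: ("cookie_reply", 64)}
TRANSPORT_HEADER = 16   # type(1) + reserved(3) + receiver index(4) + counter(8)
AEAD_TAG = 16           # Poly1305 tag appended to the encrypted inner packet


def classify(udp_payload: bytes) -> str:
    """Classify one outer UDP payload by its WireGuard message type."""
    if len(udp_payload) < 4:
        return "not_wireguard"
    msg_type, = struct.unpack_from("<I", udp_payload, 0)  # type + 3 zero reserved bytes
    if msg_type in HANDSHAKE_SIZES:
        name, size = HANDSHAKE_SIZES[msg_type]
        return name if len(udp_payload) == size else "malformed"
    if msg_type == 4:
        inner_len = len(udp_payload) - TRANSPORT_HEADER - AEAD_TAG
        if inner_len < 0:
            return "malformed"
        return "keepalive" if inner_len == 0 else "transport_data"
    return "not_wireguard"


def keepalive_interval(capture):
    """Median gap in seconds between keepalives in [(timestamp, payload), ...]."""
    times = [ts for ts, payload in capture if classify(payload) == "keepalive"]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


def transport(receiver: int, counter: int, inner_len: int) -> bytes:
    """Build a constructed type-4 message with dummy ciphertext (sample data only)."""
    return struct.pack("<IIQ", 4, receiver, counter) + bytes(inner_len + AEAD_TAG)


# Constructed sample: an idle tunnel with one burst of real traffic at t=31.
SAMPLE = [(0.0, transport(0x1234, 0, 0)), (15.0, transport(0x1234, 1, 0)),
          (30.0, transport(0x1234, 2, 0)), (31.0, transport(0x1234, 3, 96)),
          (46.0, transport(0x1234, 4, 0))]

if __name__ == "__main__":
    for ts, payload in SAMPLE:
        print(f"{ts:6.1f}s  {len(payload):4d} bytes  {classify(payload)}")
    print("keepalive interval:", keepalive_interval(SAMPLE), "s")
```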