Re: snapshot 0.0.20170628 broken?
Just to be sure, you can replace wg-quick for 0.0.20170628 with the 0.0.20170613 wg-quick version from https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick.bash?h=0.0.20170613 and try it out.

On Thu, Jun 29, 2017, at 17:23, Reuben Martin wrote:
> On Thursday, June 29, 2017 11:39:33 AM CDT Jason A. Donenfeld wrote:
> > Hey Reuben,
> >
> > I'm unable to reproduce these results. How sure are you about this
> > situation? Have you tried to reproduce more than once? What are you
> > using to configure the peers?
> >
> > Jason
>
> Yes, I can consistently reproduce when I move all 3 computers to the newer
> snapshot. This is a Gentoo system using (gasp) systemd. I configure the peers
> using the wg-quick@wg0 service unit. I use a post-up and pre-down in the
> config to set up a vxlan overlaid on top of the VPN connections, but I don’t
> think that should matter since this is just using the wg0 interface directly. I
> can provide that setup info if you think it might be relevant.
>
> tshark capture of a simple wget from the computer that can’t connect.
>
>  5 7.615139647 192.168.100.12 → 192.168.100.1 TCP 60 54134 → 80 [SYN] Seq=0 Win=27600 Len=0 MSS=1380 SACK_PERM=1 TSval=3852526353 TSecr=0 WS=128
>  6 7.684940917 192.168.100.1 → 192.168.100.12 TCP 60 80 → 54134 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=3308550712 TSecr=3852526353 WS=128
>  7 7.684956294 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [ACK] Seq=1 Ack=1 Win=27648 Len=0 TSval=3852526423 TSecr=3308550712
>  8 7.685008715 192.168.100.12 → 192.168.100.1 HTTP 202 GET /index.html HTTP/1.1
>  9 7.754723388 192.168.100.1 → 192.168.100.12 TCP 52 80 → 54134 [ACK] Seq=1 Ack=151 Win=28544 Len=0 TSval=3308550782 TSecr=3852526423
> 10 7.998440304 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b Cost = 0 Port = 0x8003
> 11 9.982462221 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b Cost = 0 Port = 0x8003
> 12 10.321889091 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [FIN, ACK] Seq=151 Ack=1 Win=27648 Len=0 TSval=3852529060 TSecr=3308550782
> 13 10.392081110 192.168.100.1 → 192.168.100.12 TCP 52 [TCP Previous segment not captured] 80 → 54134 [FIN, ACK] Seq=1010 Ack=152 Win=28544 Len=0 TSval=3308553420 TSecr=3852529060
> 14 10.392097109 192.168.100.12 → 192.168.100.1 TCP 40 54134 → 80 [RST] Seq=152 Win=0 Len=0
>
> -Reuben

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: snapshot 0.0.20170628 broken?
Hello Reuben,

I've tried several things to try to reproduce this, in different network configurations, and I'm entirely unable to. Could you provide more details? Like the output of:

wg
ip link
ip addr
cat /proc/cpuinfo
cat /proc/version
lspci
lsusb
lshw
lsmod
lsb_release -a
cat /sys/module/wireguard/version
dmesg
nping --tcp wireguard.io -p 80 -c 1 -vv

For each of the three systems?

Thanks,
Jason

Re: snapshot 0.0.20170628 broken?
On Thursday, June 29, 2017 11:39:33 AM CDT Jason A. Donenfeld wrote:
> Hey Reuben,
>
> I'm unable to reproduce these results. How sure are you about this
> situation? Have you tried to reproduce more than once? What are you
> using to configure the peers?
>
> Jason

Yes, I can consistently reproduce when I move all 3 computers to the newer snapshot. This is a Gentoo system using (gasp) systemd. I configure the peers using the wg-quick@wg0 service unit. I use a post-up and pre-down in the config to set up a vxlan overlaid on top of the VPN connections, but I don’t think that should matter since this is just using the wg0 interface directly. I can provide that setup info if you think it might be relevant.

tshark capture of a simple wget from the computer that can’t connect.

 5 7.615139647 192.168.100.12 → 192.168.100.1 TCP 60 54134 → 80 [SYN] Seq=0 Win=27600 Len=0 MSS=1380 SACK_PERM=1 TSval=3852526353 TSecr=0 WS=128
 6 7.684940917 192.168.100.1 → 192.168.100.12 TCP 60 80 → 54134 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=3308550712 TSecr=3852526353 WS=128
 7 7.684956294 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [ACK] Seq=1 Ack=1 Win=27648 Len=0 TSval=3852526423 TSecr=3308550712
 8 7.685008715 192.168.100.12 → 192.168.100.1 HTTP 202 GET /index.html HTTP/1.1
 9 7.754723388 192.168.100.1 → 192.168.100.12 TCP 52 80 → 54134 [ACK] Seq=1 Ack=151 Win=28544 Len=0 TSval=3308550782 TSecr=3852526423
10 7.998440304 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b Cost = 0 Port = 0x8003
11 9.982462221 a6:67:de:b7:51:27 → Spanning-tree-(for-bridges)_00 STP 88 Conf. Root = 0/0/8a:46:93:88:40:8b Cost = 0 Port = 0x8003
12 10.321889091 192.168.100.12 → 192.168.100.1 TCP 52 54134 → 80 [FIN, ACK] Seq=151 Ack=1 Win=27648 Len=0 TSval=3852529060 TSecr=3308550782
13 10.392081110 192.168.100.1 → 192.168.100.12 TCP 52 [TCP Previous segment not captured] 80 → 54134 [FIN, ACK] Seq=1010 Ack=152 Win=28544 Len=0 TSval=3308553420 TSecr=3852529060
14 10.392097109 192.168.100.12 → 192.168.100.1 TCP 40 54134 → 80 [RST] Seq=152 Win=0 Len=0

-Reuben

Re: snapshot 0.0.20170628 broken?
On Thu, Jun 29, 2017 at 6:42 PM, Jason A. Donenfeld wrote:
> He said already: 20170613

Ooops! Sorry about the noise, time for evening coffee it seems ;-/

Kalin.

Re: snapshot 0.0.20170628 broken?
Hello Reuben,

And what was the last good version that was working in this same setup?

Kalin.

Re: snapshot 0.0.20170628 broken?
On Thursday, June 29, 2017 11:14:01 AM CDT HDA wrote:
> Did you use the same snapshot version across all machines?

yes.

> Should we postpone the snapshot update in the Ubuntu PPA?
>
> On Thu, Jun 29, 2017, at 15:47, Reuben Martin wrote:
> > Something is off with this latest snapshot:
> >
> > - Computer-X sitting in the cloud accepting incoming connections.
> >
> > - Computer-A sits behind a masquerade NAT or a remote network. Computer-A can
> > connect to Computer-X, and then create a TCP session with services on
> > Computer-X directly over the wg0 interface.
> >
> > - Computer-B is behind the same NAT as Computer-A. It can also create a
> > connection with Computer-X. It gets a response pinging Computer-X on its wg0
> > address, but it cannot create a TCP session with services on Computer-X over
> > the wg0 interface.
> >
> > The only thing I have found that might be relevant is that A was the first to
> > connect, so the NAT port assigned is the same as the port that wireguard on X
> > is listening to. Whereas B gets assigned a random port on the NAT side. That
> > may just be coincidental though. Downgrading to 20170613 and TCP sessions work
> > from all connections again.
> >
> > -Reuben

Re: snapshot 0.0.20170628 broken?
Did you use the same snapshot version across all machines?

Should we postpone the snapshot update in the Ubuntu PPA?

On Thu, Jun 29, 2017, at 15:47, Reuben Martin wrote:
> Something is off with this latest snapshot:
>
> - Computer-X sitting in the cloud accepting incoming connections.
>
> - Computer-A sits behind a masquerade NAT or a remote network. Computer-A can
> connect to Computer-X, and then create a TCP session with services on
> Computer-X directly over the wg0 interface.
>
> - Computer-B is behind the same NAT as Computer-A. It can also create a
> connection with Computer-X. It gets a response pinging Computer-X on its wg0
> address, but it cannot create a TCP session with services on Computer-X over
> the wg0 interface.
>
> The only thing I have found that might be relevant is that A was the first to
> connect, so the NAT port assigned is the same as the port that wireguard on X
> is listening to. Whereas B gets assigned a random port on the NAT side. That
> may just be coincidental though. Downgrading to 20170613 and TCP sessions work
> from all connections again.
>
> -Reuben