
#1 2021-04-24 23:57:50

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,148

WireGuard handshake problem on one specific route

For some weeks we have been encountering the following problem in our office.
When trying to connect to our Intranet via WireGuard to our VPN server, the handshake response packets, which are sent back by the server, are not being received by the client.
From the WireGuard debug logs I can see that the handshake responses are sent back to the correct address and NAT port.
Even if I use direct port forwarding on the client-side office DSL connection to my workstation with a static listen address, the problem persists.
The server sends back the responses, but they do not reach the client.
The packets are sent over the correct interface on the server; the routes are ok.

Now comes the "funny" part.
1) If I use the very same client (my laptop) from any other DSL, even within the same city with the same Internet provider (tested at one of our partner companies), I can connect via WireGuard and use it without any issues.
2) If I copy the exact same server configuration from our server to my home server, I can connect from the office and use the WireGuard VPN without any problems either.
3) If I use WireGuard on my phone via our office WiFi, and hence its DSL, I cannot connect either. The handshake fails in the exact same manner.
4) If I disable WiFi on my phone and connect via LTE, the connection gets established just fine.
Buckle your seatbelts:
5) If I then activate WiFi again to use the office WiFi, and hence DSL, I can see that the WireGuard connection seamlessly floats from the LTE connection to the DSL connection of our office.

What. The. Fuck.

So the issue affects only
1) Handshake response packets from the server to the client.
2) Only on the route from our server to our office.

I ran traceroute on all aforementioned server -> client routes and found out that there is one and only one router from our ISP on the route from our server to our office that does not show up on any other route.
I messaged our ISP with all the information above and am currently awaiting a response.
Am I on the right track that the issue must persist on the Internet routers on that particular route, or am I missing something obvious?
What else could cause this issue?
I am at a loss.

P.S.: Due to COVID-19 I am currently working from home 99% of the time. Needless to say, I can connect to our server fine from my private DSL at home, too.

Last edited by schard (2021-04-25 00:03:18)
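As an added illustration (this is not code from the original post), the following Python script classifies WireGuard UDP payloads by message type, using the protocol's first payload byte (1 = handshake initiation, 2 = handshake response, 3 = cookie reply, 4 = transport data), its three reserved zero bytes, and the fixed sizes of the handshake messages (148, 92 and 64 bytes; transport data is at least 32 bytes). It then compares what was captured at the server's egress with what arrived at the client's ingress, so a path that drops one message type while letting another through, as the post describes for handshake responses versus transport data, stands out in a single report. The two captures below are constructed; in practice the payloads would come from packet captures taken on both sides of the path.

```python
"""Classify WireGuard UDP payloads and compare server-egress vs client-ingress captures.

Added example for diagnosing path-selective loss of one WireGuard message type.
Sample captures are constructed inline; feed real UDP payloads from both ends to use it.
"""
from collections import Counter

# WireGuard message types, keyed by the first byte of the UDP payload.
WG_TYPES = {
    1: "handshake_initiation",
    2: "handshake_response",
    3: "cookie_reply",
    4: "transport_data",
}
# Handshake messages have fixed on-the-wire lengths; transport data is variable.
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}
WG_DATA_MIN_LEN = 32  # 16-byte header + 16-byte AEAD tag (a bare keepalive)


def classify(payload: bytes) -> str:
    """Return the WireGuard message name for a UDP payload, or a reason it is not one."""
    if len(payload) < 4:
        return "not_wireguard"
    msg_type = payload[0]
    # Bytes 1..3 are reserved and must be zero in every WireGuard message.
    if payload[1:4] != b"\x00\x00\x00":
        return "not_wireguard"
    name = WG_TYPES.get(msg_type)
    if name is None:
        return "not_wireguard"
    if msg_type in WG_FIXED_LEN and len(payload) != WG_FIXED_LEN[msg_type]:
        return "malformed_" + name
    if msg_type == 4 and len(payload) < WG_DATA_MIN_LEN:
        return "malformed_" + name
    return name


def compare_captures(sent, received):
    """Count message types in two payload lists (server egress, client ingress).

    Returns {type_name: (sent_count, received_count, lost_count)}.
    """
    sent_counts = Counter(classify(p) for p in sent)
    recv_counts = Counter(classify(p) for p in received)
    names = sorted(set(sent_counts) | set(recv_counts))
    return {n: (sent_counts[n], recv_counts[n], sent_counts[n] - recv_counts[n]) for n in names}


def suspicious_types(report):
    """Message types that were sent but never arrived, while some other type did arrive.

    Total loss of everything points at routing or a dead link; loss of exactly one
    type while others pass is the signature of a filtering or policy element on the path.
    """
    anything_arrived = any(recv > 0 for _, recv, _ in report.values())
    if not anything_arrived:
        return []
    return [n for n, (sent, recv, _) in report.items() if sent > 0 and recv == 0]


def fake_wg_packet(msg_type: int, length: int) -> bytes:
    """Constructed payload: correct type byte and reserved zeros, zero-filled body."""
    return bytes([msg_type, 0, 0, 0]) + b"\x00" * (length - 4)


# Constructed sample: the server emitted 3 handshake responses and 5 data packets.
SERVER_EGRESS = [fake_wg_packet(2, 92)] * 3 + [fake_wg_packet(4, 128)] * 5
# Constructed sample: at the client only the 5 data packets showed up.
CLIENT_INGRESS = [fake_wg_packet(4, 128)] * 5


def sample_report():
    """Run the comparison on the constructed captures."""
    return compare_captures(SERVER_EGRESS, CLIENT_INGRESS)


if __name__ == "__main__":
    report = sample_report()
    for name, (sent, recv, lost) in report.items():
        print(f"{name:22s} sent={sent:3d} received={recv:3d} lost={lost:3d}")
    print("selectively dropped:", suspicious_types(report))
```

The script expects raw UDP payloads, not whole frames; when capturing with tcpdump or tshark, strip the Ethernet/IP/UDP headers before handing the bytes to `classify`. The message sizes checked here are the protocol's fixed sizes, so a handshake response that arrives with a different length is reported as malformed rather than silently counted.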

