#1 2021-04-24 23:57:50

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,933

[ISP PROBLEM] WireGuard handshake problem on one specific route

For some weeks we have been encountering the following problem in our office.
When trying to connect to our Intranet via WireGuard to our VPN server, the handshake response packets, which are sent back by the server, are not received by the client.
From the WireGuard debug logs I can see that the handshake responses are sent back to the correct address and NAT port.
Even if I use direct port forwarding on the client-side office DSL connection to my workstation with a static listen address the problem persists.
The server sends back the responses but they do not reach the client.
The packets are sent over the correct interface on the server; the routes are ok.

Now comes the "funny" part.
1) If I use the very same client (my laptop) from any other DSL, even within the same city by the same Internet provider (tested at one of our partner companies) I can connect via WireGuard and use it without any issues.
2) If I copy the exact same server configuration from our server to my home server, I can connect from the office and use the WireGuard VPN without any problems whatsoever.
3) If I use WireGuard on my phone via our office WiFi and hence its DSL, I cannot connect either. The handshake fails in the exact same manner.
4) If I disable WiFi on my phone and connect via LTE, the connection gets established just fine.
Buckle your seatbelts:
5) If I then activate WiFi again to use the office WiFi and hence DSL, I can see that the WireGuard connection seamlessly floats from the LTE connection to the DSL connection of our office.

What. The. Fuck.

So the issue affects only
1) Handshake response packets from the server to the client.
2) Only on the route from our server to our office.

I ran traceroute on all aforementioned server -> client routes and found out that there is one and only one router from our ISP on the route from our server to our office, that does not show up on any other routes.
I messaged our ISP with all the information above and am currently awaiting a response.
Am I on the right track that the issue must be on the Internet routers on that particular route, or am I missing something obvious?
What else could cause this issue?
I am at a loss.

P.S.: Due to COVID-19 I am currently working from home 99% of the time. Needless to say, I can connect to our server fine from my private DSL at home, too.

Solution
After two inquiries, the first one of which was immediately dismissed by our ISP, I finally got the issue through to the technical support, who are currently still working on fixing this issue.
Since everything indicates that this is an issue on our ISP's network, there's nothing that I can do about this. The next step, if they cannot fix it, is to terminate the contract and look for another ISP.

Last edited by schard (2022-02-18 09:49:19)

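The diagnosis in the post above rests on comparing two captures of the same handshake attempt: the server-side PCAP shows every initiation being answered, while the client-side PCAP shows the same initiations with no response, which pins the loss on the path in between. The following script is an added example (not the poster's code or part of the WireGuard project) that does that comparison: it decodes only the fixed-size WireGuard message headers (type, sender index, receiver index) and matches each handshake initiation to a response carrying its sender index. The "captures" are constructed in memory with zeroed keys and MACs, so it runs offline; the addresses and index values are made up.

```python
"""Correlate WireGuard handshake initiations with their responses from two vantage points.

Added example for the thread above, not code from the poster or from WireGuard.
Only the fixed-size message headers are decoded; no cryptography is involved.
The sample "captures" below are constructed in memory so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Message type: first byte of every WireGuard UDP payload, followed by 3 reserved zero bytes
MSG_INITIATION, MSG_RESPONSE, MSG_COOKIE, MSG_TRANSPORT = 1, 2, 3, 4
# Fixed on-the-wire sizes of the three handshake message types
LEN_INITIATION, LEN_RESPONSE, LEN_COOKIE = 148, 92, 64
# WireGuard retransmits an unanswered initiation after REKEY_TIMEOUT (5 s)
REKEY_TIMEOUT = 5.0


@dataclass
class WgMsg:
    ts: float                # capture timestamp in seconds
    src: str                 # "ip:port" of the UDP sender
    dst: str                 # "ip:port" of the UDP receiver
    mtype: int
    sender: Optional[int]    # sender index (initiation, response)
    receiver: Optional[int]  # receiver index (response, cookie reply, transport data)


def parse_wg(ts: float, src: str, dst: str, payload: bytes) -> Optional[WgMsg]:
    """Decode the header of one UDP payload; return None if it is not WireGuard-shaped."""
    if len(payload) < 4:
        return None
    mtype = struct.unpack_from("<I", payload, 0)[0]  # little-endian u32: type + 3 zero bytes
    if mtype == MSG_INITIATION and len(payload) == LEN_INITIATION:
        return WgMsg(ts, src, dst, mtype, struct.unpack_from("<I", payload, 4)[0], None)
    if mtype == MSG_RESPONSE and len(payload) == LEN_RESPONSE:
        sender, receiver = struct.unpack_from("<II", payload, 4)
        return WgMsg(ts, src, dst, mtype, sender, receiver)
    if mtype == MSG_COOKIE and len(payload) == LEN_COOKIE:
        return WgMsg(ts, src, dst, mtype, None, struct.unpack_from("<I", payload, 4)[0])
    if mtype == MSG_TRANSPORT and len(payload) >= 32:  # 16-byte header + 16-byte Poly1305 tag minimum
        return WgMsg(ts, src, dst, mtype, None, struct.unpack_from("<I", payload, 4)[0])
    return None


def unanswered_initiations(msgs: List[WgMsg], window: float = REKEY_TIMEOUT) -> List[WgMsg]:
    """Initiations with no response (receiver index == initiation's sender index,
    addresses reversed) seen within `window` seconds."""
    responses = [m for m in msgs if m.mtype == MSG_RESPONSE]
    missing = []
    for init in (m for m in msgs if m.mtype == MSG_INITIATION):
        answered = any(
            r.receiver == init.sender and r.src == init.dst and r.dst == init.src
            and 0 <= r.ts - init.ts <= window
            for r in responses
        )
        if not answered:
            missing.append(init)
    return missing


def diagnose(server_msgs: List[WgMsg], client_msgs: List[WgMsg]) -> str:
    """Classify the failure from the two captures of the same attempt."""
    srv_missing = unanswered_initiations(server_msgs)
    cli_missing = unanswered_initiations(client_msgs)
    if not srv_missing and cli_missing:
        return "responses sent by server but lost on the return path"
    if srv_missing:
        return "server never answered (server-side config, firewall or key problem)"
    return "handshake completes at both ends"


# --- constructed sample captures (made-up indices and documentation-range addresses) ---
def fake_initiation(sender_index: int) -> bytes:
    # Only the header matters here; ephemeral/static/timestamp/MAC fields are zero padding.
    return struct.pack("<II", MSG_INITIATION, sender_index) + b"\0" * (LEN_INITIATION - 8)


def fake_response(sender_index: int, receiver_index: int) -> bytes:
    return struct.pack("<III", MSG_RESPONSE, sender_index, receiver_index) + b"\0" * (LEN_RESPONSE - 12)


CLIENT, SERVER = "203.0.113.10:41234", "198.51.100.5:51820"

# What tcpdump on the server sees: every initiation is answered.
SERVER_SIDE = [
    parse_wg(0.00, CLIENT, SERVER, fake_initiation(0x11111111)),
    parse_wg(0.01, SERVER, CLIENT, fake_response(0x2A2A2A2A, 0x11111111)),
    parse_wg(5.02, CLIENT, SERVER, fake_initiation(0x22222222)),  # client retried with a new index
    parse_wg(5.03, SERVER, CLIENT, fake_response(0x2B2B2B2B, 0x22222222)),
]
# What tcpdump on the client sees for the same attempt: the responses never arrive.
CLIENT_SIDE = [
    parse_wg(0.00, CLIENT, SERVER, fake_initiation(0x11111111)),
    parse_wg(5.02, CLIENT, SERVER, fake_initiation(0x22222222)),
]

if __name__ == "__main__":
    print(diagnose(SERVER_SIDE, CLIENT_SIDE))
```

On a real incident you would feed `parse_wg` with the timestamp, endpoints and UDP payload of each packet from a capture filter such as `udp port 51820` on both hosts, read with any pcap library; the matching on sender/receiver index is what lets you say "the server answered this exact initiation" rather than just counting packets. The 5 s window mirrors WireGuard's retransmit interval, so an initiation that is still unanswered after it is one the client will have given up on and retried with a fresh index.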

#2 2021-12-26 19:59:04

oofnik
Member
Registered: 2020-03-08
Posts: 8

Re: [ISP PROBLEM] WireGuard handshake problem on one specific route

Did you ever achieve a solution with your ISP for this issue? I'm encountering something very similar with one particular WireGuard endpoint. If I redeploy the WireGuard server on a different public IP, it works for a bit, then all of a sudden return packets are black-holed, never to re-appear. The connection works fine from any other internet connection. Also, all other WireGuard connections work without issue from my home ISP - it's only one particular combination of home ISP and WireGuard server in a particular AWS region that's causing issues.


#3 2021-12-26 23:03:26

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,933

Re: [ISP PROBLEM] WireGuard handshake problem on one specific route

I was not able to solve it. Our ISP did not respond any longer after I repeatedly reported the issue and provided debug information (traceroute, PCAP).
We terminated the contract with said ISP.


#4 2021-12-27 09:07:54

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [ISP PROBLEM] WireGuard handshake problem on one specific route

Not sure whether you face the same situation as schard, but that smells like a timeout issue
https://wiki.archlinux.org/title/WireGu … /_firewall
or maybe MTU
https://wiki.archlinux.org/title/WireGuard#Low_MTU
since you're principally able to complete the handshake, right?

@schard, the V or the T ISP?

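The two things seth points at, a NAT or firewall UDP mapping timing out and an MTU that is too large for the path, are both fixed in the client's WireGuard configuration. The fragment below is an added example of those two settings with the reasoning for the values; it is not from the thread or from the linked wiki pages, and the key placeholders, addresses and hostname are made up.

```ini
[Interface]
PrivateKey = <client private key>
Address = 10.0.0.2/32
# Tunnel MTU. Per-packet overhead on the outer link is IP header + 8 (UDP)
# + 32 (WireGuard: 4 type + 4 receiver index + 8 counter + 16 Poly1305 tag):
#   IPv4: 1500 - 20 - 8 - 32 = 1440
#   IPv6: 1500 - 40 - 8 - 32 = 1420  (the wg-quick default)
# A PPPoE/DSL uplink usually has an outer MTU below 1500, so go lower still
# if large packets stall while the handshake itself succeeds.
MTU = 1420

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/24
# Send an empty keepalive every 25 s so the NAT/firewall UDP mapping, which
# many devices expire after 30 s of silence, stays open for return packets.
PersistentKeepalive = 25
```

The keepalive only matters for the peer behind NAT or a stateful firewall; on a server with a public listen port it is unnecessary. Note that neither setting explains the symptom in the original post, where the very first handshake response is already lost on one route, which is why schard's case pointed at the ISP rather than at the configuration.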

#5 2021-12-29 14:31:43

oofnik
Member
Registered: 2020-03-08
Posts: 8

Re: [ISP PROBLEM] WireGuard handshake problem on one specific route

Thanks both. In my case it was indeed an ISP problem. It was resolved by assigning a new IP address to my home equipment.
