
fix: don't send keep-alives as responder without session #16

Merged
merged 2 commits into from
Oct 24, 2024

Conversation

thomaseizinger
Member

In WireGuard, sessions expire after 180s. In case data has been sent through the tunnel already, WireGuard will initiate a re-key after 120s. Otherwise, the tunnel will expire. Here is the catch: If both sides have a persistent keep-alive configured, attempting to send the next keep-alive with an expired tunnel will initiate a new handshake. This results in both parties sending handshake initiations to each other, effectively fighting over being the initiator of the new handshake. Here are some logs from a test run that demonstrates this:

 73.680s DEBUG client: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
 73.680s DEBUG server: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
102.750s DEBUG client: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
102.750s DEBUG server: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
130.900s DEBUG client: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
130.900s DEBUG server: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
159.970s DEBUG client: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
159.970s DEBUG server: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
188.080s DEBUG client: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
188.080s DEBUG server: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
217.150s DEBUG client: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
217.150s DEBUG server: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
231.220s DEBUG client: boringtun::noise::timers: SESSION_EXPIRED(REJECT_AFTER_TIME) session=1941345281
231.220s DEBUG server: boringtun::noise::timers: SESSION_EXPIRED(REJECT_AFTER_TIME) session=1507565313
246.220s DEBUG client: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
246.220s DEBUG client: boringtun::noise: Sending handshake_initiation
246.220s DEBUG server: boringtun::noise::timers: KEEPALIVE(PERSISTENT_KEEPALIVE)
246.220s DEBUG server: boringtun::noise: Sending handshake_initiation
246.490s DEBUG client: boringtun::noise: Received handshake_initiation remote_idx=1507565314
246.490s DEBUG client: boringtun::noise: Sending handshake_response local_idx=1941345283
246.490s DEBUG client: boringtun::noise: Sending handshake_initiation
246.490s DEBUG server: boringtun::noise: Received handshake_initiation remote_idx=1941345282
246.490s DEBUG server: boringtun::noise: Sending handshake_response local_idx=1507565315
246.490s DEBUG server: boringtun::noise: Sending handshake_initiation
246.760s DEBUG client: boringtun::noise: Received handshake_initiation remote_idx=1507565316
246.760s DEBUG client: boringtun::noise: Sending handshake_response local_idx=1941345285
246.760s DEBUG client: boringtun::noise: Sending handshake_initiation
246.760s DEBUG client: boringtun::noise: Received handshake_response local_idx=1941345282 remote_idx=1507565315
246.760s DEBUG client: Failed to decapsulate incoming packet error=Failed to decapsulate: UnexpectedPacket local=[2001:db80::]:6526 num_bytes=92
246.760s DEBUG server: boringtun::noise: Received handshake_initiation remote_idx=1941345284
246.760s DEBUG server: boringtun::noise: Sending handshake_response local_idx=1507565317
246.760s DEBUG server: boringtun::noise: Sending handshake_initiation
246.760s DEBUG server: boringtun::noise: Received handshake_response local_idx=1507565314 remote_idx=1941345283
246.760s DEBUG server: Failed to decapsulate incoming packet error=Failed to decapsulate: UnexpectedPacket from=[2001:db80::]:6526 num_bytes=92
247.030s DEBUG client: boringtun::noise: Received handshake_initiation remote_idx=1507565318
247.030s DEBUG client: boringtun::noise: Sending handshake_response local_idx=1941345287
247.030s DEBUG client: boringtun::noise: Sending handshake_initiation
247.030s DEBUG client: boringtun::noise: Received handshake_response local_idx=1941345284 remote_idx=1507565317
247.030s DEBUG client: Failed to decapsulate incoming packet error=Failed to decapsulate: UnexpectedPacket local=[2001:db80::]:6526 num_bytes=92
247.030s DEBUG server: boringtun::noise: Received handshake_initiation remote_idx=1941345286
247.030s DEBUG server: boringtun::noise: Sending handshake_response local_idx=1507565319
247.030s DEBUG server: boringtun::noise: Sending handshake_initiation
247.030s DEBUG server: boringtun::noise: Received handshake_response local_idx=1507565316 remote_idx=1941345285
247.030s DEBUG server: Failed to decapsulate incoming packet error=Failed to decapsulate: UnexpectedPacket from=[2001:db80::]:6526 num_bytes=92
247.300s DEBUG client: boringtun::noise: Received handshake_initiation remote_idx=1507565320
247.300s DEBUG client: boringtun::noise: Sending handshake_response local_idx=1941345289
247.300s DEBUG client: boringtun::noise: Received handshake_response local_idx=1941345286 remote_idx=1507565319
247.300s DEBUG client: Failed to decapsulate incoming packet error=Failed to decapsulate: UnexpectedPacket local=[2001:db80::]:6526 num_bytes=92
247.300s DEBUG server: boringtun::noise: Received handshake_initiation remote_idx=1941345288
247.300s DEBUG server: boringtun::noise: Sending handshake_response local_idx=1507565321
247.300s DEBUG server: boringtun::noise: Received handshake_response local_idx=1507565318 remote_idx=1941345287
247.300s DEBUG server: Failed to decapsulate incoming packet error=Failed to decapsulate: UnexpectedPacket from=[2001:db80::]:6526 num_bytes=92
247.570s DEBUG client: boringtun::noise: Received handshake_response local_idx=1941345288 remote_idx=1507565321
247.570s DEBUG client: boringtun::noise: New session session=1941345288
247.570s DEBUG client: boringtun::noise: Sending keepalive
247.570s DEBUG server: boringtun::noise: Received handshake_response local_idx=1507565320 remote_idx=1941345289
247.570s DEBUG server: boringtun::noise: New session session=1507565320
247.570s DEBUG server: boringtun::noise: Sending keepalive

We can mitigate this by adding an additional condition to the keepalive_required condition:

  • Either we must have an active session
  • Or we were the initiator of the previous handshake
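To make the race and the fix concrete, here is a small timer model, added as an illustration and not boringtun's own code. It replays the idle-tunnel scenario from the logs: both peers hold a session that the client initiated at t=0, neither sends data, both have a persistent keepalive configured, and the session is rejected after 180s. The `Peer` struct, `keepalive_required`, `simulate`, the 25s keepalive interval and the "client"/"server" names are all constructed for this example; `REJECT_AFTER_TIME` uses the 180s value from the description above.

```rust
use std::time::Duration;

/// Session lifetime from the PR description (WireGuard's REJECT_AFTER_TIME).
pub const REJECT_AFTER_TIME: Duration = Duration::from_secs(180);

/// Timer state of one peer. Constructed model for this example, not boringtun's types.
#[derive(Debug, Clone)]
pub struct Peer {
    pub name: &'static str,
    /// Time at which the current session was established, if we still have one.
    pub session_established: Option<Duration>,
    /// Whether this peer initiated the handshake that created the last session.
    pub was_initiator: bool,
    /// Configured persistent keepalive interval (assumed: 25s in the simulation).
    pub persistent_keepalive: Duration,
    /// Time of the last packet we sent (data or keepalive).
    pub last_sent: Duration,
}

impl Peer {
    /// Expire the session once REJECT_AFTER_TIME has elapsed since it was established.
    pub fn expire_if_due(&mut self, now: Duration) {
        if self
            .session_established
            .map_or(false, |t| now.saturating_sub(t) >= REJECT_AFTER_TIME)
        {
            self.session_established = None;
        }
    }

    /// Original rule: a keepalive is due once the interval has elapsed.
    /// With `with_fix`, the extra condition from this PR is applied: we must either
    /// still have an active session, or have been the initiator of the previous
    /// handshake. A responder with no session therefore stays quiet instead of
    /// racing the initiator with its own handshake_initiation.
    pub fn keepalive_required(&self, now: Duration, with_fix: bool) -> bool {
        let interval_elapsed = now.saturating_sub(self.last_sent) >= self.persistent_keepalive;
        if !with_fix {
            return interval_elapsed;
        }
        interval_elapsed && (self.session_established.is_some() || self.was_initiator)
    }
}

/// Step both peers through time in 1s ticks and return the names of the peers that
/// would start a handshake at the first keepalive fired after the session expired.
pub fn simulate(with_fix: bool) -> Vec<&'static str> {
    let mut client = Peer {
        name: "client",
        session_established: Some(Duration::ZERO),
        was_initiator: true,
        persistent_keepalive: Duration::from_secs(25),
        last_sent: Duration::ZERO,
    };
    // Same state, but the server answered the handshake rather than initiating it.
    let mut server = Peer { name: "server", was_initiator: false, ..client.clone() };

    let mut initiators = Vec::new();
    for sec in 1..=(REJECT_AFTER_TIME.as_secs() + 60) {
        let now = Duration::from_secs(sec);
        for peer in [&mut client, &mut server] {
            peer.expire_if_due(now);
            if peer.keepalive_required(now, with_fix) {
                peer.last_sent = now;
                // Sending a keepalive without a session means initiating a handshake.
                if peer.session_established.is_none() {
                    initiators.push(peer.name);
                }
            }
        }
        if !initiators.is_empty() {
            break;
        }
    }
    initiators
}

fn main() {
    println!("without fix: {:?}", simulate(false));
    println!("with fix:    {:?}", simulate(true));
}
```

Without the fix both sides fire at the 200s keepalive and each sends a handshake_initiation, which is the "fighting over being the initiator" pattern in the logs; with the fix only the previous initiator does, and the responder waits for that handshake to arrive.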

@thomaseizinger thomaseizinger added this pull request to the merge queue Oct 24, 2024
Merged via the queue into master with commit 04a9655 Oct 24, 2024
5 of 14 checks passed