Bug #15517
[closed] WireGuard not responding to the handshake from the same port
Description
Hello everyone,
I am seeing an issue with WireGuard responding from a different port for the Handshake response. This is causing the source to drop the packet since the handshake response is coming back from a different port.
The destination port in the screenshot below in packet one is UDP/56658. However, pfSense sends the handshake response from port UDP/21208. This happens after the pfSense VM reboots.
I changed the port and restarted the WireGuard service. It does function properly after changing the port and restarting the service. Now it is responding from the same port the handshake initiation packet was sent to.
I am running WireGuard version 0.2.1.
This does look odd and that is why I am adding it to the bug tracker.
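To check for the symptom described above in a capture, here is an added example (not from the report or from pfSense): it parses the WireGuard message header, pairs each handshake response with its initiation via the receiver index, and flags responses whose source port differs from the port the initiation was sent to. The packet records and addresses are constructed; only the two ports come from the report.

```python
import struct
from typing import NamedTuple, Optional

# WireGuard message types (first byte of the UDP payload).
WG_HANDSHAKE_INITIATION = 1
WG_HANDSHAKE_RESPONSE = 2

class UdpPacket(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def wg_header(payload: bytes):
    """Return (type, sender_index, receiver_index) or None if too short.
    Layout: type(1) reserved(3) sender(4, LE) and, for a response, receiver(4, LE)."""
    if len(payload) < 8:
        return None
    msg_type = payload[0]
    sender = struct.unpack_from("<I", payload, 4)[0]
    receiver = None
    if msg_type == WG_HANDSHAKE_RESPONSE and len(payload) >= 12:
        receiver = struct.unpack_from("<I", payload, 8)[0]
    return msg_type, sender, receiver

def find_port_mismatches(packets):
    """Pair response.receiver_index with initiation.sender_index and report
    (expected_port, actual_port, responder) where the reply came from another port."""
    initiations = {}  # sender index -> initiation packet
    mismatches = []
    for pkt in packets:
        hdr = wg_header(pkt.payload)
        if hdr is None:
            continue
        msg_type, sender, receiver = hdr
        if msg_type == WG_HANDSHAKE_INITIATION:
            initiations[sender] = pkt
        elif msg_type == WG_HANDSHAKE_RESPONSE and receiver in initiations:
            init = initiations[receiver]
            if pkt.sport != init.dport or pkt.src != init.dst:
                mismatches.append((init.dport, pkt.sport, pkt.src))
    return mismatches

def wg_msg(msg_type: int, sender: int, receiver: Optional[int] = None) -> bytes:
    """Constructed header only (no real handshake crypto), enough for the parser above."""
    hdr = bytes([msg_type, 0, 0, 0]) + struct.pack("<I", sender)
    if receiver is not None:
        hdr += struct.pack("<I", receiver)
    return hdr + b"\x00" * 16

# Constructed sample mirroring the report: initiation sent to UDP/56658, reply from UDP/21208.
SAMPLE = [
    UdpPacket("192.0.2.10", 40000, "198.51.100.1", 56658, wg_msg(1, 0x11223344)),
    UdpPacket("198.51.100.1", 21208, "192.0.2.10", 40000, wg_msg(2, 0x55667788, 0x11223344)),
]
```

Feed it packets decoded from a pcap of the WireGuard port; an entry in the result means the responder (or a NAT in front of it, as the maintainers suggest) rewrote the source port, which the initiator will reject.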
Updated by Kris Phillips about 1 year ago
- Status changed from New to Incomplete
Which side of this packet capture is the pfSense side and what is on the other side? There aren't enough details in this ticket, and the censoring of the source and destination makes it difficult to ascertain what is happening. WireGuard doesn't have a Server/Client relationship, so either end can be an initiator and responder.
Marking redmine as Incomplete until more details can be provided.
Updated by Jim Pingle about 1 year ago
- Status changed from Incomplete to Rejected
This is almost certainly due to a misconfiguration such as applying outbound NAT on traffic generated from the firewall itself. Keep it on the forum until/unless it can be replicated in isolated/lab conditions.