ISSUE: Wiresock tunnel stopping unintentionally #230

Open
Ned-2600 opened this issue Oct 18, 2024 · 11 comments
Labels
bug Something isn't working

Comments

@Ned-2600

Describe the issue
Made a couple of different WireGuard VPN servers with their profiles on my Unifi UDM-SE, in different subnets and with different firewall rules.
Further, in the TunnlTo application I have only allowed the applications Firefox and PuTTY to use the VPN connection; other apps are ignored.

When I actively use the VPN tunnel everything works fine, but as soon as the VPN tunnel doesn't generate any network traffic it keeps disconnecting multiple times, even though I have set the Persistent Keep-Alive timer to 20 seconds and the handshake from the UDM-SE VPN server to every 3 minutes.

To Reproduce
Steps to reproduce the behavior:

  1. Start the TunnlTo application; the PC is connected to a Layer 2 switch > connected to the ISP router, with no exceptional settings that could disturb the VPN tunnel.
  2. Click on a specific tunnel config; which one doesn't make a difference, all VPN profiles experience the same.
  3. Click on Enable and let the VPN tunnel idle for some time; in most cases it starts happening after 30-45 minutes, sometimes less.
  4. The Unifi VPN logging is getting flooded with VPN client disconnects and reconnects happening multiple times, even with the Persistent Keep-Alive timer set to 20 seconds on both client and server side with the test VPN server I made (again, other VPN servers are also affected).

Expected behavior
Expected behavior: Client stays connected over the VPN tunnel towards my Unifi UDM-SE VPN server, even when having low network usage, due to the Persistent Keep-Alive timer at 20 seconds, which tries to keep the NAT tables at both sides updated.

Tested on official WireGuard client
Are you experiencing the same issue using the official Windows WireGuard client? No, because my PC is always generating network traffic and therefore the VPN tunnels are being held connected.

Tested on different VPN servers
Are you experiencing the issue on multiple VPN servers? Yes, multiple VPN servers; config might differentiate.

Screenshots and GIFs
[attached screenshots: 2024-10-19_00-13-11, 2024-10-19_00-14-09]

Tunnel Config
[attached screenshot: 2024-10-19_00-16-57]

Logs
In Settings, change the "WireSock Log Level" to "Show All Logs". Copy/paste the logs here with any identifying information removed.
[attachment: TunnlTo VPN disconnect test with full logs (19-10-24 between 0.20AM and 1.33AM.txt]
[attached screenshot: chrome_2024-10-19_01-38-28]

Starting WireSock directly << Not done yet; I can do this later if needed. First look into the currently given and attached information, please.

Instructions
If possible, follow the instructions below and comment on the outcome:

  1. Open TunnlTo and Enable the tunnel (this will save the config file to disk)
  2. Disable the tunnel and close TunnlTo
  3. Open a command prompt and issue the following commands:

```bat
cd "C:\Program Files\WireSock VPN Client\bin"

REM Ensure you alter the <YOUR USERNAME> component of the path
wiresock-client.exe run -config C:\Users\<YOUR USERNAME>\AppData\Local\TunnlTo\tunnel.conf -log-level all
```

@Ned-2600 Ned-2600 added the bug Something isn't working label Oct 18, 2024
@brendanosborne
Contributor

brendanosborne commented Oct 19, 2024

Thanks for putting effort into the details.

Could you try the official WireGuard client with allowed IPs set to an offline endpoint so that no traffic is sent through, potentially triggering the same issue? That may rule out a lot of variables.

It is probably unrelated to this issue, but I don't believe you need to specify the 192.168... addresses as the 0.0.0.0/0 covers them.

@Ned-2600
Author

Ned-2600 commented Oct 20, 2024 via email

@brendanosborne
Contributor

> After this I made the requested change to set the allowed IPs to an offline endpoint that didn't exist in order to cause the same issue, but sadly enough, as expected, the VPN tunnel stayed up since there is continuous network traffic over the tunnel saturating and keeping the interface online (please see the attached screenshots and logging).

There shouldn't be any traffic on the tunnel if you've set the AllowedIPs to a non-existent or offline endpoint. Just to clarify, you need to do this test with the official WireGuard Client. Your config should look something like:

```ini
[Interface]
PrivateKey = [private-key]
Address = 192.168.70.2/32
DNS = 192.168.70.1

[Peer]
PublicKey = [public-key]
Endpoint = [endpoint]
PersistentKeepalive = 20
AllowedIPs = 192.0.2.0/24
```

Actually I'm not even sure if you need the AllowedIPs - if you leave it out the tunnel should connect but nothing is routed. Either way, the tunnel will be up but nothing should be routing over it. Once that is established, we can determine if the issue is related to Wiresock or something else.

> Furthermore, during my research when removing both the legit IP endpoints and the 0.0.0.0/0, I found out removing the latter IP range (0.0.0.0/0) does kill the VPN tunnel's ability to set up a connection.
> NOTE: For further notice, these endpoints in the config are automatically generated by my Unifi UDM-SE gateway when creating a new WireGuard VPN profile and normally shouldn't need any modifications.

You need to leave 0.0.0.0/0 in (not during the test though). What I meant was that for normal operation, listing 192.168.70.1/32 and 192.168.70.2/32 is not required if you also have 0.0.0.0/0.
0.0.0.0: This is a special address that signifies "all IP addresses" in the context of routing.
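The point about 0.0.0.0/0 already covering the 192.168.70.x/32 entries can be checked mechanically. The following is an added example, not code from TunnlTo, WireSock or the UDM-SE: it parses a WireGuard-style config (a constructed sample shaped like the profile above, with placeholder keys and an `.invalid` endpoint) and reports every AllowedIPs prefix that is fully contained in a broader prefix of the same peer, plus the PersistentKeepalive value so a missing keepalive is visible at the same time.

```python
"""Check a WireGuard [Peer] AllowedIPs list for redundant prefixes.

Added example, not part of TunnlTo or WireSock. A line-based parser is used
instead of configparser because a real config may contain several [Peer]
sections with the same name.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the shape of the gateway-generated profile discussed
# in this thread, with placeholder keys and a documentation-only endpoint.
SAMPLE_CONF = """\
[Interface]
PrivateKey = [private-key]
Address = 192.168.70.2/32
DNS = 192.168.70.1

[Peer]
PublicKey = [public-key]
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 20
AllowedIPs = 192.168.70.1/32, 192.168.70.2/32, 0.0.0.0/0
"""

Section = Tuple[str, Dict[str, str]]


def parse_wg_conf(text: str) -> List[Section]:
    """Return (section name, {key: value}) pairs in file order."""
    sections: List[Section] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def redundant_allowed_ips(allowed: str) -> List[Tuple[str, str]]:
    """Return (narrow, broad) pairs where narrow lies entirely inside broad."""
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed.split(",") if p.strip()]
    found: List[Tuple[str, str]] = []
    for n in nets:
        for b in nets:
            # subnet_of() only compares networks of the same IP version
            if n.version == b.version and n != b and n.subnet_of(b):
                found.append((str(n), str(b)))
                break
    return found


def check_config(text: str) -> List[Dict[str, object]]:
    """One finding per [Peer]: keepalive setting and redundant AllowedIPs."""
    findings: List[Dict[str, object]] = []
    for name, kv in parse_wg_conf(text):
        if name != "Peer":
            continue
        keepalive: Optional[str] = kv.get("PersistentKeepalive")
        findings.append({
            "public_key": kv.get("PublicKey", ""),
            "keepalive": int(keepalive) if keepalive else None,
            "redundant": redundant_allowed_ips(kv.get("AllowedIPs", "")),
        })
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONF):
        print(f"peer {f['public_key']}: keepalive={f['keepalive']}")
        for narrow, broad in f["redundant"]:
            print(f"  {narrow} is already covered by {broad}")
```

Run against the sample it reports both /32 entries as covered by 0.0.0.0/0, while the single `192.0.2.0/24` used for the no-traffic test above produces no findings.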

@Ned-2600
Author

Ned-2600 commented Oct 22, 2024 via email

@Ned-2600
Author

Ned-2600 commented Nov 6, 2024 via email

@brendanosborne
Contributor

brendanosborne commented Nov 7, 2024

Hi, yes I forgot to get back to this one.

I'm not sure if the issue is related to persistent keepalive.

Original logs:

```text
Tunnel Disabled. Wiresock process stopped
2024-10-19 01:32:31 [FILTER]: Skipping C:\Program Files\Google\Chrome\Application\chrome.exe : UDP : 192.168.178.80:55596 -> 172.217.23.195:443
2024-10-19 01:32:29 [TUN]: keep_alive_thread: Sending Keepalive packet to WireGuard Server success
2024-10-19 01:32:26 [FILTER]: Skipping C:\Users\Vyasa Span\AppData\Local\Discord\app-1.0.9166\Discord.exe : UDP : 192.168.178.80:56676 -> 162.159.129.232:443
2024-10-19 01:32:26 [TUN]: DNS response from 192.168.70.1 translated as from 1.1.1.1
2024-10-19 01:32:26 [TUN]: DNS request to 1.1.1.1 forwarded to 192.168.70.1
```

Unfortunately there is no timestamp on the Tunnel Disabled line so we can't tell how much time passes between the most recent activity on the tunnel and it stopping. You could look at the server logs to get more information on what is happening.

TunnlTo appears to be doing its job of setting up and running Wiresock but something may be happening at the Wiresock level causing the tunnel to disable. I can help with configs and basic troubleshooting but there is not much else I can think of to diagnose at this point. I'll have a new version of TunnlTo out in a few weeks which uses Wiresock in service mode and will be a lot more robust.

@wiresock may be able to assist if he has time, otherwise another option is to follow up on the Wiresock support forums.
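When the client log lacks a timestamp for the stop event, the remaining useful measurements are the cadence of the keepalive lines and the idle time between the last tunnel activity and a stop time taken from elsewhere (for instance the server's disconnect log). The following is an added example, not part of TunnlTo or WireSock: it parses lines in the `YYYY-MM-DD HH:MM:SS [TAG]: message` format seen above (a constructed excerpt, newest line first as copied from the log view), checks the gaps between "Sending Keepalive packet" lines against the configured PersistentKeepalive, and reports how long the tunnel had been idle before a caller-supplied stop time.

```python
"""Keepalive cadence and idle time from WireSock "Show All Logs" output.

Added diagnostic example, not part of TunnlTo or WireSock. The log format
is the one visible in this thread: "YYYY-MM-DD HH:MM:SS [TAG]: message".
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]: (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample, newest line first as the TunnlTo log view shows it.
# The untimestamped "Tunnel Disabled" line is left out on purpose: it
# cannot be placed on the timeline, which is exactly the gap noted above.
SAMPLE_LOG = """\
2024-10-19 01:32:31 [FILTER]: Skipping chrome.exe : UDP : 192.168.178.80:55596 -> 172.217.23.195:443
2024-10-19 01:32:29 [TUN]: keep_alive_thread: Sending Keepalive packet to WireGuard Server success
2024-10-19 01:32:26 [TUN]: DNS response from 192.168.70.1 translated as from 1.1.1.1
2024-10-19 01:32:26 [TUN]: DNS request to 1.1.1.1 forwarded to 192.168.70.1
2024-10-19 01:32:09 [TUN]: keep_alive_thread: Sending Keepalive packet to WireGuard Server success
2024-10-19 01:31:49 [TUN]: keep_alive_thread: Sending Keepalive packet to WireGuard Server success
2024-10-19 01:30:40 [TUN]: keep_alive_thread: Sending Keepalive packet to WireGuard Server success
"""

Entry = Tuple[datetime, str, str]  # (timestamp, tag, message)


def parse_log(text: str) -> List[Entry]:
    """Parse timestamped lines and return them in chronological order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:  # untimestamped lines (e.g. "Tunnel Disabled") are skipped
            continue
        entries.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    entries.sort(key=lambda e: e[0])
    return entries


def keepalive_gaps(entries: List[Entry]) -> List[int]:
    """Seconds between consecutive keepalive sends."""
    times = [ts for ts, tag, msg in entries
             if tag == "TUN" and "Sending Keepalive packet" in msg]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def late_keepalives(entries: List[Entry], configured_s: int, tolerance_s: int = 5) -> List[int]:
    """Gaps that exceed the configured PersistentKeepalive plus a tolerance."""
    return [g for g in keepalive_gaps(entries) if g > configured_s + tolerance_s]


def idle_before(entries: List[Entry], stop_at: str) -> Optional[int]:
    """Seconds from the last TUN-level line to stop_at ("YYYY-MM-DD HH:MM:SS").

    stop_at is supplied by the caller because the client log carries no
    timestamp for the stop; the server's disconnect time is one source.
    """
    tun_times = [ts for ts, tag, _ in entries if tag == "TUN"]
    if not tun_times:
        return None
    return int((datetime.strptime(stop_at, TS_FMT) - max(tun_times)).total_seconds())


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("keepalive gaps (s):", keepalive_gaps(log))
    print("gaps over configured 20 s:", late_keepalives(log, 20))
    print("idle before 01:33:00:", idle_before(log, "2024-10-19 01:33:00"), "s")
```

On the sample the keepalive gaps are 69, 20 and 20 seconds, so the first gap is flagged against a 20-second setting; pasting a full export in place of the sample and the server's disconnect time as `stop_at` gives the idle figure the comment above says is missing.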

@Ned-2600
Author

Ned-2600 commented Nov 7, 2024 via email

@brendanosborne
Contributor

Another thing to try is to run Wiresock directly (with TunnlTo closed).

  • Open TunnlTo and Enable the tunnel (this will save the config file to disk)
  • Disable the tunnel and close TunnlTo
  • Open a command prompt and issue the following commands:

```bat
cd "C:\Program Files\WireSock VPN Client\bin"

REM Ensure you alter the <YOUR USERNAME> component of the path
wiresock-client.exe run -config C:\Users\<YOUR USERNAME>\AppData\Local\TunnlTo\tunnel.conf -log-level all
```

That will at least rule out TunnlTo being a factor.

@brendanosborne brendanosborne changed the title ISSUE: Persistent Keep-Alive doesn't work properly, VPN to UDM-SE keeps disconnecting ISSUE: Wiresock tunnel stopping unintentionally Nov 8, 2024
@Ned-2600
Author

Ned-2600 commented Nov 21, 2024 via email

@brendanosborne
Contributor

Try wrapping the config path in commas:

```bat
wiresock-client.exe run -config "C:\Users\Vyasa Span\AppData\Local\TunnlTo\tunnel.conf" -log-level all
```

@Ned-2600
Author

Ned-2600 commented Nov 30, 2024 via email
