Wireguard tunnels keep failing

nc8q
Wireguard tunnels keep failing
Edit 20240322 noonish
ISP technician repaired my modem.
My 2 former Wireguard clients now have blue clouds.
So, no issue with Wireguard/AREDNI set up.
Thanks to all for the offered assistance.

73, Chuck

2 regular-node to regular-node tunnel clients.
I get the 'blue cloud' then later the tunnels fail.
Is anyone else experiencing this?

73, Chuck


 
K6CCC
Absolutely rock solid.  I have four where my hAPac3 is the server end and one where my hAPac3 is the client end.
 
w6bi
Wireguard tunnels
Chuck, our county tunnel server has 22 active Wireguard tunnels, and is very stable.   It's running on an ac2, if that makes any difference.

Orv W6BI
 
KC1IZC
Is this a possible reason, KeepAlives needed?


NAT and Firewall Traversal Persistence


FYI, This is from the wireguard forum.   I've had such issues in the past with Sonicwall firewalls & VPN tunnels dropping when they get too quiet.  I haven't yet tested the nightly builds as I'm looking to get a couple more nodes for the lab.  

[By default, WireGuard tries to be as silent as possible when not being used; it is not a chatty protocol. For the most part, it only transmits data when a peer wishes to send packets. When it's not being asked to send packets, it stops sending packets until it is asked again. In the majority of configurations, this works well. However, when a peer is behind NAT or a firewall, it might wish to be able to receive incoming packets even when it is not sending any packets. Because NAT and stateful firewalls keep track of "connections", if a peer behind NAT or a firewall wishes to receive incoming packets, he must keep the NAT/firewall mapping valid, by periodically sending keepalive packets. This is called persistent keepalives. When this option is enabled, a keepalive packet is sent to the server endpoint once every interval seconds. A sensible interval that works with a wide variety of firewalls is 25 seconds. Setting it to 0 turns the feature off, which is the default, since most users will not need this, and it makes WireGuard slightly more chatty. This feature may be specified by adding the PersistentKeepalive = field to a peer in the configuration file, or setting persistent-keepalive at the command line. If you don't need this feature, don't enable it. But if you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent, this option will keep the "connection" open in the eyes of NAT.]
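
As an added example (not part of the original post or of the WireGuard text quoted above), this shell function reads the output of `wg show <interface> dump` and flags peers whose last handshake is old while persistent keepalive is off, which is the pattern the quoted text describes. The 180-second staleness threshold, the function names and the sample peers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage for tunnels that come up and later go quiet.
# Input: text of `wg show <interface> dump` (tab-separated).
#   line 1 (interface): private-key public-key listen-port fwmark
#   peer lines (8 fields): public-key preshared-key endpoint allowed-ips
#                          latest-handshake rx-bytes tx-bytes persistent-keepalive
# latest-handshake is a Unix time (0 = never); persistent-keepalive is "off" or seconds.

STALE_AFTER=180   # assumption: no handshake for 3 minutes counts as a quiet peer

# check_keepalive NOW  (dump text on stdin, NOW = current Unix time)
check_keepalive() {
    awk -F '\t' -v now="$1" -v stale="$STALE_AFTER" '
        NF != 8 { next }                      # skip the interface line
        {
            peer  = substr($1, 1, 8)          # short key prefix for display
            age   = ($5 == 0) ? "never" : (now - $5) "s ago"
            quiet = ($5 == 0 || now - $5 > stale)
            if (!quiet)
                verdict = "OK"
            else if ($8 == "off")
                verdict = "STALE: keepalive off, try PersistentKeepalive = 25"
            else
                verdict = "STALE: keepalive already on, check endpoint/path"
            printf "%s keepalive=%s handshake=%s %s\n", peer, $8, age, verdict
        }'
}

# Constructed sample dump: placeholder keys, documentation-range addresses.
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER\tPUBKEY_PLACEHOLDER\t5525\toff\n'
    printf 'PEERAAAAconstructed=\t(none)\t203.0.113.10:5526\t172.31.0.2/32\t1711100000\t1024\t2048\toff\n'
    printf 'PEERBBBBconstructed=\t(none)\t203.0.113.20:5526\t172.31.0.3/32\t1711100550\t4096\t8192\t25\n'
    printf 'PEERCCCCconstructed=\t(none)\t198.51.100.7:5526\t172.31.0.4/32\t0\t0\t148\t25\n'
}

# Demo with a fixed "now" so the ages are reproducible.
# On a live system: wg show <interface> dump | check_keepalive "$(date +%s)"
sample_dump | check_keepalive 1711100600
```

A peer reported as stale with keepalive already on points away from NAT timeouts and toward the endpoint address, port forwarding or the upstream link.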

w6bi
Keepalive
Great info, Mike - thanks!

Orv W6BI
 
nc8q
AT&T technician scheduled to repair internet access modem errors
Likely not a Wireguard issue.
Sorry.
Thanks folks for this place to ask for assistance.
3s, Chuck

 
k9bdh
help on wire guard
I have updated my nodes so I can use wire guard and I am struggling on where/how to put in the client credentials on node "2" to be able to connect to node "1" that is set up as the wire guard server etc.   Any help would be great.  I must not be seeing something and having a mental block. 
K6CCC
Very little different than a legacy tunnel as far as the client end.  The password will be massively longer, and the network IP will include the port - for example: 172.31.147.102:5526
 
