Wednesday, 24 July 2019

Troubleshooting Wireguard VPN on Windows 10, Android and Linux

I have had my share of pain over the complexity / slowness / incompatibilities / vulnerabilities of using Cisco,
To me it seems the primary problems with WireGuard are threefold:
  1. Not enough experience in the community (blog posts, walk-throughs, how-tos etc.) to set up all kinds of arrangements besides the usual site-to-site and cloud VPN jump-host.
  2. Clients offer less than adequate error messages that could help with debugging / troubleshooting.
  3. Clients across platforms are not consistent.
I am writing this for two reasons:
  • helping fellow users with similar situations
  • and to give feedback to the developers (I will try to figure out where to submit reports and which of the issues are known already).
Things to fix / disambiguate / document in the various WireGuard components:
  1. The Android client does not have the nice log viewer that is part of the Windows client, and that viewer helped me to see what is (not) happening.
  2. The log you can export from the Android client is full of UI-related Java messages, unlike the clean log of the Windows client; it really makes it very hard to comprehend what is going on.
  3. The Android client just disappears after a while (even with PersistentKeepalive set to 25), so suddenly the VPN protection disappears without any notification. This did not happen with the OpenVPN Android client, so probably one just has to tell Android not to evict / suspend the VPN software somehow.
  4. The error message "bad address" (Android client, creating a configuration from scratch) is misleading or not informative enough: I got it for example for 192.168.1.1/24 (should be /32 or 192.168.1.0/24). The client could correct it automatically or at least be more informative, telling you what is wrong.
  5. It is hard to figure out where WireGuard is logging on Linux with systemd.
    Is it logging at all?
    - Could not find any trace of the failed connection attempts, so it was really hard to tell if my DNS, my port forwarding or my WireGuard config was wrong (it was the latter).
    - Could not find messages about 192.168.1.2/24 becoming inaccessible (overridden) when a 192.168.1.3/24 peer follows it, so I have to use /32 peers even though the server interface communicates with both clients on a 192.168.1.1/24 address.
    - The systemd startup log did not have any relevant messages either.
What my mistakes and symptoms were:
  1. Accidentally mixed up a private and a public key. WireGuard just silently fails; it does not tell you that there was a connection attempt but the key was wrong. It could have been any network-related inaccessibility as well...
  2. Did not know how to configure the peer addresses as /32 each so that they don't interfere but both can communicate with the /24 server interface.
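WireGuard answers nothing to a handshake from a key it does not know, and on Linux the kernel module logs nothing unless dynamic debug is switched on for it (as root: `echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control`, then read `dmesg`); `wg show` prints a `latest handshake` line for a peer only once a handshake has succeeded. Everything else has to be caught in the configuration before the tunnel comes up. The Python script below is an added example, not code from the original post or from the WireGuard project: it lints a wg-quick style configuration for the mistakes listed above, namely malformed keys, a peer PublicKey that carries the clamping bits of an X25519 private key (the private/public mix-up; a heuristic, since roughly one genuine public key in sixteen matches the pattern), an AllowedIPs entry such as 192.168.1.1/24 with host bits set past the prefix (the Android client's "bad address"), and one AllowedIPs prefix claimed by two peers, which WireGuard resolves by keeping only the peer configured last, so the earlier peer silently loses its route. The embedded server configuration is constructed: the addresses follow the post, and the key values are synthetic byte patterns produced by `make_sample_key`, not real keys.

```python
"""Lint a wg-quick style config for the silent mistakes discussed above.
Added example, not part of the original post or of the WireGuard project: it flags
malformed keys, a [Peer] PublicKey bearing X25519 private-key clamping bits (a likely
private/public mix-up), AllowedIPs with host bits set past the prefix (the Android
client's "bad address"), and a prefix claimed by two peers (WireGuard keeps the last)."""
import base64
import ipaddress


def parse_wg_config(text):
    """Return (interface_dict, [peer_dict, ...]); repeated keys are joined with commas."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in wg configs
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))   # keys end in '=' padding
            current[key] = value if key not in current else current[key] + "," + value
    return interface, peers


def key_problem(b64):
    """None if b64 decodes to exactly 32 bytes, else a short description."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "is not valid base64"
    return None if len(raw) == 32 else "decodes to %d bytes, expected 32" % len(raw)


def looks_like_private_key(b64):
    """Heuristic: `wg genkey` clamps private keys (low 3 bits of byte 0 clear, byte 31 with
    bit 6 set and bit 7 clear). A genuine public key matches about 1 time in 16: a warning."""
    raw = base64.b64decode(b64)
    return raw[0] & 0x07 == 0 and raw[31] & 0xC0 == 0x40


def allowed_ip_networks(peer):
    """Yield (entry, network_or_None, host_bits_set) for each AllowedIPs entry."""
    for entry in filter(None, (s.strip() for s in peer.get("AllowedIPs", "").split(","))):
        try:
            net, host_bits = ipaddress.ip_network(entry, strict=True), False
        except ValueError:
            try:   # 192.168.1.2/24 only parses non-strictly, as 192.168.1.0/24
                net, host_bits = ipaddress.ip_network(entry, strict=False), True
            except ValueError:
                net, host_bits = None, False
        yield entry, net, host_bits


def lint(text):
    """Return a list of findings (strings); an empty list means the config passed."""
    interface, peers = parse_wg_config(text)
    findings, owner = [], {}   # owner: exact AllowedIPs prefix -> peer number holding it
    for n, peer in enumerate(peers, 1):
        pub = peer.get("PublicKey", "")
        problem = key_problem(pub)
        if problem:
            findings.append("Peer %d PublicKey %s" % (n, problem))
        elif looks_like_private_key(pub):
            findings.append("Peer %d PublicKey has private-key clamping bits: probably a "
                            "private key pasted where the public key belongs" % n)
        for entry, net, host_bits in allowed_ip_networks(peer):
            if net is None:
                findings.append("Peer %d AllowedIPs %s is not a valid address" % (n, entry))
                continue
            if host_bits:
                findings.append("Peer %d AllowedIPs %s has host bits set: use %s/%d for one "
                                "host or %s for the whole subnet"
                                % (n, entry, entry.split("/")[0], net.max_prefixlen, net))
            if net in owner:
                findings.append("Peer %d AllowedIPs %s takes over the prefix from peer %d, "
                                "which silently loses it; give each peer its own /%d"
                                % (n, net, owner[net], net.max_prefixlen))
            owner[net] = n
    return findings


def make_sample_key(first, last):
    """Synthetic 32-byte key for the constructed samples below (not a real key)."""
    return base64.b64encode(bytes([first]) + bytes(30) + bytes([last])).decode()


# Constructed server config for two clients; addresses and keys are hypothetical.
SERVER_TEMPLATE = ("[Interface]\nAddress = 192.168.1.1/24\nListenPort = 51820\nPrivateKey = %s\n\n"
                   "[Peer]\n# phone\nPublicKey = %s\nAllowedIPs = 192.168.1.2/%d\n\n"
                   "[Peer]\n# laptop\nPublicKey = %s\nAllowedIPs = 192.168.1.3/%d\n")
# As in the post: /24 peers that collide, and a private key pasted as the laptop's PublicKey.
BROKEN_SERVER_CONFIG = SERVER_TEMPLATE % (
    make_sample_key(0x08, 0x40), make_sample_key(0x01, 0x3F), 24, make_sample_key(0x10, 0x40), 24)
# Corrected: one /32 per peer and a non-clamped key; the interface keeps its /24.
FIXED_SERVER_CONFIG = SERVER_TEMPLATE % (
    make_sample_key(0x08, 0x40), make_sample_key(0x01, 0x3F), 32, make_sample_key(0x02, 0x3E), 32)
```

Run it against a real file with `lint(open("/etc/wireguard/wg0.conf").read())`; on `BROKEN_SERVER_CONFIG` it reports the two host-bit entries, the clamped key on the laptop peer, and the /24 takeover by peer 2. The corrected shape is the one in `FIXED_SERVER_CONFIG`: the interface keeps `Address = 192.168.1.1/24` while each peer's AllowedIPs is its own /32, so both clients remain reachable through the same /24 on the server side and neither steals the other's route.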
