Hi folks, if I turn on debugging for wg0, then I get a lot of lines in /var/log/messages like
Oct 20 10:23:50 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 11)
Oct 20 10:23:51 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:23:55 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 12)
Oct 20 10:23:55 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:00 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 13)
Oct 20 10:24:05 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 14)
Oct 20 10:24:05 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:06 wggate /bsd: wg0: Receiving handshake initiation from peer 8
Oct 20 10:24:06 wggate /bsd: wg0: Sending handshake response to peer 8
Oct 20 10:24:06 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:24:06 wggate /bsd: wg0: Sending keepalive packet to peer 8
Oct 20 10:24:10 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 15)
Oct 20 10:24:10 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:16 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 16)
Oct 20 10:24:16 wggate /bsd: wg0: Sending keepalive packet to peer 8
Oct 20 10:24:18 wggate /bsd: wg0: Receiving handshake initiation from peer 1
Oct 20 10:24:18 wggate /bsd: wg0: Sending handshake response to peer 1
Oct 20 10:24:21 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 17)
Oct 20 10:24:21 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:22 wggate /bsd: wg0: Receiving handshake initiation from peer 1
Oct 20 10:24:22 wggate /bsd: wg0: Sending handshake response to peer 1
Oct 20 10:24:22 wggate /bsd: wg0: Receiving keepalive packet from peer 1
Oct 20 10:24:22 wggate /bsd: wg0: Sending keepalive packet to peer 1
Oct 20 10:24:26 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 18)
Oct 20 10:24:26 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:31 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 19)
Oct 20 10:24:31 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:36 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 20)
Oct 20 10:24:36 wggate /bsd: wg0: Sending handshake initiation to
Oct 20 10:24:41 wggate /bsd: wg0: Receiving keepalive packet from peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Receiving handshake initiation from peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Sending handshake response to peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Receiving keepalive packet from peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Sending keepalive packet to peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Sending keepalive packet to peer 8
Oct 20 10:24:58 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:24:59 wggate /bsd: wg0: Receiving keepalive packet from peer 1
Oct 20 10:25:12 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:25:22 wggate /bsd: wg0: Receiving handshake initiation from peer 14
Oct 20 10:25:22 wggate /bsd: wg0: Sending handshake response to peer 14
Oct 20 10:25:22 wggate /bsd: wg0: Receiving keepalive packet from peer 14
Oct 20 10:25:22 wggate /bsd: wg0: Sending keepalive packet to peer 14
Oct 20 10:25:37 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:25:54 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:25:57 wggate /bsd: wg0: Receiving keepalive packet from peer 1

Sorry to say, but this is pretty much useless, esp. on a wireguard VPN gateway. wireguard itself appears to be rock-solid. If there is something to debug, then it's either the key pair or the network connection to the road-warrior, but without the remote IP address/port number this is really challenging.
Would it be possible to replace

Oct 20 10:24:59 wggate /bsd: wg0: Receiving keepalive packet from peer 1

by

Oct 20 10:24:59 wggate /bsd: wg0: [<ip>:<port>] Receiving keepalive packet from peer 1

in the DPRINTF macro (if_wg.c)? My favorite would be some extended monitoring for wireguard, showing a short hash of the peer's public key next to the IP address/port number, with some information like "connection established", "disconnected", "no keepalive", "reconnecting from a different IP", etc. Something that could help to support and monitor a VPN gateway for (let's say) >100 road-warriors.

Thank you very much in advance

Harri
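The per-peer monitoring asked for above, as far as the existing debug lines allow (they carry no endpoint address, so that part cannot be recovered from the log): an added example, not part of Harri's post or of OpenBSD's wg(4). It collapses the /var/log/messages lines quoted above into "reconnecting" and "connection established" events and flags peers from which no keepalive has arrived for a while; the 60-second threshold and the choice of "Sending handshake response" as the established marker are assumptions.

```python
import re
from datetime import datetime

# Regexes for the wg(4) DPRINTF lines as they appear in /var/log/messages.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /bsd: wg\d+: (?P<msg>.*)$")
RETRY_RE = re.compile(r"Handshake for peer (\d+) did not complete .*\(try (\d+)\)")
RESP_RE = re.compile(r"Sending handshake response to peer (\d+)")
KEEPALIVE_RE = re.compile(r"Receiving keepalive packet from peer (\d+)")

def summarize(lines, quiet_after=60):
    """Return (events, stale): one event per peer state change, plus the peers
    not heard from for more than quiet_after seconds at the end of the log.
    syslog timestamps carry no year (strptime defaults to 1900); only
    differences within one capture are used, so that is harmless here."""
    events, retrying, last_seen, now = [], set(), {}, None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        now, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]
        if r := RETRY_RE.search(msg):
            peer = int(r[1])
            if peer not in retrying:          # report the first retry only
                retrying.add(peer)
                events.append((m["ts"], peer, f"reconnecting (try {r[2]})"))
        elif r := RESP_RE.search(msg):
            # The gateway answered an initiation: treat the session as up again.
            peer = int(r[1])
            retrying.discard(peer)
            last_seen[peer] = now
            events.append((m["ts"], peer, "connection established"))
        elif r := KEEPALIVE_RE.search(msg):
            last_seen[int(r[1])] = now
    stale = {p: int((now - s).total_seconds()) for p, s in last_seen.items()
             if (now - s).total_seconds() > quiet_after}
    return events, stale

# Excerpt of the debug output quoted in the post above.
SAMPLE = """\
Oct 20 10:23:50 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 11)
Oct 20 10:23:51 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:23:55 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 12)
Oct 20 10:24:06 wggate /bsd: wg0: Sending handshake response to peer 8
Oct 20 10:24:18 wggate /bsd: wg0: Sending handshake response to peer 1
Oct 20 10:24:41 wggate /bsd: wg0: Sending handshake response to peer 5
Oct 20 10:25:22 wggate /bsd: wg0: Sending handshake response to peer 14
Oct 20 10:25:54 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:25:57 wggate /bsd: wg0: Receiving keepalive packet from peer 1
""".splitlines()
```

Running `summarize(SAMPLE)` on the excerpt reports peer 5 reconnecting at 10:23:50, the four sessions coming up, and peer 5 as the only peer with no keepalive in the last 60 seconds of the capture.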