Firmware 4.2.3 / Wireguard Handshake...?

I just updated two routers to the latest 4.2.3 firmware, one of which is the AX1800 Flint.

On both routers I lost the ability to view the Wireguard key rotation schedule in the Kernel logs…

Are these still happening, and why are they hidden if they are?

Regards,

Me

That was removed because it would fill the log.
You can uncomment the following line by editing the /etc/hotplug.d/wireguard/ifup.sh file:

# logger -t wireguard-debug `env`

Thank you hansome.

I will edit the file and make the mod. Thanks again!

Just a follow-up. Obviously I can’t see the key rotation from Wireguard happening anymore, key rotation which happens every two minutes since I did not modify the defaults. What would happen if the router stopped rotating the keys every two minutes? Would the Wireguard server allow such a thing to happen, or would my connection drop?

After a handshake is completed, with a message from initiator to responder and then responder back to initiator, the initiator may then send encrypted session packets, but the responder cannot. The responder must wait to use the new session until it has received one encrypted session packet from the initiator, in order to provide key confirmation. Thus, until the responder receives that first packet using the newly established session, it must either queue up packets to be sent later, or use the previous session, if one exists and is valid. Therefore, after the initiator receives the response from the responder, if it has no data packets immediately queued up to send, it should send an empty packet, so as to provide this confirmation.

Source:

Ok, thank you for the reply. Can you confirm the key rotation on Wireguard on GL.iNet routers happens every two minutes or so? The way I understand this is, if either the initiator or responder fails to re-establish a new handshake after two minutes, basically no encrypted data can be exchanged by either the initiator or responder, which would be evident by a loss of internet connection on one’s device. Is this correct?

Thank you.

“Or so” is correct. It’s a stateless protocol so it’ll just pick up the new keys in the next exchange of packets. It’s a bit of ‘best practice’ to include a KeepAlive directive in the settings of 25 seconds for just this sort of thing on both endpoints… & WG is handled at the kernel level. You’re fine.

root@flint:~# lsmod | grep wireguard
ip6_udp_tunnel          1834  1 wireguard
udp_tunnel              2070  1 wireguard
wireguard             137652  0
root@flint:~# wg show
interface: wgserver
  public key: [redacted]
  private key: (hidden)
  listening port: 51820
  fwmark: 0x80000

peer: [redacted]=
  preshared key: (hidden)
  endpoint: 192.168.21.173:39331
  allowed ips: 10.0.0.2/32, 192.168.25.0/24
  latest handshake: 8 seconds ago
  transfer: 1.36 GiB received, 8.46 GiB sent
  persistent keepalive: every 25 seconds

firmware 4.4.6-release1


If rotating the keys stops, it’s seen as offline and will trigger a hotplug event to reconnect.
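The thread asks what a router "stopped rotating keys" looks like and how you would notice. As an added example (not GL.iNet's code, and not part of the hotplug scripts discussed above), here is a small POSIX sh check that reads the human-readable `wg show` output shown earlier and flags any peer whose latest handshake is older than WireGuard's 180-second session reject limit (REJECT_AFTER_TIME; the rekey attempt itself starts at 120 s, the "every two minutes" in the question). The sample `wg show` text and the PEER_*_PLACEHOLDER keys are constructed for the example.

```shell
# Constructed sample shaped like the `wg show` output in this thread (not from a real router).
SAMPLE_WG_SHOW='interface: wgserver
  listening port: 51820

peer: PEER_A_PLACEHOLDER=
  endpoint: 192.168.21.173:39331
  latest handshake: 8 seconds ago
  persistent keepalive: every 25 seconds

peer: PEER_B_PLACEHOLDER=
  endpoint: 192.168.21.174:39332
  latest handshake: 4 minutes, 12 seconds ago
  persistent keepalive: every 25 seconds
'
# WireGuard rejects a session 180 s after its handshake (REJECT_AFTER_TIME), so a peer
# whose latest handshake is older than that is effectively offline until a new one completes.
REJECT_AFTER_TIME=180

# Convert "N days, N hours, N minutes, N seconds ago" into plain seconds.
handshake_age_seconds() {
    total=0
    set -- $(printf '%s' "$1" | sed 's/,//g; s/ ago$//')   # e.g. "4 minutes 12 seconds"
    while [ $# -ge 2 ]; do
        case "$2" in
            day*)    total=$((total + $1 * 86400)) ;;
            hour*)   total=$((total + $1 * 3600)) ;;
            minute*) total=$((total + $1 * 60)) ;;
            second*) total=$((total + $1)) ;;
        esac
        shift 2
    done
    echo "$total"
}

# Read `wg show`-style text on stdin; print "<peer> <age>" for each peer whose
# last handshake is older than REJECT_AFTER_TIME seconds.
stale_peers() {
    peer=""
    while IFS= read -r line; do
        case "$line" in
            peer:*) peer=${line#peer: } ;;
            *"latest handshake:"*)
                age=$(handshake_age_seconds "${line#*latest handshake: }")
                if [ "$age" -gt "$REJECT_AFTER_TIME" ]; then echo "$peer $age"; fi ;;
        esac
    done
}

# Stand-alone run on the sample; on the router pipe the live output instead: wg show | stale_peers
printf '%s' "$SAMPLE_WG_SHOW" | stale_peers
```

Run from cron or a hotplug hook, a non-empty result is the condition the last reply describes: the peer is considered offline and a reconnect is warranted.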