Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - relvy

Pages1
#1
Virtual private networks / Re: Wireguard: handshake response has src and dst reverse
December 15, 2025, 05:28:13 PM
It turned out to be a configuration error in the firewall.
I had a pass in rule on the WAN interface with a gateway set. This caused the packet to be rerouted to the gateway *before* it went into the wg interface.
The solution was to remove the gateway.

The route-to case is described here which also warns about the above:
https://docs.opnsense.org/manual/how-tos/multiwan.html#step-4-policy-based-routing

The snippet from dmesg made me think this is a kernel issue, in particular the error code 47:

> wg1: Handshake for peer 1 did not complete after 5 seconds, retrying (retry 15)
> wg1: Sending handshake initiation to peer 1
> wg1: Unable to send packet: 47

#define    EAFNOSUPPORT    47        /* Address family not supported by protocol family */
#2
Virtual private networks / Re: Wireguard: handshake response has src and dst reverse
October 31, 2025, 01:12:02 PM
> Enable debugging on wg1 gives me:
>
> wg1: Handshake for peer 1 did not complete after 5 seconds, retrying (retry 15)
> wg1: Sending handshake initiation to peer 1
> wg1: Unable to send packet: 47
>
> What does 47 mean?

I just looked into the FreeBSD wg(4) driver source code:
https://cgit.freebsd.org/src/tree/sys/dev/wg/if_wg.c?h=stable/14&id=684dd4e8c0085f4e64016a44d4cd699b2fc29681   line 1014 prints "Unable to send packet: "
https://cgit.freebsd.org/src/tree/sys/sys/errno.h?h=stable/14  in line 110  I found this:

#define    EAFNOSUPPORT    47        /* Address family not supported by protocol family */

47 means it cannot handle the address family.
This is weired to me because I use IPv4 only. IPv6 is disabled.
#3
Virtual private networks / [SOLVED] Wireguard: handshake response has src and dst reverse
October 31, 2025, 12:30:10 PM
Hello,

I am on OpnSense 25.7.6.
I got Wireguard working. Then I added CARP interfaces on LAN and WAN side. Then handshake does not complete.

I see this in the pflog0 traffic on VPN initiation:

tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length 256 bytes
 00:00:00.000000 rule 191/0(match): pass in on igc0: (tos 0x0, ttl 56, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148
 00:00:00.000028 rule 137/0(match): pass out on igc0: (tos 0x0, ttl 55, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148

a.b.c.d is the public IP address of my peer. 192.168.178.2 is my CARP interface on the WAN side.
The pass in is the handshake initiation from the peer.
The pass out is the response thereof. Notice, the src and dst are reversed. That's why handshake does not complete (if it started at all).

I need help in diving deep and undoing src and dst reversal.

Snippet from netstat -rnfinet
10.251.0.0/16      link#23            U               wg1
10.251.0.1         link#7             UHS             lo0
10.251.0.2         link#23            UHS             wg1
10.251.0.3         link#23            UHS             wg1

Enable debugging on wg1 gives me:

wg1: Handshake for peer 1 did not complete after 5 seconds, retrying (retry 15)
wg1: Sending handshake initiation to peer 1
wg1: Unable to send packet: 47

What does 47 mean?
Pages1