Wireguard: handshake response has src and dst reverse

Started by relvy, October 31, 2025, 12:30:10 PM

Hello,

I am on OpnSense 25.7.6.
I got Wireguard working. Then I added CARP interfaces on LAN and WAN side. Then handshake does not complete.

I see this in the pflog0 traffic on VPN initiation:

tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length 256 bytes
 00:00:00.000000 rule 191/0(match): pass in on igc0: (tos 0x0, ttl 56, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148
 00:00:00.000028 rule 137/0(match): pass out on igc0: (tos 0x0, ttl 55, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148

a.b.c.d is the public IP address of my peer. 192.168.178.2 is my CARP interface on the WAN side.
The pass in is the handshake initiation from the peer.
The pass out is the response thereof. Notice that the src and dst are reversed. That's why the handshake does not complete (if it started at all).

I need help diving deep into this and undoing the src and dst reversal.

Snippet from netstat -rnfinet
10.251.0.0/16      link#23            U               wg1
10.251.0.1         link#7             UHS             lo0
10.251.0.2         link#23            UHS             wg1
10.251.0.3         link#23            UHS             wg1

Enabling debugging on wg1 gives me:

wg1: Handshake for peer 1 did not complete after 5 seconds, retrying (retry 15)
wg1: Sending handshake initiation to peer 1
wg1: Unable to send packet: 47

What does 47 mean?
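As an added example (not part of the post above), the following Python script parses tcpdump pflog lines in the format quoted above, pairs each `pass out` UDP packet with the most recent `pass in` packet on the same interface that was addressed to the WireGuard port, and reports any outbound packet that repeats the inbound src/dst instead of swapping them. It goes one step beyond the post by also comparing the IP `id` and `ttl` fields of the pair: a locally generated reply is a new datagram with its own id and a fresh TTL, whereas an unchanged id with the TTL decremented by one is what the same datagram looks like when it is forwarded back out. The sample log is constructed from the two lines in the post (with `a.b.c.d` kept as the placeholder peer address) plus a constructed well-formed exchange on a second interface, `igc1`, with peer `e.f.g.h`, for contrast.

```python
"""Detect WireGuard handshake 'replies' whose src/dst were not swapped.

Added diagnostic example, not code from the forum post or from OPNsense.
The SAMPLE_LOG below is constructed: the igc0 lines mirror the post,
the igc1 lines are an invented well-formed exchange used for contrast.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length 256 bytes
 00:00:00.000000 rule 191/0(match): pass in on igc0: (tos 0x0, ttl 56, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148
 00:00:00.000028 rule 137/0(match): pass out on igc0: (tos 0x0, ttl 55, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148
 00:00:01.000000 rule 191/0(match): pass in on igc1: (tos 0x0, ttl 56, id 1234, offset 0, flags [DF], proto UDP (17), length 176)
    e.f.g.h.41000 > 192.168.178.2.51820: UDP, length 148
 00:00:01.000100 rule 137/0(match): pass out on igc1: (tos 0x0, ttl 64, id 5678, offset 0, flags [DF], proto UDP (17), length 120)
    192.168.178.2.51820 > e.f.g.h.41000: UDP, length 92
"""

# tcpdump header line: rule, action, direction, interface, and IP header fields
HEADER_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): \(tos \S+, ttl (?P<ttl>\d+), id (?P<id>\d+),"
)
# continuation line: "src.sport > dst.dport: UDP, length N" (tcpdump joins host and port with a dot)
PACKET_RE = re.compile(
    r"^\s*(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


@dataclass
class Packet:
    direction: str
    iface: str
    ttl: int
    ip_id: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_pflog(text: str) -> List[Packet]:
    """Pair every tcpdump header line with the UDP line that follows it."""
    packets: List[Packet] = []
    header: Optional[re.Match] = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = m
            continue
        p = PACKET_RE.match(line)
        if p and header is not None:
            packets.append(Packet(
                direction=header["dir"], iface=header["iface"],
                ttl=int(header["ttl"]), ip_id=int(header["id"]),
                src=p["src"], sport=int(p["sport"]),
                dst=p["dst"], dport=int(p["dport"]), length=int(p["len"]),
            ))
            header = None
    return packets


def check_handshake_replies(packets: List[Packet], wg_port: int = 51820) -> List[str]:
    """Return one finding per outbound packet that does not look like a reply."""
    findings: List[str] = []
    last_in: Dict[str, Packet] = {}  # iface -> most recent inbound packet to the wg port
    for pkt in packets:
        if pkt.direction == "in" and pkt.dport == wg_port:
            last_in[pkt.iface] = pkt
            continue
        if pkt.direction != "out":
            continue
        prev = last_in.get(pkt.iface)
        if prev is None:
            continue
        if pkt.src == prev.dst and pkt.dst == prev.src:
            continue  # addresses swapped: a normal reply
        if pkt.src == prev.src and pkt.dst == prev.dst:
            msg = (f"{pkt.iface}: outbound {pkt.src}:{pkt.sport} > {pkt.dst}:{pkt.dport} "
                   f"repeats the inbound src/dst instead of swapping them")
            # Same IP id and TTL one lower: the same datagram forwarded, not a new reply
            if pkt.ip_id == prev.ip_id and pkt.ttl == prev.ttl - 1:
                msg += (f"; same IP id {pkt.ip_id} with TTL {prev.ttl}->{pkt.ttl}, "
                        "i.e. the same datagram forwarded back out, not a locally generated reply")
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in check_handshake_replies(parse_pflog(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the igc1 exchange produces no finding, while the igc0 pair is reported both for the unswapped addresses and for the matching id/TTL pattern. To use it on your own box, replace `SAMPLE_LOG` with the output of `tcpdump -nvvv -i pflog0` (or a saved copy of it) and adjust `wg_port` if your WireGuard instance does not listen on 51820.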

> Enabling debugging on wg1 gives me:
>
> wg1: Handshake for peer 1 did not complete after 5 seconds, retrying (retry 15)
> wg1: Sending handshake initiation to peer 1
> wg1: Unable to send packet: 47
>
> What does 47 mean?

I just looked into the FreeBSD wg(4) driver source code:
https://cgit.freebsd.org/src/tree/sys/dev/wg/if_wg.c?h=stable/14&id=684dd4e8c0085f4e64016a44d4cd699b2fc29681 (line 1014 prints "Unable to send packet: ")
https://cgit.freebsd.org/src/tree/sys/sys/errno.h?h=stable/14 (at line 110 I found this):

#define    EAFNOSUPPORT    47        /* Address family not supported by protocol family */

47 means it cannot handle the address family.
This is weird to me because I use IPv4 only. IPv6 is disabled.