
WireGuard on iPhone does not transition between wifi and LTE #1385

Closed
moshesiegel opened this issue Apr 3, 2019 · 33 comments · Fixed by #1440

Comments

@moshesiegel

commented Apr 3, 2019

Describe the bug
When moving from Wi-Fi to LTE, either by disabling Wi-Fi on the iPhone (XS, iOS 12.2) or by moving out of Wi-Fi range, the VPN tunnel shows connected but will not pass any traffic. The same is true when moving from LTE to Wi-Fi: no traffic is passed, such as DNS or even reaching 1.1.1.1.

To Reproduce

Steps to reproduce the behavior:

  1. Be on Wi-Fi
  2. Turn off Wi-Fi
  3. No traffic is passed

Expected behavior

WireGuard should support the network transition and maintain, or at the very least quickly re-establish (as with IPsec), the VPN connection and allow traffic to pass.

Additional context

If I connect to the VPN, and power down my Lightsail VPN host, WireGuard will still show a connected VPN which is impossible if the Algo host is off.

Transitions are working fine on IPsec.

Full log

Mac:algo-master$ ./algo

PLAY [Ask user for the input] ****************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************
ok: [localhost]
[pause]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Vultr
    5. Microsoft Azure
    6. Google Compute Engine
    7. Scaleway
    8. OpenStack (DreamCompute optimised)
    9. Install to existing Ubuntu 18.04 server (Advanced)
  
Enter the number of your desired provider
:
2

TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **********************************************************************************************************************************************
ok: [localhost]
[pause]
Name the vpn server
[algo]
:
arkadia

TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:
y

TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:
y

TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]
[pause]
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:


TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:
n

TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:
n

TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want to install an ad blocking DNS resolver on this VPN server?
[y/N]
:
y

TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:


TASK [pause] *********************************************************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **********************************************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ******************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Mac OS X 10.14.4
ZIP file created: Mar 25 00:55:38 2019
Python 2.7.10
Runtime variables:
    algo_provider "lightsail"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_local_dns "True"
    algo_ssh_tunneling "False"
    algo_windows "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ****************************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] **************************************************************************************************************************************************
ok: [localhost -> localhost]

TASK [Generate the SSH private key] **********************************************************************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] ***********************************************************************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Install requirements] ************************************************************************************************************************************
changed: [localhost]
[cloud-lightsail : pause]
Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md)
 (output is hidden):

TASK [cloud-lightsail : pause] ***************************************************************************************************************************************************
ok: [localhost]
[cloud-lightsail : pause]
Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 (output is hidden):

TASK [cloud-lightsail : pause] ***************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : set_fact] ************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Get regions] *********************************************************************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Set facts about the regions] *****************************************************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Set the default region] **********************************************************************************************************************************
ok: [localhost]
[cloud-lightsail : pause]
What region should the server be located in?
(https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/)
    1.  ap-northeast-1       Tokyo
    2.  ap-northeast-2       Seoul
    3.  ap-south-1           Mumbai
    4.  ap-southeast-1       Singapore
    5.  ap-southeast-2       Sydney
    6.  ca-central-1         Montreal
    7.  eu-central-1         Frankfurt
    8.  eu-west-1            Ireland
    9.  eu-west-2            London
    10. eu-west-3            Paris
    11. us-east-1            Virginia
    12. us-east-2            Ohio
    13. us-west-2            Oregon
  
Enter the number of your desired region
[11]
:
11

TASK [cloud-lightsail : pause] ***************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : set_fact] ************************************************************************************************************************************************
ok: [localhost]

TASK [cloud-lightsail : Create an instance] **************************************************************************************************************************************
changed: [localhost]

TASK [cloud-lightsail : set_fact] ************************************************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as afact] ***********************************************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] **************************************************************************************************************************************
changed: [localhost]

TASK [Additional variables for the server] ***************************************************************************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *******************************************************************************************************************************************
ok: [localhost]

TASK [debug] *********************************************************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "REDACTED"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
Press 'C' to continue the play or 'A' to abort 

TASK [A short pause, in order to be sure the instance is ready] ******************************************************************************************************************
ok: [localhost]

PLAY [Configure the server and install required software] ************************************************************************************************************************

TASK [common : Check the system] *************************************************************************************************************************************************
changed: [REDACTED]

TASK [common : include_tasks] ****************************************************************************************************************************************************
included: /Applications/algo-master/roles/common/tasks/ubuntu.yml for REDACTED

TASK [common : Gather facts] *****************************************************************************************************************************************************
ok: [REDACTED]

TASK [common : Install software updates] *****************************************************************************************************************************************
changed: [REDACTED]

TASK [common : Check if reboot is required] **************************************************************************************************************************************
changed: [REDACTED]

TASK [common : Reboot] ***********************************************************************************************************************************************************
changed: [REDACTED]

TASK [common : Wait until SSH becomes ready...] **********************************************************************************************************************************
ok: [REDACTED -> localhost]

TASK [common : Install unattended-upgrades] **************************************************************************************************************************************
ok: [REDACTED]

TASK [common : Configure unattended-upgrades] ************************************************************************************************************************************
changed: [REDACTED]

TASK [common : Periodic upgrades configured] *************************************************************************************************************************************
changed: [REDACTED]

TASK [common : Unattended reboots configured] ************************************************************************************************************************************
changed: [REDACTED]
changed: [REDACTED] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [REDACTED] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] ***********************************************************************************************************************************

TASK [common : Loopback for services configured] *********************************************************************************************************************************
changed: [REDACTED]
ok: [REDACTED] => (item=systemd-networkd)
ok: [REDACTED] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] *****************************************************************************************************************************

RUNNING HANDLER [common : restart systemd-networkd] ******************************************************************************************************************************
changed: [REDACTED]

TASK [common : Check apparmor support] *******************************************************************************************************************************************
changed: [REDACTED]

TASK [common : set_fact] *********************************************************************************************************************************************************
ok: [REDACTED]

TASK [common : Generate password for the CA key] *********************************************************************************************************************************
changed: [REDACTED -> localhost]

TASK [common : Generate p12 export password] *************************************************************************************************************************************
changed: [REDACTED -> localhost]

TASK [common : Define facts] *****************************************************************************************************************************************************
ok: [REDACTED]

TASK [common : set_fact] *********************************************************************************************************************************************************
ok: [REDACTED]

TASK [common : Set IPv6 support as a fact] ***************************************************************************************************************************************
ok: [REDACTED]

TASK [common : Check size of MTU] ************************************************************************************************************************************************
ok: [REDACTED]

TASK [common : set_fact] *********************************************************************************************************************************************************
ok: [REDACTED]
changed: [REDACTED] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Install tools] ****************************************************************************************************************************************************

TASK [common : Install headers] **************************************************************************************************************************************************
changed: [REDACTED]

TASK [common : include_tasks] ****************************************************************************************************************************************************
included: /Applications/algo-master/roles/common/tasks/iptables.yml for REDACTED
changed: [REDACTED] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [common : Iptables configured] **********************************************************************************************************************************************
changed: [REDACTED] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [REDACTED] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})

RUNNING HANDLER [common : restart iptables] **************************************************************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : Include tasks for Ubuntu] *********************************************************************************************************************************
included: /Applications/algo-master/roles/dns_encryption/tasks/ubuntu.yml for REDACTED

TASK [dns_encryption : Add the repository] ***************************************************************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : Install dnscrypt-proxy] ***********************************************************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : Configure unattended-upgrades] ****************************************************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *********************************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ******************************************************************************************************
ok: [REDACTED]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ******************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : Ubuntu | Add custom requirements to successfully start the unit] ******************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] *******************************************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : dnscrypt-proxy configured] ********************************************************************************************************************************
changed: [REDACTED]

TASK [dns_encryption : dnscrypt-proxy enabled and started] ***********************************************************************************************************************
ok: [REDACTED]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] ************************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Dnsmasq installed] ****************************************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : The dnsmasq directory created] ****************************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : include_tasks] ********************************************************************************************************************************************
included: /Applications/algo-master/roles/dns_adblocking/tasks/ubuntu.yml for REDACTED

TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] *********************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] *************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] *************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***********************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Dnsmasq configured] ***************************************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Adblock script created] ***********************************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Adblock script added to cron] *****************************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Update adblock hosts] *************************************************************************************************************************************
changed: [REDACTED]

RUNNING HANDLER [dns_adblocking : restart dnsmasq] *******************************************************************************************************************************
changed: [REDACTED]

RUNNING HANDLER [strongswan : daemon-reload] *************************************************************************************************************************************
changed: [REDACTED]

TASK [dns_adblocking : Dnsmasq enabled and started] ******************************************************************************************************************************
ok: [REDACTED]
ok: [REDACTED -> localhost] => (item=private)
ok: [REDACTED -> localhost] => (item=public)

TASK [wireguard : Ensure the required directories exist] *************************************************************************************************************************

TASK [wireguard : Include tasks for Ubuntu] **************************************************************************************************************************************
included: /Applications/algo-master/roles/wireguard/tasks/ubuntu.yml for REDACTED

TASK [wireguard : WireGuard repository configured] *******************************************************************************************************************************
changed: [REDACTED]

TASK [wireguard : WireGuard installed] *******************************************************************************************************************************************
changed: [REDACTED]

TASK [wireguard : WireGuard reload-module-on-update] *****************************************************************************************************************************
changed: [REDACTED]

TASK [wireguard : Configure unattended-upgrades] *********************************************************************************************************************************
changed: [REDACTED]

TASK [wireguard : set_fact] ******************************************************************************************************************************************************
ok: [REDACTED]
changed: [REDACTED] => (item=laptop)
changed: [REDACTED] => (item=phone)
changed: [REDACTED] => (item=spare)
changed: [REDACTED] => (item=REDACTED)

TASK [wireguard : Generate private keys] *****************************************************************************************************************************************
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)

TASK [wireguard : Save private keys] *********************************************************************************************************************************************
changed: [REDACTED] => (item=laptop)
changed: [REDACTED] => (item=phone)
changed: [REDACTED] => (item=spare)
changed: [REDACTED] => (item=REDACTED)

TASK [wireguard : Touch the lock file] *******************************************************************************************************************************************
ok: [REDACTED] => (item=laptop)
ok: [REDACTED] => (item=phone)
ok: [REDACTED] => (item=spare)
ok: [REDACTED] => (item=REDACTED)

TASK [wireguard : Generate public keys] ******************************************************************************************************************************************
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)

TASK [wireguard : Save public keys] **********************************************************************************************************************************************
ok: [REDACTED -> localhost] => (item=laptop)
ok: [REDACTED -> localhost] => (item=phone)
ok: [REDACTED -> localhost] => (item=spare)

TASK [wireguard : WireGuard user list updated] ***********************************************************************************************************************************

TASK [wireguard : set_fact] ******************************************************************************************************************************************************
ok: [REDACTED -> localhost]
changed: [REDACTED -> localhost] => (item=(0, u'laptop'))
changed: [REDACTED -> localhost] => (item=(1, u'phone'))
changed: [REDACTED -> localhost] => (item=(2, u'spare'))

TASK [wireguard : WireGuard users config generated] ******************************************************************************************************************************
ok: [REDACTED -> localhost] => (item=(0, u'laptop'))
ok: [REDACTED -> localhost] => (item=(1, u'phone'))
ok: [REDACTED -> localhost] => (item=(2, u'spare'))

TASK [wireguard : Generate QR codes] *********************************************************************************************************************************************

TASK [wireguard : WireGuard configured] ******************************************************************************************************************************************
changed: [REDACTED]

TASK [wireguard : WireGuard enabled and started] *********************************************************************************************************************************
changed: [REDACTED]

RUNNING HANDLER [wireguard : restart wireguard] **********************************************************************************************************************************
changed: [REDACTED]

TASK [strongswan : include_tasks] ************************************************************************************************************************************************
included: /Applications/algo-master/roles/strongswan/tasks/ubuntu.yml for REDACTED

TASK [strongswan : set_fact] *****************************************************************************************************************************************************
ok: [REDACTED]

TASK [strongswan : Ubuntu | Install strongSwan] **********************************************************************************************************************************
changed: [REDACTED]
changed: [REDACTED] => (item=/usr/lib/ipsec/charon)
changed: [REDACTED] => (item=/usr/lib/ipsec/lookip)
changed: [REDACTED] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] ***********************************************************************************************************************
ok: [REDACTED] => (item=apparmor)
ok: [REDACTED] => (item=strongswan)
ok: [REDACTED] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Enable services] *************************************************************************************************************************************

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exist] **************************************************************************************************
changed: [REDACTED]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ***************************************************************************************************
changed: [REDACTED]

TASK [strongswan : Ensure that the strongswan user exist] ************************************************************************************************************************
ok: [REDACTED]

TASK [strongswan : Install strongSwan] *******************************************************************************************************************************************
ok: [REDACTED]
changed: [REDACTED] => (item={u'dest': u'strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [REDACTED] => (item={u'dest': u'ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [REDACTED] => (item={u'dest': u'ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [strongswan : Setup the config files from our templates] ********************************************************************************************************************

TASK [strongswan : Get loaded plugins] *******************************************************************************************************************************************
changed: [REDACTED]
changed: [REDACTED] => (item=rc2)
changed: [REDACTED] => (item=gmp)
changed: [REDACTED] => (item=resolve)
changed: [REDACTED] => (item=md4)
changed: [REDACTED] => (item=sha1)
changed: [REDACTED] => (item=sshkey)
changed: [REDACTED] => (item=agent)
changed: [REDACTED] => (item=connmark)
changed: [REDACTED] => (item=updown)
changed: [REDACTED] => (item=dnskey)
changed: [REDACTED] => (item=fips-prf)
changed: [REDACTED] => (item=constraints)
changed: [REDACTED] => (item=mgf1)
changed: [REDACTED] => (item=bypass-lan)
changed: [REDACTED] => (item=counters)
changed: [REDACTED] => (item=xcbc)
changed: [REDACTED] => (item=aesni)
changed: [REDACTED] => (item=attr)
changed: [REDACTED] => (item=md5)
changed: [REDACTED] => (item=xauth-generic)
changed: [REDACTED] => (item=pkcs1)
changed: [REDACTED] => (item=eap-mschapv2)
changed: [REDACTED] => (item=gcm)
changed: [REDACTED] => (item=pgp)
changed: [REDACTED] => (item=socket-default)
changed: [REDACTED] => (item=pem)
changed: [REDACTED] => (item=hmac)
changed: [REDACTED] => (item=pkcs7)
changed: [REDACTED] => (item=aes)
changed: [REDACTED] => (item=stroke)
changed: [REDACTED] => (item=pkcs12)
changed: [REDACTED] => (item=x509)
changed: [REDACTED] => (item=random)
changed: [REDACTED] => (item=pubkey)
changed: [REDACTED] => (item=openssl)
changed: [REDACTED] => (item=nonce)
changed: [REDACTED] => (item=revocation)
changed: [REDACTED] => (item=kernel-netlink)
changed: [REDACTED] => (item=pkcs8)
changed: [REDACTED] => (item=sha2)

TASK [strongswan : Set subjectAltName as a fact] *********************************************************************************************************************************
ok: [REDACTED -> localhost]
changed: [REDACTED -> localhost] => (item=ecparams)
changed: [REDACTED -> localhost] => (item=certs)
ok: [REDACTED -> localhost] => (item=crl)
ok: [REDACTED -> localhost] => (item=newcerts)
changed: [REDACTED -> localhost] => (item=private)
changed: [REDACTED -> localhost] => (item=public)
changed: [REDACTED -> localhost] => (item=reqs)

TASK [strongswan : Ensure the pki directories exist] *****************************************************************************************************************************
changed: [REDACTED -> localhost] => (item=apple)
ok: [REDACTED -> localhost] => (item=windows)
changed: [REDACTED -> localhost] => (item=manual)

TASK [strongswan : Ensure the config directories exist] **************************************************************************************************************************
changed: [REDACTED -> localhost] => (item=.rnd)
changed: [REDACTED -> localhost] => (item=private/.rnd)
changed: [REDACTED -> localhost] => (item=index.txt)
changed: [REDACTED -> localhost] => (item=index.txt.attr)
changed: [REDACTED -> localhost] => (item=serial)

TASK [strongswan : Ensure the files exist] ***************************************************************************************************************************************

TASK [strongswan : Generate the openssl server configs] **************************************************************************************************************************
ok: [REDACTED -> localhost]

TASK [strongswan : Build the CA pair] ********************************************************************************************************************************************
ok: [REDACTED -> localhost]

TASK [strongswan : Copy the CA certificate] **************************************************************************************************************************************
ok: [REDACTED -> localhost]

TASK [strongswan : Generate the serial number] ***********************************************************************************************************************************
ok: [REDACTED -> localhost]

TASK [strongswan : Build the server pair] ****************************************************************************************************************************************
ok: [REDACTED -> localhost]
ok: [REDACTED -> localhost] => (item=laptop)
ok: [REDACTED -> localhost] => (item=phone)
ok: [REDACTED -> localhost] => (item=spare)

TASK [strongswan : Build the client's pair] **************************************************************************************************************************************
ok: [REDACTED -> localhost] => (item=laptop)
ok: [REDACTED -> localhost] => (item=phone)
ok: [REDACTED -> localhost] => (item=spare)

TASK [strongswan : Build openssh public keys] ************************************************************************************************************************************
changed: [REDACTED -> localhost] => (item=laptop)
changed: [REDACTED -> localhost] => (item=phone)
changed: [REDACTED -> localhost] => (item=spare)

TASK [strongswan : Build the client's p12] ***************************************************************************************************************************************
changed: [REDACTED -> localhost] => (item=laptop)
changed: [REDACTED -> localhost] => (item=phone)
changed: [REDACTED -> localhost] => (item=spare)

TASK [strongswan : Copy the p12 certificates] ************************************************************************************************************************************

TASK [strongswan : Get active users] *********************************************************************************************************************************************
changed: [REDACTED -> localhost]
changed: [REDACTED] => (item={u'dest': u'cacerts/ca.crt', u'src': u'cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [REDACTED] => (item={u'dest': u'certs/REDACTED.crt', u'src': u'certs/REDACTED.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [REDACTED] => (item={u'dest': u'private/REDACTED.key', u'src': u'private/REDACTED.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [strongswan : Copy the keys to the strongswan directory] ********************************************************************************************************************
changed: [REDACTED -> localhost] => (item=laptop)
changed: [REDACTED -> localhost] => (item=phone)
changed: [REDACTED -> localhost] => (item=spare)

TASK [strongswan : Register p12 PayloadContent] **********************************************************************************************************************************

TASK [strongswan : Set facts for mobileconfigs] **********************************************************************************************************************************
ok: [REDACTED -> localhost]
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)
changed: [REDACTED] => (item=None)

TASK [strongswan : Build the mobileconfigs] **************************************************************************************************************************************
changed: [REDACTED -> localhost] => (item=laptop)
changed: [REDACTED -> localhost] => (item=phone)
changed: [REDACTED -> localhost] => (item=spare)

TASK [strongswan : Build the client ipsec config file] ***************************************************************************************************************************
changed: [REDACTED -> localhost] => (item=laptop)
changed: [REDACTED -> localhost] => (item=phone)
changed: [REDACTED -> localhost] => (item=spare)

TASK [strongswan : Build the client ipsec secret file] ***************************************************************************************************************************

TASK [strongswan : Restrict permissions for the local private directories] *******************************************************************************************************
ok: [REDACTED -> localhost]

TASK [strongswan : strongSwan started] *******************************************************************************************************************************************
ok: [REDACTED]

RUNNING HANDLER [dns_adblocking : restart apparmor] ******************************************************************************************************************************
changed: [REDACTED]

RUNNING HANDLER [strongswan : restart strongswan] ********************************************************************************************************************************
changed: [REDACTED]

RUNNING HANDLER [strongswan : daemon-reload] *************************************************************************************************************************************
changed: [REDACTED]

TASK [Delete the CA key] *********************************************************************************************************************************************************
ok: [REDACTED-> localhost]

TASK [Dump the configuration] ****************************************************************************************************************************************************
ok: [REDACTED -> localhost]

TASK [debug] *********************************************************************************************************************************************************************
ok: [REDACTED] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 172.16.0.1                    #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is REDACTED       #\"\n", 
        "    ", 
        "    \"#      Shell access: ssh -i configs/algo.pem ubuntu@REDACTED        #\"\n"
    ]
}

PLAY RECAP ***********************************************************************************************************************************************************************
REDACTED                : ok=116  changed=73   unreachable=0    failed=0   
localhost                  : ok=34   changed=5    unreachable=0    failed=0   
@TC1977

Contributor

commented Apr 4, 2019

Addressing your "additional context": So I'm not an expert on Wireguard at all, or on iPhones. But I believe the behavior of the iPhone w/r/t the "VPN" symbol with Wireguard is different from other VPNs (including the built-in IKEv2 client). Because Wireguard is an interface, as soon as you enable it, the iPhone is listening on the Wireguard interface. Therefore the "VPN" symbol comes on right away. Doesn't matter if the server is down, or if the iPhone is underwater, on a plane, on the moon, wherever. The "VPN" symbol will be on. (I've verified the first three situations, but not the last one.)

On the other hand, IKEv2 doesn't show the "VPN" sign until the connection is actually established with the server. This usually happens within a second, but in cases of poor connections, or Wi-Fi networks with captive portals, sometimes you'll see the symbols alternate between Wi-Fi and LTE.

As far as your actual issue, I personally haven't had a problem switching between LTE <-> Wi-Fi while connected to Wireguard. The general instructions for debugging seem to be to try to reproduce the behavior, then get a log: go to the Wireguard app and select "Export log file" from the Settings menu in the top left corner, which you can view in Notes or download to your Mac to read on a bigger screen. You can post the relevant log here, or you can join the Wireguard mailing list and try asking for help there.

@moshesiegel

Author

commented Apr 5, 2019

@davidemyers

Contributor

commented Apr 5, 2019

Note that turning Wi-Fi on and off from Control Center is different than doing it from Settings. In Control Center Wi-Fi doesn't actually turn off, it just disconnects from the current network. So you should be explicit about which way you're doing it as it might be relevant.

But having said that, I see that your log is full of IPv6 connection errors but Lightsail doesn't support IPv6 (at least it didn't the last time I checked). Please post the Address = line from the client .conf file you're using.

@davidemyers

Contributor

commented Apr 5, 2019

Something that might be worth trying: In the WireGuard app, edit your tunnel and remove ::/0 from Allowed IPs.

@moshesiegel

Author

commented Apr 5, 2019

@moshesiegel

Author

commented Apr 5, 2019

@TC1977

Contributor

commented Apr 5, 2019

You're seeing the IPv6 address on the actual status screen in the Wireguard app, or in the iPhone Settings app, or in the log? Screenshot please?

@davidemyers I'm on Lightsail myself, and can confirm no IPv6 support. I did a local install (after setting a static IP, as Algo still doesn't have Lightsail set up for static IP addresses) and it properly installed without IPv6 options such as ip6tables overwriting. However, my Wireguard app also has "::/0" listed as an available IP. I haven't run into any problems transitioning LTE <-> WiFi, but I'm only on iOS 12.1.4. Maybe I'll upgrade and see what happens. Or, the problem could have to do with the Lightsail scripts, as I see that @moshesiegel cloud installed directly to Lightsail.

@moshesiegel

Author

commented Apr 5, 2019

@TC1977

Contributor

commented Apr 5, 2019

T-mobile may be another thread to pursue, as that's an IPV6-only network. I remember seeing something about T-mobile support on the Wireguard readme, and found this link: https://support.t-mobile.com/thread/146854 which led to this link about how to set up an IPV4-only APN for T-mobile on your Android. But that won't help you.

Bottom line, if it's working, then good, but there might be an issue with either the Algo scripts, or iOS 12.2, or the Wireguard app. Keep us posted.

@davidemyers

Contributor

commented Apr 5, 2019

@TC1977 So your year of EC2 Free Tier expired too, I guess. 😃

I think the Ansible Lightsail module is still missing the ability to configure a static address, which is a shame. Though personally I'm too stubborn to use a provider that doesn't have IPv6 yet.

Wherever this bug lies it should be easy enough for Algo to leave IPv6 out of Allowed IPs when it's unavailable.

@moshesiegel

Author

commented Apr 5, 2019

@TC1977

Contributor

commented Apr 5, 2019

> @TC1977 So your year of EC2 Free Tier expired too, I guess. 😃

Yes, and being too lazy to learn a completely new cloud provider platform, I simply switched to Lightsail. And since dnsmasq adblocking depends on IPv4, I don't miss IPv6.

> Wherever this bug lies it should be easy enough for Algo to leave IPv6 out of Allowed IPs when it's unavailable.

Looks like it would require adding the 'ipv6_support' fact here. Scared to do it myself though.
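The two suggestions above (dropping ::/0 from Allowed IPs in the app, and gating it on an `ipv6_support` fact in Algo's templates) can be shown with a small Python helper. This is an added example, not code from Algo or from the WireGuard project: the config below is a constructed sample with placeholder keys and documentation addresses, and `allowed_ips_for` is a hypothetical stand-in for what a template conditional on `ipv6_support` would emit.

```python
import ipaddress
import re
from typing import List

# Constructed sample client config in WireGuard's INI-style format.
# Keys are placeholders; addresses are RFC 5737 / ULA documentation values.
SAMPLE_CONF = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.19.49.2/32, fd9d:bc11:4020::2/128
DNS = 172.16.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""


def allowed_ips_for(ipv6_support: bool) -> List[str]:
    """Full-tunnel AllowedIPs, as a template gated on an ipv6_support fact
    would emit it: ::/0 is only added when the server actually has IPv6.
    (Hypothetical helper, not Algo's own template logic.)"""
    ips = ["0.0.0.0/0"]
    if ipv6_support:
        ips.append("::/0")
    return ips


def _is_v6(cidr: str) -> bool:
    """Classify a CIDR entry; strict=False accepts host bits in the prefix."""
    return ipaddress.ip_network(cidr.strip(), strict=False).version == 6


def strip_ipv6(conf_text: str) -> str:
    """Rewrite the AllowedIPs and Address lines of an existing client config
    so they carry IPv4 entries only. Every other line is passed through
    unchanged, so keys and the Endpoint are not touched."""
    out = []
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(AllowedIPs|Address)\s*=\s*(.+)$", line)
        if not m:
            out.append(line)
            continue
        key, value = m.group(1), m.group(2)
        v4 = [c.strip() for c in value.split(",") if not _is_v6(c)]
        if v4:  # drop the line entirely if nothing IPv4 remains
            out.append(f"{key} = {', '.join(v4)}")
    return "\n".join(out) + "\n"


def allowed_ips(conf_text: str) -> List[str]:
    """Return the AllowedIPs entries of the first [Peer] section found."""
    for line in conf_text.splitlines():
        m = re.match(r"^\s*AllowedIPs\s*=\s*(.+)$", line)
        if m:
            return [c.strip() for c in m.group(1).split(",")]
    return []


if __name__ == "__main__":
    print(strip_ipv6(SAMPLE_CONF))
```

Removing ::/0 from AllowedIPs stops the app from routing IPv6 destinations into a tunnel whose server cannot forward them; it does not change how the endpoint itself is resolved on an IPv6-only carrier, which is the separate DNS64 question discussed later in the thread.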

@davidemyers

Contributor

commented Apr 6, 2019

Thanks, Jack!

@TC1977

Contributor

commented Apr 6, 2019

As a coda to this, I just upgraded my iPhone to 12.2, and running Wireguard with ::/0 in Allowed IPs, with Lightsail as cloud provider, I have no problems switching back and forth between AT&T LTE and Wi-Fi. Wireguard complained about being unable to bind to v6 socket, but then went on with the connection. Here's a log of a switch to LTE (pdp_ip0) after turning off Wi-Fi (en0) via the Control Center:

2019-04-06 10:31:35.127164: [NET] peer(Svjv…HcAA) - Failed to send data packet write udp4 0.0.0.0:63864->[redacted]:51820: sendto: network is unreachable
2019-04-06 10:31:35.261150: [NET] peer(Svjv…HcAA) - Failed to send data packet write udp4 0.0.0.0:63864->[redacted]:51820: sendto: network is unreachable
2019-04-06 10:31:35.490536: [NET] peer(Svjv…HcAA) - Failed to send data packet write udp4 0.0.0.0:63864->[redacted]:51820: sendto: network is unreachable
2019-04-06 10:31:35.652868: [NET] peer(Svjv…HcAA) - Failed to send data packet write udp4 0.0.0.0:63864->[redacted]:51820: sendto: network is unreachable
2019-04-06 10:31:35.794482: [NET] Network change detected with satisfied route and interface order [pdp_ip0, utun2]
2019-04-06 10:31:35.795793: [NET] DNS64: mapped [redacted] to itself.
2019-04-06 10:31:35.796463: [NET] UAPI: Transition to peer configuration
2019-04-06 10:31:35.796813: [NET] peer(Svjv…HcAA) - UAPI: Updating endpoint
2019-04-06 10:31:35.797006: [NET] Binding sockets to interface 4
2019-04-06 10:31:35.797153: [NET] Unable to bind v6 socket to interface:%!(EXTRA syscall.Errno=invalid argument)
2019-04-06 10:31:53.083816: [NET] Network change detected with satisfied route and interface order [pdp_ip0, utun2]
2019-04-06 10:31:53.086495: [NET] DNS64: mapped [redacted] to itself.
2019-04-06 10:31:53.098674: [NET] UAPI: Transition to peer configuration
2019-04-06 10:31:53.099050: [NET] peer(Svjv…HcAA) - UAPI: Updating endpoint
2019-04-06 10:31:53.109446: [NET] Binding sockets to interface 4
2019-04-06 10:31:53.109746: [NET] Unable to bind v6 socket to interface:%!(EXTRA syscall.Errno=invalid argument)

So I think @moshesiegel's problem occurs only with IPv6-disabled servers, and only with Wireguard .conf files that allow ::/0, and only when switching to T-mobile or similar IPv6-only LTE network. And it should now be fixed, anyway.

@moshesiegel

Author

commented Apr 6, 2019

I spoke too soon, it’s not resolved, rather intermittent. While I haven’t installed the updated version from today, I’ve removed IPv6 ::/0 from the WG interface config which should be the same.

What’s interesting is even with IPV6 removed it’s still connecting to my Lightsail server and showing the IPV6 in the WG app and the issue isn’t that the VPN doesn’t work at all on T-Mobile LTE but rather on the initial transition to LTE it dies but if I force restart the tunnel I can connect.

My guess is that T-Mobile has an IPv4 - V6 NAT function which isn’t working right.

I should be able to spin up an EC2 IPv6 instance tonight and validate

@TC1977

Contributor

commented Apr 7, 2019

If you've removed the ::/0 from the AllowedIPs, then it shouldn't give you any IPv6 address in the Wireguard app. Care to post some logs and/or screenshots?

@moshesiegel

Author

commented Apr 7, 2019

attached

IMG_0004

@moshesiegel

Author

commented Apr 9, 2019

I can replicate this on Digital Ocean, Vultr and EC2. Anyone else using T-Mobile? Since the WG IOS app hasn’t changed in 3 weeks, I’m thinking it’s a T-Mobile NAT issue, but would like another datapoint.

@TC1977

Contributor

commented Apr 9, 2019

No idea why WG is listing an IPv6 endpoint when you don't have ::/0 listed as an Allowed IP, and no idea from an ipv6 lookup tool who that IPv6 belongs to, T-Mobile or Lightsail.

At this point I'm convinced it's a T-Mobile/WG/iOS 12.2 interaction. I searched the WG mailing list archives but couldn't find anything about T-mobile specifically, other than that @zx2c4 asked for data on mobile-WiFi transitions with T-mobile when the WG iOS client was released. Perhaps it's time to go to the Wireguard mailing list for more help.

@moshesiegel

Author

commented Apr 9, 2019

@jackivanov

Collaborator

commented Apr 13, 2019

Closing it for now. Let's document the issue when you have more information from T-Mobile. Thanks!

@leearmstrong


commented May 13, 2019

I can replicate this issue every time I leave my home!

My 4G connection is EE and my Wireguard peer is an explicitly set IPv4 address. I do not have any IPv6 at all on or around the server end.

I can "fix" the issue by disconnecting and reconnecting the client. No traffic passes when I leave the Wifi connection to the 4G.

It looks like the 4G connection is possibly IPv6 and so it has trouble?

2019-05-13 12:24:42.229106: [APP] startActivation: Entering (tunnel: TestConn)
2019-05-13 12:24:42.230826: [APP] startActivation: Starting tunnel
2019-05-13 12:24:42.235129: [APP] startActivation: Success
2019-05-13 12:24:42.238202: [APP] Tunnel 'TestConn' connection status changed to 'connecting'
2019-05-13 12:24:43.413444: [NET] App version: 0.0.20190409 (7); Go backend version: 0.0.20190409
2019-05-13 12:24:43.414159: [NET] Starting tunnel from the app
2019-05-13 12:24:43.770148: [NET] Tunnel interface is utun3
2019-05-13 12:24:43.776002: [NET] DNS64: mapped 62.104.100.11 to itself.
2019-05-13 12:24:43.778679: [NET] Attaching to interface
2019-05-13 12:24:43.781928: [NET] Routine: encryption worker - started
2019-05-13 12:24:43.782111: [NET] Routine: decryption worker - started
2019-05-13 12:24:43.782183: [NET] Routine: handshake worker - started
2019-05-13 12:24:43.782286: [NET] Routine: handshake worker - started
2019-05-13 12:24:43.782376: [NET] Routine: encryption worker - started
2019-05-13 12:24:43.782473: [NET] Routine: decryption worker - started
2019-05-13 12:24:43.782577: [NET] Routine: handshake worker - started
2019-05-13 12:24:43.782667: [NET] Routine: encryption worker - started
2019-05-13 12:24:43.782761: [NET] Routine: decryption worker - started
2019-05-13 12:24:43.782857: [NET] Routine: encryption worker - started
2019-05-13 12:24:43.782945: [NET] Routine: encryption worker - started
2019-05-13 12:24:43.783041: [NET] Routine: decryption worker - started
2019-05-13 12:24:43.783135: [NET] Routine: handshake worker - started
2019-05-13 12:24:43.783229: [NET] Routine: event worker - started
2019-05-13 12:24:43.783642: [NET] Routine: decryption worker - started
2019-05-13 12:24:43.783726: [NET] Routine: TUN reader - started
2019-05-13 12:24:43.783870: [NET] Routine: decryption worker - started
2019-05-13 12:24:43.783972: [NET] Routine: handshake worker - started
2019-05-13 12:24:43.784058: [NET] Routine: handshake worker - started
2019-05-13 12:24:43.784152: [NET] Routine: encryption worker - started
2019-05-13 12:24:43.784306: [NET] UAPI: Updating private key
2019-05-13 12:24:43.784953: [NET] UAPI: Removing all peers
2019-05-13 12:24:43.785057: [NET] UAPI: Transition to peer configuration
2019-05-13 12:24:43.785846: [NET] peer(Qnh3…UrXQ) - UAPI: Created
2019-05-13 12:24:43.786036: [NET] peer(Qnh3…UrXQ) - UAPI: Updating endpoint
2019-05-13 12:24:43.788516: [NET] peer(Qnh3…UrXQ) - UAPI: Updating persistent keepalive interval
2019-05-13 12:24:43.788679: [NET] peer(Qnh3…UrXQ) - UAPI: Removing all allowedips
2019-05-13 12:24:43.788753: [NET] peer(Qnh3…UrXQ) - UAPI: Adding allowedip
2019-05-13 12:24:43.789532: [NET] Routine: receive incoming IPv4 - started
2019-05-13 12:24:43.789772: [NET] Routine: receive incoming IPv6 - started
2019-05-13 12:24:43.789956: [NET] UDP bind has been updated
2019-05-13 12:24:43.790085: [NET] peer(Qnh3…UrXQ) - Starting...
2019-05-13 12:24:43.790323: [NET] peer(Qnh3…UrXQ) - Routine: sequential receiver - started
2019-05-13 12:24:43.790486: [NET] peer(Qnh3…UrXQ) - Routine: sequential sender - started
2019-05-13 12:24:43.790600: [NET] peer(Qnh3…UrXQ) - Routine: nonce worker - started
2019-05-13 12:24:43.790603: [NET] Device started
2019-05-13 12:24:43.793367: [APP] Tunnel 'TestConn' connection status changed to 'connected'
2019-05-13 12:24:44.128026: [NET] peer(Qnh3…UrXQ) - Sending handshake initiation
2019-05-13 12:24:44.138655: [NET] peer(Qnh3…UrXQ) - Awaiting keypair
2019-05-13 12:24:44.159824: [NET] peer(Qnh3…UrXQ) - Received handshake response
2019-05-13 12:24:44.160059: [NET] peer(Qnh3…UrXQ) - Obtained awaited keypair
2019-05-13 12:24:44.377010: [NET] Network change detected with satisfied route and interface order [en0, utun3, pdp_ip0]
2019-05-13 12:24:44.378040: [NET] DNS64: mapped 62.104.100.11 to itself.
2019-05-13 12:24:44.378301: [NET] UAPI: Transition to peer configuration
2019-05-13 12:24:44.378475: [NET] peer(Qnh3…UrXQ) - UAPI: Updating endpoint
2019-05-13 12:24:44.383378: [NET] Binding sockets to interface 8
2019-05-13 12:24:44.384493: [NET] Unable to bind v6 socket to interface:%!(EXTRA syscall.Errno=invalid argument)
2019-05-13 12:24:47.232067: [APP] Status update notification timeout for tunnel 'TestConn'. Tunnel status is now 'connected'.
2019-05-13 12:25:46.131112: [NET] peer(Qnh3…UrXQ) - Receiving keepalive packet
2019-05-13 12:26:50.168227: [NET] peer(Qnh3…UrXQ) - Sending handshake initiation
2019-05-13 12:26:50.196525: [NET] peer(Qnh3…UrXQ) - Received handshake response
2019-05-13 12:26:50.197070: [NET] peer(Qnh3…UrXQ) - Sending keepalive packet
2019-05-13 12:27:00.350659: [NET] peer(Qnh3…UrXQ) - Receiving keepalive packet
2019-05-13 12:27:18.105095: [NET] peer(Qnh3…UrXQ) - Sending keepalive packet
2019-05-13 12:27:29.807486: [NET] peer(Qnh3…UrXQ) - Receiving keepalive packet
2019-05-13 12:27:56.076785: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.163107: [NET] Network change detected with requiresConnection route and interface order [en0, utun3, pdp_ip0, pdp_ip0]
2019-05-13 12:27:56.171330: [NET] DNS64: mapped 62.104.100.11 to itself.
2019-05-13 12:27:56.171665: [NET] UAPI: Transition to peer configuration
2019-05-13 12:27:56.171826: [NET] peer(Qnh3…UrXQ) - UAPI: Updating endpoint
2019-05-13 12:27:56.171972: [NET] Binding sockets to interface 8
2019-05-13 12:27:56.172077: [NET] Unable to bind v6 socket to interface:%!(EXTRA syscall.Errno=invalid argument)
2019-05-13 12:27:56.173054: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.173339: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.173533: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.182074: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.206681: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.439642: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.585089: [NET] Network change detected with satisfied route and interface order [pdp_ip0, utun3]
2019-05-13 12:27:56.638070: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp4 0.0.0.0:64489->62.104.100.11:51380: sendto: network is unreachable
2019-05-13 12:27:56.645764: [NET] DNS64: mapped 62.104.100.11 to 64:ff9b::5245:2a81
2019-05-13 12:27:56.647319: [NET] UAPI: Transition to peer configuration
2019-05-13 12:27:56.647473: [NET] peer(Qnh3…UrXQ) - UAPI: Updating endpoint
2019-05-13 12:27:56.647611: [NET] Binding sockets to interface 2
2019-05-13 12:27:56.647700: [NET] Unable to bind v6 socket to interface:%!(EXTRA syscall.Errno=invalid argument)
2019-05-13 12:27:56.677805: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:56.718402: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:56.837868: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:57.082195: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:57.152094: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:57.176023: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:57.176614: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:57.176943: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:57.277409: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:57.283220: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:58.185401: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:58.211614: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:58.282593: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:58.284085: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:59.083467: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:59.178718: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:59.178894: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:27:59.179040: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:00.284416: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:00.285685: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:00.443507: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:00.638702: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:00.721553: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:00.839780: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:01.153928: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:01.417203: [NET] peer(Qnh3…UrXQ) - Retrying handshake because we stopped hearing back after 15 seconds
2019-05-13 12:28:01.417430: [NET] peer(Qnh3…UrXQ) - Sending handshake initiation
2019-05-13 12:28:01.420234: [NET] peer(Qnh3…UrXQ) - Failed to send handshake initiation write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:02.188291: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:02.215792: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:03.088226: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:03.179535: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:03.179843: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:03.180388: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:04.288627: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:04.289062: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:05.179990: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:06.185407: [NET] peer(Qnh3…UrXQ) - Failed to send data packet write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
2019-05-13 12:28:06.701495: [NET] peer(Qnh3…UrXQ) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-05-13 12:28:06.702023: [NET] peer(Qnh3…UrXQ) - Sending handshake initiation
2019-05-13 12:28:06.707183: [NET] peer(Qnh3…UrXQ) - Failed to send handshake initiation write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host
@jackivanov

Collaborator

commented May 13, 2019

@leearmstrong Can you go to the APN settings, change the protocol to IPv4 only, and test it out?

@jackivanov jackivanov reopened this May 13, 2019
@leearmstrong


commented May 13, 2019

This is on an iPhone and I can't seem to force IPv4 for the APN

@jackivanov

Collaborator

commented May 13, 2019

It's definitely related to DNS64, and there was a solution for EE.
We need someone to reproduce it and update the docs
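
The log excerpt above is the clue behind the DNS64 diagnosis: the peer endpoint `64:ff9b::5245:2a81` sits in the well-known NAT64 prefix `64:ff9b::/96` (RFC 6052), meaning the carrier's DNS64 resolver synthesized an IPv6 address for the Algo host, and once the phone leaves the LTE network that prefix stops being routable. The following script is an added example (not part of this thread or of Algo) that parses wireguard-go "Failed to send" lines, counts failures per endpoint, and decodes the IPv4 address embedded in any NAT64-synthesized endpoint so a reader can spot this condition in their own logs. The first three sample lines are copied from the log posted in this thread; the udp4 line is a constructed sample, and the `udp4 <ip>:<port>` format it assumes is an assumption, not taken from the page.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known NAT64/DNS64 prefix (RFC 6052): an address in this range carries an
# IPv4 address in its low 32 bits, synthesized by the carrier's DNS64 resolver.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Matches the tail wireguard-go prints when sendto() fails:
#   "Failed to send <kind> write udpN <local>-><remote>:<port>: <error>"
# The udp4 form (remote without brackets) is an assumption for illustration.
_SEND_FAIL_RE = re.compile(
    r"Failed to send (?P<kind>handshake initiation|data packet) "
    r"write (?P<proto>udp[46]) (?P<local>\S+?)->"
    r"(?P<remote>\[[0-9A-Fa-f:.]+\]|[0-9.]+):(?P<port>\d+): (?P<err>.+)$"
)


@dataclass
class SendFailure:
    kind: str                     # "handshake initiation" or "data packet"
    proto: str                    # "udp4" or "udp6"
    remote: str                   # peer endpoint address, brackets stripped
    port: int
    error: str                    # the sendto() error text
    embedded_ipv4: Optional[str]  # set when remote is a NAT64-synthesized address


def nat64_embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Return the IPv4 address embedded in a 64:ff9b::/96 address, else None."""
    if addr in NAT64_PREFIX:
        return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))
    return None


def parse_send_failure(line: str) -> Optional[SendFailure]:
    """Parse one wireguard-go log line; return None if it is not a send failure."""
    m = _SEND_FAIL_RE.search(line)
    if not m:
        return None
    remote = m.group("remote").strip("[]")
    addr = ipaddress.ip_address(remote)
    embedded = nat64_embedded_ipv4(addr) if addr.version == 6 else None
    return SendFailure(m.group("kind"), m.group("proto"), remote,
                       int(m.group("port")), m.group("err"), embedded)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count send failures per endpoint and flag NAT64-synthesized endpoints."""
    failures = [f for f in map(parse_send_failure, lines) if f]
    per_endpoint = Counter(f"{f.proto} {f.remote}:{f.port}" for f in failures)
    nat64 = {f.remote: f.embedded_ipv4 for f in failures if f.embedded_ipv4}
    return {
        "total": len(failures),
        "handshake_failures": sum(f.kind == "handshake initiation" for f in failures),
        "per_endpoint": dict(per_endpoint),
        "nat64_endpoints": nat64,  # synthesized v6 endpoint -> embedded IPv4
    }


# Sample input: first three lines copied from the log in this thread, last line constructed.
SAMPLE_LOG = [
    "2019-05-13 12:28:01.417430: [NET] peer(Qnh3…UrXQ) - Sending handshake initiation",
    "2019-05-13 12:28:01.420234: [NET] peer(Qnh3…UrXQ) - Failed to send handshake initiation "
    "write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host",
    "2019-05-13 12:28:02.188291: [NET] peer(Qnh3…UrXQ) - Failed to send data packet "
    "write udp6 [::]:64489->[64:ff9b::5245:2a81]:51380: sendto: no route to host",
    # Constructed: a plain IPv4 endpoint, to show it is counted but not flagged as NAT64.
    "2019-05-13 12:30:00.000000: [NET] peer(Qnh3…UrXQ) - Failed to send data packet "
    "write udp4 0.0.0.0:64489->203.0.113.10:51820: sendto: network is unreachable",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for v6, v4 in report["nat64_endpoints"].items():
        print(f"NAT64-synthesized endpoint {v6} embeds IPv4 {v4}; "
              f"expect 'no route to host' once the phone leaves the carrier's NAT64 network")
    print(report)
```

If the summary shows a `64:ff9b::` endpoint, the decoded IPv4 is the address the client would have used had the APN been IPv4-only, which is the workaround discussed further down in this thread.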

@leearmstrong


commented May 13, 2019

Ok thanks, weird though that I can disconnect the VPN and reconnect and it still works.

I'll try and force IPv4 for now though

@moshesiegel

Author

commented May 13, 2019

@jackivanov

Collaborator

commented May 13, 2019

@moshesiegel Thanks for figuring this out!

@jackivanov jackivanov added the needs_pr label May 13, 2019
@jackivanov jackivanov added this to To Do in Algo Development via automation May 13, 2019
@jackivanov jackivanov added this to the 1.1 milestone May 13, 2019
@moshesiegel

Author

commented May 13, 2019

@TC1977 TC1977 referenced this issue May 18, 2019
2 of 2 tasks complete
Algo Development automation moved this from To Do to Done May 20, 2019
@moshesiegel

Author

commented Jun 26, 2019

FWIW I’ve been running iOS 13 beta 2 for about a week with the T-Mobile IPv4 profile removed and I’ve had no issues with WiFi -> LTE transitions. We may never know if TMO made any changes, but if anyone on stock iOS 12 with the profile wants to remove it and test, it would be a good data point towards the issues being resolved in iOS 13 (obviously several beta revisions still to go).

iPhone XS
T-Mobile
Running this fork with pi-hole https://github.com/rodeodomino/algo-pihole
Lightsail VPS

@TC1977

Contributor

commented Jun 26, 2019

@moshesiegel Try it with vanilla Algo?

@zx2c4


commented Jun 26, 2019

Are there still actually problems with the latest version? Things should generally be fixed, independent of iOS13.

@jkpe


commented Jul 16, 2019

I'm still experiencing this issue on EE UK. iOS 13 Beta 3, WireGuard v0.0.20190702, exact same symptoms as @leearmstrong. It only happens when I leave my house (disconnect wifi), and toggling the VPN triggers a successful connection.

Others do appear to be experiencing similar issues on EE

Here's a .mobileconfig that forces IPv4 on EE, I am testing and will report back in a few days.

Edit: yup, forcing the APN to IPv4 only appears to have fixed the problem. Admittedly not a problem with Algo seeing as @zx2c4 I thought it was worth posting about.
