NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

Unstable network causes wag logout #83

Closed uplight-dev closed 6 months ago

uplight-dev commented 7 months ago

I'm reiterating on a previous Issue which resurfaced even with Firefox browser.

There is some random event which causes WAG to kick out the user, after which the hardware key is required to log in again. It seems to happen now after a few hours of using it with Firefox, so it is very hard to debug. I've tried with a vanilla Wireguard and there are some hiccups (2-3 seconds delay sometimes) but the connection is automatically recreated, while with WAG after 2-3 seconds the logout occurs.

I know we've discussed it but I'd like to know:

When a Wireguard connectivity issue appears, why does WAG kick out the user instead of just allowing Wireguard to recover and recreate the connection? Which (other) factors can cause the logout to occur?

Thanks a lot for helping out!

NHAS commented 7 months ago

It does seem like you're having networking issues rather than wag specific issues if your wireguard connections also fail for a period of time.

Calling wag unstable in an issue is kind of a misnomer....

That said, have you checked the wag logs to see if the source ip/port tuple is changing? As that's how wag associates a user key to a "live" session.

NHAS commented 7 months ago

As wireguard has no real way to apply MFA, wag effectively just tracks a user's real IP address and src port, to prevent wireguard key reuse.

It has nothing to do with the browser that you're using; it's all done at layer 3.

NHAS commented 6 months ago

As there hasn't been any activity on this issue for 2 weeks I'm going to close it for now, with the final remark that if your network NAT information changes for your clients wag has to log you out, as that's the only good way to attach MFA to a wireguard connection.

I have for quite a while thought of adding both a lower security mode that just takes IP address as the "session" and/or a websockets connection on the login page to keep sessions alive as long as the browser is authenticated.
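To make the two comments above concrete (sessions keyed on the source IP/port tuple, and the suggested lower-security mode keyed on IP alone), here is an added illustration written for this thread. It is not wag's own code: the `Tracker` type, its `StrictMode`/`IPOnlyMode` switch and the sample endpoints are all constructed for the example. It shows why a NAT port rebinding forces a logout in strict mode but not in IP-only mode, and why a change of public IP logs the user out in both.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
)

// Mode selects what the session is keyed on (hypothetical names, not wag's).
type Mode int

const (
	// StrictMode keys the session on the full (source IP, source port) tuple,
	// which is how the maintainer describes wag's behaviour in this thread.
	StrictMode Mode = iota
	// IPOnlyMode is the suggested lower-security mode: only the source IP
	// has to stay the same, so NAT port rebinding does not end the session.
	IPOnlyMode
)

// Tracker maps a WireGuard public key to the endpoint it completed MFA from.
// Assumption: an in-memory map is enough for the illustration.
type Tracker struct {
	mu       sync.Mutex
	mode     Mode
	sessions map[string]netip.AddrPort
}

func NewTracker(mode Mode) *Tracker {
	return &Tracker{mode: mode, sessions: make(map[string]netip.AddrPort)}
}

// Login records the endpoint a key completed MFA from.
func (t *Tracker) Login(pubkey string, endpoint netip.AddrPort) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.sessions[pubkey] = endpoint
}

// Check is called for traffic seen from pubkey. It returns true if the
// session is still live, or false (and drops the session) when the NAT
// information no longer matches the endpoint MFA was completed from.
func (t *Tracker) Check(pubkey string, seen netip.AddrPort) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	want, ok := t.sessions[pubkey]
	if !ok {
		return false // never authenticated, or already logged out
	}
	var same bool
	switch t.mode {
	case StrictMode:
		same = want == seen
	case IPOnlyMode:
		same = want.Addr() == seen.Addr()
	}
	if !same {
		// At layer 3 a NAT rebinding is indistinguishable from the same key
		// being used from another host, so the session ends and MFA is
		// required again.
		delete(t.sessions, pubkey)
	}
	return same
}

// LoggedIn reports whether pubkey currently has a live session.
func (t *Tracker) LoggedIn(pubkey string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	_, ok := t.sessions[pubkey]
	return ok
}

func main() {
	const key = "CONSTRUCTED_PUBKEY" // constructed sample key, not a real one
	home := netip.MustParseAddrPort("203.0.113.5:51820")    // documentation IP
	rebound := netip.MustParseAddrPort("203.0.113.5:40022") // same NAT, new port
	moved := netip.MustParseAddrPort("198.51.100.9:51820")  // new public IP

	for _, m := range []struct {
		name string
		mode Mode
	}{{"strict", StrictMode}, {"ip-only", IPOnlyMode}} {
		tr := NewTracker(m.mode)
		tr.Login(key, home)
		fmt.Printf("%-8s same tuple:  %v\n", m.name, tr.Check(key, home))
		fmt.Printf("%-8s port rebind: %v\n", m.name, tr.Check(key, rebound))
		tr.Login(key, home) // log in again so the next check starts from a live session
		fmt.Printf("%-8s new ip:      %v\n", m.name, tr.Check(key, moved))
	}
}
```

The trade-off the maintainer describes is visible in `Check`: the stricter the key, the more legitimate NAT churn looks like key reuse and ends the session; the looser the key (IP only), the more a reused key from behind the same NAT would be accepted.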

uplight-dev commented 6 months ago

Yes, it'd be nice to have that lower security mode, especially with websockets, as the IP can also change if you're on WiFi and there's a fixed timeout in place (as it is in some restaurants).