WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Continuous "keepalive" traffic from server after client terminates connection #79

Closed mxmartins closed 3 years ago

mxmartins commented 3 years ago

In my client configuration, I have persistent-keepalive = 25... I am able to connect to the server just fine, everything works as advertised.

Hours after the client terminates the WG connection, I see continued traffic hitting the client firewall, coming from the WG server towards the WG client.

Why is the server still trying to reach out to the client well after the client has terminated the WG connection. It seems like the server never realizes the connection is terminated. Is this normal behavior?

FossoresLP commented 3 years ago

AFAIK WireGuard does not really tear down connections. This means that the server most likely never realizes that the other peer disconnected.

mxmartins commented 3 years ago

Does that logic make sense? Should it not terminate a connection after a given amount of time where the server/peer is no longer able to reach the other peer? To continue to reach out to a peer in perpetuity does not make sense... Am I wrong?

Lochnair commented 3 years ago

IIRC WireGuard only sends encrypted packets, handshakes and keepalives (if you've configured that). It doesn't care about connection states, and it doesn't need to. That's also part of the reason it roams so well.

mxmartins commented 3 years ago

> IIRC WireGuard only sends encrypted packets, handshakes and keepalives (if you've configured that). It doesn't care about connection states, and it doesn't need to. That's also part of the reason it roams so well.

Understood... In this case, the Peer (client) has keepalives configured.... But after the Peer (client) terminates the connection to the WG server, why is the WG server still sending encrypted traffic back to the peer?

FossoresLP commented 3 years ago

I'm not sure why the server continues sending packets. WireGuard does refresh session keys from time to time but that should only happen when there is actual traffic. Could it be that some protocol on the server side is configured to send traffic on the wg interface? Are both peers on EdgeOS / UGW or which WireGuard implementation do they use?

mxmartins commented 3 years ago

> I'm not sure why the server continues sending packets. WireGuard does refresh session keys from time to time but that should only happen when there is actual traffic. Could it be that some protocol on the server side is configured to send traffic on the wg interface? Are both peers on EdgeOS / UGW or which WireGuard implementation do they use?

The WG server is a UGW4 running the most current version of WG. And the client is my Windows 10 laptop.

For example, the last time I connected to the WG server was yesterday, over 24 hours ago, and in my firewall, I'm still seeing connection attempts by the WG server (UGW4) right now....

So, I fail to understand why the WG server never stops its attempts to connect to a peer that has been gone for over 24 hours.

FossoresLP commented 3 years ago

WireGuard does not keep track of connections, so if my guess is right and something on the server side is sending messages to the peer, WireGuard will try to reach it on the last known address forever. There is no such thing as a peer that's gone for WireGuard, because you told it the peer would be there in the config and it has an address that the peer was reachable through at some point. So in case there is data to send to that peer, WireGuard will do exactly that.

mxmartins commented 3 years ago

> WireGuard does not keep track of connections, so if my guess is right and something on the server side is sending messages to the peer, WireGuard will try to reach it on the last known address forever. There is no such thing as a peer that's gone for WireGuard, because you told it the peer would be there in the config and it has an address that the peer was reachable through at some point. So in case there is data to send to that peer, WireGuard will do exactly that.

Understood.... In that case, it is operating as designed. Thanks for clarifying.
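An added example, not from this issue thread or the wireguard-vyatta-ubnt project: a small Python script that parses the tab-separated output of `wg show <iface> dump` (interface line with four fields, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp, rx bytes, tx bytes, persistent keepalive) and lists the peers whose latest handshake is older than a threshold. It gives an operator the check the thread implies: since WireGuard keeps encrypting and sending whatever local traffic is routed to a peer's last known endpoint, regardless of whether the peer is still there, the only way to see that a peer is effectively gone is its handshake age. The `SAMPLE_DUMP`, the placeholder keys and endpoints, and the fixed reference time `NOW` are constructed for the example; the 180 s default comes from WireGuard's reject-after-time, after which a session without a fresh handshake is no longer valid.

```python
"""Flag WireGuard peers with a stale handshake (added example, not project code).

Feed it real data with:  wg show wg0 dump | python3 stale_peers.py --stdin
Without --stdin it runs on the constructed SAMPLE_DUMP below.
"""
import sys
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed reference time: "now" for the sample data (Unix epoch seconds).
NOW = 1_700_000_000

# Constructed `wg show wg0 dump` output. Keys and addresses are placeholders.
# Peer A: live session (handshake 30 s ago).
# Peer B: endpoint still set, keepalive configured, last handshake ~25 h ago,
#         tx counter far above rx: the server keeps sending to a vanished peer.
# Peer C: configured but never reached (no endpoint, handshake 0).
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVKEY_PLACEHOLDER", "SERVER_PUBKEY_PLACEHOLDER", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY", "(none)", "203.0.113.10:41820", "10.0.0.2/32",
               str(NOW - 30), "123456", "654321", "25"]),
    "\t".join(["PEER_B_PUBKEY", "(none)", "198.51.100.7:51820", "10.0.0.3/32",
               str(NOW - 90_000), "9000", "120000", "25"]),
    "\t".join(["PEER_C_PUBKEY", "(none)", "(none)", "10.0.0.4/32", "0", "0", "0", "off"]),
])


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]        # None when wg prints "(none)"
    allowed_ips: str
    latest_handshake: int          # Unix epoch seconds; 0 means never
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]       # None when wg prints "off"


def parse_dump(text: str) -> List[Peer]:
    """Parse `wg show <iface> dump` output into Peer records."""
    peers: List[Peer] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) == 4:
            continue  # interface line: private key, public key, listen port, fwmark
        if len(fields) != 8:
            raise ValueError(f"line {lineno}: expected 8 peer fields, got {len(fields)}")
        pub, _psk, endpoint, allowed, hs, rx, tx, ka = fields
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed,
            latest_handshake=int(hs),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
            keepalive=None if ka == "off" else int(ka),
        ))
    return peers


def stale_peers(peers: List[Peer], now: int, max_age: int = 180) -> List[Peer]:
    """Peers that have a known endpoint but no handshake within max_age seconds.

    A peer with a live session (data or keepalives flowing) rekeys roughly every
    two minutes, so a handshake older than WireGuard's 180 s reject-after-time
    means there is no valid session, yet WireGuard will still send any traffic
    routed to this peer to its last endpoint. Peers with no endpoint are skipped:
    WireGuard has nowhere to send to, so they generate no outbound traffic.
    """
    return [p for p in peers
            if p.endpoint is not None and now - p.latest_handshake > max_age]


def describe(peer: Peer, now: int) -> str:
    """One human-readable report line for a stale peer."""
    age = "never" if peer.latest_handshake == 0 else f"{(now - peer.latest_handshake) // 60} min ago"
    ka = "off" if peer.keepalive is None else f"{peer.keepalive}s"
    return (f"{peer.public_key[:16]}... endpoint={peer.endpoint} allowed={peer.allowed_ips} "
            f"handshake={age} tx={peer.tx_bytes} rx={peer.rx_bytes} keepalive={ka}")


if __name__ == "__main__":
    if "--stdin" in sys.argv:
        dump, now = sys.stdin.read(), int(time.time())
    else:
        dump, now = SAMPLE_DUMP, NOW
    for p in stale_peers(parse_dump(dump), now):
        print(describe(p, now))
```

On the constructed sample the report names only peer B: an endpoint is still set, the keepalive is 25 s, and the last handshake was about a day ago, which is the situation described in this thread seen from the server side. The tx counter tells you whether anything local is still being sent to that endpoint; if so, the traffic source is on the server, not in WireGuard. If a peer should stop being reached, remove it with `wg set wg0 peer <key> remove` (or drop it from the device config); WireGuard itself will not age it out.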