clash-rs
WireGuard InvalidAeadTag error
While connecting to Cloudflare WARP with reserved bits works fine, connecting to Windscribe servers fails with "failed to decapsulate packet: InvalidAeadTag" forever. The same profile from Windscribe works on sing-box or the official WireGuard implementation on Windows/Linux, but connecting to different Windscribe servers with clash-rs always leads to this error.
Config
# config.yaml
---
socks-port: 18888
ipv6: true
mode: rule
log-level: debug
dns:
  enable: true
  ipv6: true
  default-nameserver:
    - 1.1.1.1
  nameserver:
    - 1.1.1.1
proxies:
  - name: "WS-JP-OUT"
    type: wireguard
    server: hnd-148-wg.whiskergalaxy.com
    port: 443
    private-key: <erased>
    public-key: <erased>
    pre-shared-key: <erased>
    ip: 100.116.42.153/32
    allowed-ips:
      - 0.0.0.0/0
      - ::/0
    mtu: 1280
    udp: true
rules:
  - MATCH, WS-JP-OUT
In the following log, I started clash-rs with the config above and tried to connect through it with Invoke-WebRequest -Uri "https://1.1.1.1/cdn-cgi/trace" -Proxy "socks5://127.0.0.1:18888" -UseBasicParsing. I stopped it manually at the end.
clash-rs log
# console log
PS D:\dev\router-conf\clash-rs> clash-rs
25-11-07 16:21:20:0371318 DEBUG clash-lib\src\lib.rs:407: initializing cache store
25-11-07 16:21:20:0375444 DEBUG clash-lib\src\app\dns\resolver\system.rs:19: creating system resolver with ipv6=true
25-11-07 16:21:20:0376512 DEBUG clash-lib\src\lib.rs:418: initializing bootstrap outbounds
25-11-07 16:21:20:0378318 DEBUG clash-lib\src\lib.rs:434: initializing mmdb
25-11-07 16:21:20:0379171 DEBUG clash-lib\src\lib.rs:448: country mmdb not set, skipping
25-11-07 16:21:20:0380114 DEBUG clash-lib\src\lib.rs:452: initializing dns resolver
25-11-07 16:21:20:0381209 DEBUG clash-lib\src\app\dns\helper.rs:26: building nameserver: UDP://1.1.1.1:53#None
25-11-07 16:21:20:0382678 DEBUG clash-lib\src\app\dns\helper.rs:26: building nameserver: UDP://1.1.1.1:53#None
25-11-07 16:21:20:0384438 DEBUG clash-lib\src\lib.rs:469: initializing outbound manager
25-11-07 16:21:20:0385425 DEBUG clash-lib\src\app\outbound\manager.rs:107: initializing proxy providers
25-11-07 16:21:20:0386366 DEBUG clash-lib\src\app\outbound\manager.rs:111: initializing handlers
25-11-07 16:21:20:0387571 DEBUG clash-lib\src\app\outbound\manager.rs:115: initializing connectors
25-11-07 16:21:20:038848 DEBUG clash-lib\src\lib.rs:490: initializing geosite
25-11-07 16:21:20:0389412 DEBUG clash-lib\src\lib.rs:504: geosite not set, skipping
25-11-07 16:21:20:0390324 DEBUG clash-lib\src\lib.rs:508: initializing country asn mmdb
25-11-07 16:21:20:0391155 DEBUG clash-lib\src\lib.rs:522: ASN mmdb not found and not configured for download, skipping
25-11-07 16:21:20:03921 DEBUG clash-lib\src\lib.rs:526: initializing router
25-11-07 16:21:20:0393255 DEBUG clash-lib\src\lib.rs:542: initializing dispatcher
25-11-07 16:21:20:0394265 DEBUG clash-lib\src\lib.rs:552: initializing authenticator
25-11-07 16:21:20:0395209 DEBUG clash-lib\src\lib.rs:555: initializing inbound manager
25-11-07 16:21:23:8101445 INFO handle_tcp:dispatch_stream:connect_stream: clash-lib\src\app\dns\dns_client.rs:532: initializing dns client: UDP: 1.1.1.1:53 via proxy: DIRECT outbound_name="WS-JP-OUT"
25-11-07 16:21:23:8103003 DEBUG handle_tcp:dispatch_stream:connect_stream: clash-lib\src\app\dns\resolver\system.rs:19: creating system resolver with ipv6=false outbound_name="WS-JP-OUT"
25-11-07 16:21:23:8106686 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-JP-OUT" src=Some(0.0.0.0:0) iface=None family_hint=Some(1.1.1.1:53)
25-11-07 16:21:23:8109646 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-JP-OUT" src=Some(0.0.0.0:0) iface=None family_hint=Some(1.1.1.1:53)
25-11-07 16:21:23:8155322 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-JP-OUT" src=None iface=None family_hint=Some(138.199.39.132:443)
25-11-07 16:21:23:8176941 DEBUG handle_tcp:dispatch_stream: clash-lib\src\app\dispatcher\dispatcher_impl.rs:115: remote connection established [TCP] 127.0.0.1:62383 -> 1.1.1.1:443[0.0.0.0]
25-11-07 16:21:24:067148 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:21:28:889578 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:21:28:9463859 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:21:33:966332 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:21:34:0238092 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:21:39:0384892 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:21:39:0958863 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:21:44:1117421 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:21:44:1694239 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:21:49:1902284 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:21:49:2472812 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:21:54:2644593 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:21:54:3227252 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:21:59:3488868 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:21:59:4048666 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:22:04:4226936 WARN C:\Users\runneradmin\.cargo\git\checkouts\boring-noise-d992a022c5e34421\e8a17ec\src\noise\timers.rs:234: HANDSHAKE(REKEY_TIMEOUT)
25-11-07 16:22:04:6808843 ERROR start_receiving: clash-lib\src\proxy\wg\wireguard.rs:245: failed to decapsulate packet: InvalidAeadTag self=WireguardTunnel { source_peer_ip: 100.116.42.153, endpoint: 138.199.39.132:443 }
25-11-07 16:22:06:5877395 WARN clash-lib\src\proxy\socks\inbound\mod.rs:32: SOCKS5 inbound listener on [::]:18888 stopped
After clash-rs is stopped, Invoke-WebRequest shows the following error:
pwsh log
PS D:\dev\router-conf> Invoke-WebRequest -Uri "https://1.1.1.1/cdn-cgi/trace" -Proxy "socks5://127.0.0.1:18888" -UseBasicParsing
Invoke-WebRequest: Received an unexpected EOF or 0 bytes from the transport stream.
When I tried to connect through it with Invoke-WebRequest -Uri "https://claude.ai/cdn-cgi/trace" -Proxy "socks5://127.0.0.1:18888" -UseBasicParsing, clash-rs crashed.
clash-rs config
# config.yaml
---
socks-port: 18888
ipv6: true
mode: rule
log-level: debug
dns:
  enable: true
  ipv6: true
  default-nameserver:
    - 1.1.1.1
  nameserver:
    - 1.1.1.1
proxies:
  - name: "WS-OUT"
    type: wireguard
    server: jfk-106-wg.whiskergalaxy.com
    port: 1194
    private-key: [erased]
    public-key: [erased]
    pre-shared-key: [erased]
    ip: 100.89.7.234/32
    allowed-ips:
      - 0.0.0.0/0
      - ::/0
    mtu: 1280
    udp: true
rules:
  - MATCH, WS-OUT
pwsh log
PS D:\dev\router-conf> Invoke-WebRequest -Uri "https://claude.ai/cdn-cgi/trace" -Proxy "socks5://127.0.0.1:18888" -UseBasicParsing
Invoke-WebRequest: Unable to read data from the transport connection: 遠端主機已強制關閉一個現存的連線。.
clash-rs log
# console log
PS D:\dev\router-conf\clash-rs> clash-rs
25-11-07 16:44:25:1608701 DEBUG clash-lib\src\lib.rs:407: initializing cache store
25-11-07 16:44:25:1613357 DEBUG clash-lib\src\app\dns\resolver\system.rs:19: creating system resolver with ipv6=true
25-11-07 16:44:25:1614453 DEBUG clash-lib\src\lib.rs:418: initializing bootstrap outbounds
25-11-07 16:44:25:1616872 DEBUG clash-lib\src\lib.rs:434: initializing mmdb
25-11-07 16:44:25:1618014 DEBUG clash-lib\src\lib.rs:448: country mmdb not set, skipping
25-11-07 16:44:25:1619093 DEBUG clash-lib\src\lib.rs:452: initializing dns resolver
25-11-07 16:44:25:1620173 DEBUG clash-lib\src\app\dns\helper.rs:26: building nameserver: UDP://1.1.1.1:53#None
25-11-07 16:44:25:1621597 DEBUG clash-lib\src\app\dns\helper.rs:26: building nameserver: UDP://1.1.1.1:53#None
25-11-07 16:44:25:1624082 DEBUG clash-lib\src\lib.rs:469: initializing outbound manager
25-11-07 16:44:25:162568 DEBUG clash-lib\src\app\outbound\manager.rs:107: initializing proxy providers
25-11-07 16:44:25:1627057 DEBUG clash-lib\src\app\outbound\manager.rs:111: initializing handlers
25-11-07 16:44:25:1628816 DEBUG clash-lib\src\app\outbound\manager.rs:115: initializing connectors
25-11-07 16:44:25:1630059 DEBUG clash-lib\src\lib.rs:490: initializing geosite
25-11-07 16:44:25:1631177 DEBUG clash-lib\src\lib.rs:504: geosite not set, skipping
25-11-07 16:44:25:1632388 DEBUG clash-lib\src\lib.rs:508: initializing country asn mmdb
25-11-07 16:44:25:1633538 DEBUG clash-lib\src\lib.rs:522: ASN mmdb not found and not configured for download, skipping
25-11-07 16:44:25:1634969 DEBUG clash-lib\src\lib.rs:526: initializing router
25-11-07 16:44:25:1636478 DEBUG clash-lib\src\lib.rs:542: initializing dispatcher
25-11-07 16:44:25:163763 DEBUG clash-lib\src\lib.rs:552: initializing authenticator
25-11-07 16:44:25:1638766 DEBUG clash-lib\src\lib.rs:555: initializing inbound manager
25-11-07 16:44:25:1639923 DEBUG clash-lib\src\lib.rs:562: initializing tun runner
25-11-07 16:44:25:1641088 DEBUG clash-lib\src\lib.rs:567: initializing dns listener
25-11-07 16:44:25:164228 INFO clash-lib\src\lib.rs:571: all components initialized
25-11-07 16:44:25:1644216 INFO clash-lib\src\app\inbound\network_listener.rs:40: SOCKS-IN TCP listening at: :::18888
25-11-07 16:44:35:0415758 INFO handle_tcp:dispatch_stream: clash-lib\src\app\router\mod.rs:123: matched [TCP] 127.0.0.1:62531 -> claude.ai:443[0.0.0.0] to target WS-OUT[Match]
25-11-07 16:44:35:0417729 DEBUG handle_tcp:dispatch_stream: clash-lib\src\app\dispatcher\dispatcher_impl.rs:101: dispatching [TCP] 127.0.0.1:62531 -> claude.ai:443[0.0.0.0] to WS-OUT[rule]
25-11-07 16:44:35:0421766 INFO handle_tcp:dispatch_stream:connect_stream: clash-lib\src\app\dns\dns_client.rs:532: initializing dns client: UDP: 1.1.1.1:53 via proxy: DIRECT outbound_name="WS-OUT"
25-11-07 16:44:35:0423108 DEBUG handle_tcp:dispatch_stream:connect_stream: clash-lib\src\app\dns\resolver\system.rs:19: creating system resolver with ipv6=false outbound_name="WS-OUT"
25-11-07 16:44:35:0426515 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-OUT" src=Some(0.0.0.0:0) iface=None family_hint=Some(1.1.1.1:53)
25-11-07 16:44:35:0429125 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-OUT" src=Some(0.0.0.0:0) iface=None family_hint=Some(1.1.1.1:53)
25-11-07 16:44:35:0491716 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-OUT" src=None iface=None family_hint=Some(217.138.255.180:1194)
25-11-07 16:44:35:0505662 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-OUT" src=Some(0.0.0.0:0) iface=None family_hint=Some(1.1.1.1:53)
25-11-07 16:44:35:0508636 DEBUG handle_tcp:dispatch_stream:connect_stream:new_udp_socket: clash-lib\src\proxy\utils\socket_helpers.rs:125: created udp socket outbound_name="WS-OUT" src=Some(0.0.0.0:0) iface=None family_hint=Some(1.1.1.1:53)
25-11-07 16:44:35:0596926 DEBUG handle_tcp:dispatch_stream: clash-lib\src\app\dispatcher\dispatcher_impl.rs:115: remote connection established [TCP] 127.0.0.1:62531 -> claude.ai:443[0.0.0.0]
Well, this is embarrassing.
clash-rs had a problem and crashed. To help us diagnose the problem you can send us a crash report.
We have generated a report file at "C:\Users\Small_Ku\AppData\Local\Temp\report-9f035820-d28d-46fb-8c57-01ab70214226.toml". Submit an issue or email with the subject of "clash-rs Crash Report" and include the report as an attachment.
- Homepage: https://github.com/watfaq/clash-rs
- Authors: https://github.com/Watfaq/clash-rs/graphs/contributors
To submit the crash report:
Open an issue on GitHub: https://github.com/Watfaq/clash-rs/issues
We take privacy seriously, and do not perform any automated error collection. In order to improve the software, we rely on people to submit reports.
Thank you kindly!
clash-rs crash report
# report-9f035820-d28d-46fb-8c57-01ab70214226.toml
name = "clash-rs"
operating_system = "Windows 10.0.26100 (Windows 11 IoTEnterpriseS) [64-bit]"
crate_version = "0.9.2"
explanation = '''
Panic occurred in file 'clash-lib\src\proxy\wg\device.rs' at line 295
'''
cause = "called `Option::unwrap()` on a `None` value"
method = "Panic"
backtrace = """
0: 0x7ff75734f58d - <unresolved>
1: 0x7ff75734f710 - <unresolved>
2: 0x7ff75734f358 - <unresolved>
3: 0x7ff75734f2f2 - <unresolved>
4: 0x7ff75792f3c2 - <unresolved>
5: 0x7ff75792ed39 - <unresolved>
6: 0x7ff75781d3bd - <unresolved>
7: 0x7ff757d8ef72 - <unresolved>
8: 0x7ff757d8ecd3 - <unresolved>
9: 0x7ff757d88a4f - <unresolved>
10: 0x7ff757d73ede - <unresolved>
11: 0x7ff758277931 - aws_lc_0_32_3_jent_entropy_switch_notime_impl
12: 0x7ff75827790d - aws_lc_0_32_3_jent_entropy_switch_notime_impl
13: 0x7ff75827743e - aws_lc_0_32_3_jent_entropy_switch_notime_impl
14: 0x7ff7577b50ed - <unresolved>
15: 0x7ff7576e9c4e - <unresolved>
16: 0x7ff7575fdb6f - <unresolved>
17: 0x7ff75760489b - <unresolved>
18: 0x7ff7576131de - <unresolved>
19: 0x7ff757dc8ebf - <unresolved>
20: 0x7ff757dc23e5 - <unresolved>
21: 0x7ff757dc3515 - <unresolved>
22: 0x7ff757dc8577 - <unresolved>
23: 0x7ff757daf8c4 - <unresolved>
24: 0x7ff757dd4749 - <unresolved>
25: 0x7ff757dbb40d - <unresolved>
26: 0x7ff757dbcfc7 - <unresolved>
27: 0x7ff757dbd29d - <unresolved>
28: 0x7ff757dbd9bb - <unresolved>
29: 0x7ff757db03d6 - <unresolved>
30: 0x7ff757db1318 - <unresolved>
31: 0x7ff757d818fd - <unresolved>
32: 0x7ffbda0bdbe7 - BaseThreadInitThunk
33: 0x7ffbdaaa5a6c - RtlUserThreadStart
"""
Maybe related: https://github.com/firezone/firezone/issues/9845
Thanks for reporting! Will take a look
It seems reproducible with a local server with a preshared key, using the following local WireGuard config and clash-rs config:
[Interface]
PrivateKey = WBAz4XiNeSV4T+DHBJA9nKihQgLQbFuWRVZhXksuBUY=
ListenPort = 51820
Address = 10.0.0.1/24
[Peer]
PublicKey = tjsm6eYtbaosssv8WTCqL3DcT9yrLDHne8UFaP0qlyo=
PresharedKey = W2khZtKpoBuR4Q8F0w8Ojq34jdmkiaJdwDvpa0kv7x4=
AllowedIPs = 10.0.0.2/32
---
socks-port: 18888
mode: rule
log-level: debug
dns:
  enable: true
  default-nameserver:
    - 1.1.1.1
  nameserver:
    - 1.1.1.1
proxies:
  - name: "WG-OUT"
    type: wireguard
    server: 127.0.0.1
    port: 51820
    private-key: ABOCR1VHTxAYij4TIbQea6ssT48XOJqeZ7rjr/saoXc=
    public-key: hlbE/m+DMHc1NTKqvGSZ/FENjhwI2HNN7ywMx/tj7Ww=
    pre-shared-key: W2khZtKpoBuR4Q8F0w8Ojq34jdmkiaJdwDvpa0kv7x4=
    ip: 10.0.0.2/32
    allowed-ips:
      - 0.0.0.0/0
      - ::/0
    mtu: 1280
    udp: true
rules:
  - MATCH, WG-OUT
the crash seems to be unrelated - it's the remote endpoint being an IPv6 addr but your local wg config doesn't have an ipv6 local addr. but i agree this should be handled better
can seem to reproduce it and i think PSK is also tested at https://github.com/watfaq/clash-rs/blob/b628d653e568ce5d13e08ce06ee1ec2147622039/clash-lib/src/proxy/wg/mod.rs#L368
not too sure what's going on here
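Added example, not part of the thread and not clash-rs code: one way to handle the crash case described above (an IPv6 destination while the tunnel has only an IPv4 local address) by returning an error instead of calling `unwrap()` on a missing address. `TunnelAddrs`, `SelectError` and `select_pair` are hypothetical names, and the destination addresses are constructed documentation-range values.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

/// Hypothetical view of the tunnel's local addresses (not a clash-rs type).
#[derive(Debug, Clone, Copy)]
pub struct TunnelAddrs {
    pub v4: Option<Ipv4Addr>,
    pub v6: Option<Ipv6Addr>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SelectError {
    NoCandidates,
    /// Every resolved destination needs a family the tunnel has no address for.
    NoLocalAddrForFamily { wanted_v4: bool, wanted_v6: bool },
}

/// Pick the first destination whose address family has a local tunnel address
/// and return (source, destination). A missing family is an error, not a panic.
pub fn select_pair(
    local: &TunnelAddrs,
    resolved: &[SocketAddr],
) -> Result<(IpAddr, SocketAddr), SelectError> {
    if resolved.is_empty() {
        return Err(SelectError::NoCandidates);
    }
    let (mut wanted_v4, mut wanted_v6) = (false, false);
    for dst in resolved {
        let src = match dst.ip() {
            IpAddr::V4(_) => { wanted_v4 = true; local.v4.map(IpAddr::V4) }
            IpAddr::V6(_) => { wanted_v6 = true; local.v6.map(IpAddr::V6) }
        };
        if let Some(src) = src {
            return Ok((src, *dst));
        }
    }
    Err(SelectError::NoLocalAddrForFamily { wanted_v4, wanted_v6 })
}

fn main() {
    // Constructed input: IPv4-only tunnel address as in the report's second config.
    let local = TunnelAddrs { v4: Some(Ipv4Addr::new(100, 89, 7, 234)), v6: None };
    let v6: SocketAddr = "[2001:db8::1]:443".parse().unwrap();
    let v4: SocketAddr = "192.0.2.10:443".parse().unwrap();
    println!("{:?}", select_pair(&local, &[v6]));     // error, no panic
    println!("{:?}", select_pair(&local, &[v6, v4])); // falls back to the IPv4 pair
}
```

With this shape the caller can log the family mismatch and fail only the affected connection, leaving the tunnel task running.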