WireGuard/GCE - standard MTU causes fragmentation, some Google sites fail. #1089
Hi @Ronaldkornblow, thanks for filing the issue :-)
What I recommend we try first is to have you bring down the wireguard interface, bring it back up, browse to a site that doesn't work, and then check the status of a few things. Can you please run these commands and share the output?
When you say "not all sites work" - can you give some examples? Do they consistently fail? Have you tried using OpenVPN or one of the other VPN services, if so, do the same websites fail or do they only fail for WireGuard? I've heard that Google's Cloud Env can have MTU problems that manifest as persistent network errors to some sites but we should rule out the easier stuff before we chase that rumour down.
This is a commit from May - was that when you created your Streisand server? Apologies for the barrage of questions :-)
Hi @cpu, Thank you for the quick response.
blahblah:~/streisand$ cat /etc/resolv.conf
blahblah):~/streisand$ cat /etc/resolv.conf
interface: wg0-client peer: blahblah I replaced with
duckduckgo.com works.
Yes. I did it back then. Do you want netstat from the sites that do not work? Thank you so much for your help
Ok! I'll try setting up a Streisand server from the current code in master in GCE and seeing if I'm able to access google.com - hopefully the answer is "no" and I can iterate on troubleshooting faster.
Ok. That might be useful to know but if you want to wait and see if I'm able to reproduce the problem myself to save yourself some time/energy that's fine with me :-)
That's ok for now. I'm going to see if I can repro and if not we can come back to the drawing board.
Happy to help!
@Ronaldkornblow : Good news - I was able to reproduce the problem and I can recommend a short-term workaround while I spend some time figuring out the best solution longer term. In practice it seems a MTU larger than 1360 results in UDP fragmentation on the GCE network. Out of box my server/client both had an MTU of 1420. You should be able to resolve this by updating the MTU on the You can do so by running: I'll have to spend some time thinking about how best to address this permanently. Thanks for reporting!
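As an added example (not code from the Streisand project or from anyone in this thread), the encapsulation overhead behind the MTU recommendation above, worked through in Python; the 1460-byte GCE path MTU it uses is an assumption, not a value the thread gives.

```python
# Added example: not code from the Streisand project or from this thread.
# Works out the bytes WireGuard wraps around each inner packet, the largest
# tunnel MTU that fits a given outer path MTU, and whether a chosen wg0 MTU
# pushes encapsulated datagrams over that path MTU (UDP fragmentation).

WG_TRANSPORT_HEADER = 4 + 4 + 8   # message type+reserved, receiver index, nonce counter
WG_AUTH_TAG = 16                  # Poly1305 tag over the encrypted inner packet
PADDING_MULTIPLE = 16             # inner packet is padded to a multiple of 16 bytes
OUTER_IPV4_UDP = 20 + 8           # IPv4 header + UDP header
OUTER_IPV6_UDP = 40 + 8           # IPv6 header + UDP header

# Assumed outer path MTU for a GCE VM NIC; the thread does not state this value.
ASSUMED_GCE_PATH_MTU = 1460


def wireguard_overhead(outer_ipv6: bool = False) -> int:
    """Fixed bytes added per packet by WireGuard encapsulation: 60 (IPv4) or 80 (IPv6)."""
    outer = OUTER_IPV6_UDP if outer_ipv6 else OUTER_IPV4_UDP
    return outer + WG_TRANSPORT_HEADER + WG_AUTH_TAG


def max_tunnel_mtu(path_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest wg0 MTU whose encapsulated packets still fit in path_mtu."""
    return path_mtu - wireguard_overhead(outer_ipv6)


def encapsulated_size(inner_len: int, tunnel_mtu: int, outer_ipv6: bool = False) -> int:
    """On-the-wire UDP datagram size for an inner packet of inner_len bytes.

    WireGuard pads the plaintext up to a multiple of 16 but never past the
    interface MTU, so a full-size inner packet carries no padding.
    """
    padded = -(-inner_len // PADDING_MULTIPLE) * PADDING_MULTIPLE
    return min(padded, tunnel_mtu) + wireguard_overhead(outer_ipv6)


def fragments(tunnel_mtu: int, path_mtu: int, outer_ipv6: bool = False) -> bool:
    """True if a full-size inner packet exceeds path_mtu after encapsulation."""
    return encapsulated_size(tunnel_mtu, tunnel_mtu, outer_ipv6) > path_mtu


if __name__ == "__main__":
    # The thread's out-of-box MTU (1420) and workaround (1360) against the assumed path MTU.
    for mtu in (1420, 1360, max_tunnel_mtu(ASSUMED_GCE_PATH_MTU)):
        wire = encapsulated_size(mtu, mtu)
        verdict = "fragments" if fragments(mtu, ASSUMED_GCE_PATH_MTU) else "fits"
        print(f"wg0 MTU {mtu}: {wire}-byte datagrams, {verdict} at path MTU {ASSUMED_GCE_PATH_MTU}")
```

The same functions apply to any outer path MTU; pass `outer_ipv6=True` when the WireGuard endpoint is reached over IPv6, which is where the 1420 default (1500 minus 80) comes from.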
@cpu Thank you for investigating.
sorry for noob question, but... How do I SSH into my streisand server? Thank you for the support.
No apologies needed :-) From a command line you should be able to do Edit: Make sure to use the External IP you see in the GCE interface, not the internal
sudo: unable to resolve host streisand
@Ronaldkornblow That warning is OK. If you want to confirm it worked you can run
@cpu got it thank you.
@Ronaldkornblow - Did the temporary MTU change fix your problems accessing Google websites?
@cpu What is a good way to make streisand start on boot along with the MTU changes?
Great! Glad to hear.
I'll get back to you on this - I'm not sure yet.
@Ronaldkornblow In the
@Ronaldkornblow I did a little bit more testing. After provisioning a fresh GCE instance with Streisand the I think I initially A) suggested the wrong MTU, I was calculating the overhead of WireGuard incorrectly (See this post for a better accounting). B) suggested changing the server
I'm going to close this issue for now. I think adding the Unfortunately I don't think there is anything Streisand can do to generate client profiles with a correct hardcoded MTU that will be appropriate for all cases. If someone more clever than myself has an idea for an improvement I'm all ears :-) @Ronaldkornblow Thanks for reporting the problem.
@cpu A note on the generated server instructions for wireguard would be helpful for non techies, had same issue with GCE, had to change the MTU on the client to
@cpu @zx2c4 I did some more checking, tcpdump monitoring of both endpoints shows that the server gets the connection from the client but doesn't answer! After restarting the wireguard server, endpoints connect fine again. I'd appreciate any help in debugging this. First step I suppose iptables and ufw, any suggestion?
Sounds like a good idea 👍 I'm behind on Streisand notifications/threads, apologies. I won't be able to look at this for a while yet.
Expected behavior:
Browse Internet.
Actual Behavior:
Only some DNS responses happen? I am really not sure what is going on. Symptoms are that when I browse internet, not all sites work.
But when I: dig @10.192.122.1 google.com I get:
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22030
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 299 IN A 74.125.124.102
google.com. 299 IN A 74.125.124.139
google.com. 299 IN A 74.125.124.138
google.com. 299 IN A 74.125.124.113
google.com. 299 IN A 74.125.124.101
google.com. 299 IN A 74.125.124.100
;; Query time: 60 msec
;; SERVER: 10.192.122.1#53(10.192.122.1)
;; WHEN: Fri Dec 08 11:58:57 PST 2017
;; MSG SIZE rcvd: 135
Steps to Reproduce:
This used to error out until I installed nscd and unbound. I installed those items and now it seems to get through quickly with no error. Still, browsing gets the ERR_TIMED_OUT.
I do not
[ contents of streisand-diagnostics.md here ]
Additional Details:
Log output from Ansible or other relevant services (link to Gist for longer output):
Target Cloud Provider: gcp
Operating System of target host: ubuntu 16.04
Operating System of client: ubuntu 16.04
Version of Ansible, using ansible --version: ansible 2.3.0.0
Output from git rev-parse HEAD in your Streisand directory: 8730537