This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

WireGuard hosted on GCP cannot access Google and many other sites #1552

Open
howyay opened this issue Apr 4, 2019 · 9 comments

howyay commented Apr 4, 2019

Expected behavior:

Be able to bypass all websites with Wireguard

Actual Behavior:

Some previously blocked sites are unblocked but some normal sites like google.com got blocked

Steps to Reproduce:

  1. Follow Streisand interactive wizard to set up a Wireguard only GCE server
  2. Follow instructions on the opened html page
  3. Connect to the server using instructions and Wireguard profiles provided
  4. Open browser and visit google.com
  5. Time out

Ansible Information

  • Ansible version: 2.7.9
  • Ansible system: Linux
  • Host OS: Archlinux
  • Host OS version: NA
  • Python interpreter: python2.7
  • Python version: 2.7.16

Streisand Information

  • Streisand Git revision: 8f06cad
  • Streisand Git clone has untracked changes: no
  • Genesis role: genesis-google
  • Custom SSH key: True

Enabled Roles

  • Shadowsocks enabled: False
  • Wireguard enabled: True
  • OpenVPN enabled: False
  • stunnel enabled: False
  • Tor enabled: False
  • Openconnect enabled: False
  • TinyProxy enabled: False
  • SSH forward user enabled: False
  • Configured number of VPN clients: 5

Additional Details:

Log output from Ansible or other relevant services (link to Gist for longer output):

Target Cloud Provider: Google Compute Engine (Google Cloud Platform)
Operating System of target host: Debian I suppose
Operating System of client: Arch linux/Android
Version of Ansible, using ansible --version : 2.7.9
Output from git rev-parse HEAD in your Streisand directory : 8f06cad

Collaborator

cpu commented Apr 4, 2019

👋 @Haoyet - I'm not actively involved with Streisand anymore and can't provide you with help but on the surface your problem sounds similar to one I debugged in the past: #1089 (comment)

I would recommend checking whether you have success accessing these sites after adjusting your MTU or switching to a provider other than GCE.

Author

howyay commented Apr 4, 2019

> google.com does not work and many other sites do not work.
>
> Ok! I'll try setting up a Streisand server from the current code in master in GCE and seeing if I'm able to access google.com - hopefully the answer is "no" and I can iterate on troubleshooting faster.
>
> @Ronaldkornblow : Good news - I was able to reproduce the problem and I can recommend a short-term workaround while I spend some time figuring out the best solution longer term.
>
> In practice it seems a MTU larger than 1360 results in UDP fragmentation on the GCE network. Out of box my server/client both had an MTU of 1420. You should be able to resolve this by updating the MTU on the wg0-server interface on the server and the wg0-client interface on your client machine.
>
> You can do so by running:
> sudo ifconfig wg0-server mtu 1360 on the server
> sudo ifconfig wg0-client mtu 1360 on the client
>
> I'll have to spend some time thinking about how best to address this permanently. Thanks for reporting!

Originally posted by @cpu in #1089 (comment)

So I tried the solution, but I got SIOCSIFMTU: No such device on both server and client. I already looked this issue up but didn't find any valid solutions.

Forgive me for my ignorance.

Author

howyay commented Apr 4, 2019

Since ifconfig was deprecated, I found the alternate command to do the same thing:

sudo ip link set dev wg0 mtu 1360 on the server
sudo ip link set dev [currently active wireguard profile] mtu 1360 on the client, and it worked!

Thank you so much for the assistance!

Author

howyay commented Apr 4, 2019

Just to explain, the WireGuard interface on the server is wg0 and the interface on the client is the currently active WireGuard profile, the two-random-word thing that looks like attack-slender.

@howyay howyay closed this as completed Apr 4, 2019
@nopdotcom nopdotcom reopened this Apr 5, 2019
@nopdotcom
Member

I'm re-opening this because it should be something Streisand does when it knows it's on GCE. Thank you for the description!

zoonderkins commented May 18, 2019

I changed the eth0 MTU to 1500

nano /etc/network/if-up.d/start.sh 

ifconfig eth0 mtu 1500

wg-quick down wg0 && wg-quick up wg0

It works for me; then you don't have to worry about the MTU issue for WireGuard, IKEv2, OpenConnect.

chepurko commented Jun 9, 2019

> Since ifconfig was deprecated, I found the alternate command to do the same thing:
>
> sudo ip link set dev wg0 mtu 1360 on the server
> sudo ip link set dev [currently active wireguard profile] mtu 1360 on the client, and it worked!
>
> Thank you so much for the assistance!

This worked for me as well. Not sure why this issue should be closed. I'm going to try and figure out how to set this on startup on the server and the client. Does anyone have an idea on how to do that?
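
One way to make the MTU from this thread survive a restart, as an added example that is not from any commenter or from Streisand: wg-quick applies an `MTU` key from the `[Interface]` section when it brings the interface up. The helper names `pin_wg_mtu` and `wg_conf_mtu` and the sample config are assumptions; on a real host the target would be the wg-quick config of the interface (for example `/etc/wireguard/wg0.conf`, an assumed path).

```shell
# Added example: pin the WireGuard MTU in a wg-quick config file.
# pin_wg_mtu and wg_conf_mtu are hypothetical helper names.

# Print the MTU set in the [Interface] section, or nothing if none is set.
wg_conf_mtu() {
    awk -F= '
        /^[ \t]*\[/ { in_if = (tolower($0) ~ /^[ \t]*\[interface\]/); next }
        in_if && tolower($1) ~ /^[ \t]*mtu[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

# Rewrite CONF so that [Interface] carries exactly one "MTU = VALUE" line.
pin_wg_mtu() {
    conf=$1; mtu=$2
    case $mtu in
        ''|*[!0-9]*) echo "invalid MTU: $mtu" >&2; return 2 ;;
    esac
    grep -qi '^[[:space:]]*\[interface\]' "$conf" || { echo "no [Interface] in $conf" >&2; return 3; }
    tmp=$(mktemp) || return 1
    if awk -v mtu="$mtu" '
        /^[ \t]*\[/ {                       # any section header
            in_if = (tolower($0) ~ /^[ \t]*\[interface\]/)
            print
            if (in_if) print "MTU = " mtu   # new value directly under the header
            next
        }
        in_if && tolower($0) ~ /^[ \t]*mtu[ \t]*=/ { next }   # drop the old value
        { print }' "$conf" > "$tmp" &&
       cat "$tmp" > "$conf"   # overwrite in place: keeps owner and mode of the key file
    then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample config (placeholder keys), edited in a temp file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client-private-key-placeholder>
mtu = 1420

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
EOF
pin_wg_mtu "$demo" 1360 && echo "MTU now: $(wg_conf_mtu "$demo")"
rm -f "$demo"
```

The pinned value is read the next time the interface is brought up with wg-quick; the `ip link set dev wg0 mtu 1360` command from the thread changes the running interface.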

@trochdewei

I found this thread: https://lists.zx2c4.com/pipermail/wireguard/2019-May/004190.html Doesn't this mean that this issue is solved in new versions of wg?

Strykar commented Oct 24, 2019

This is a known issue due to Google GCP's MTU and has been discussed on the lists.

https://lore.kernel.org/wireguard/DM6PR12MB3401FF1DE04A62EAD84F2C74BB7B0@DM6PR12MB3401.namprd12.prod.outlook.com/t/#u

https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/8518300-support-for-mtu-1460-bytes

@trochdewei No, if your public wireguard server is on GCP, their MTU of 1460 will still come into play.
