StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

WireGuard hosted on GCP cannot access Google and many other sites #1552

Open howyay opened 5 years ago

howyay commented 5 years ago

Expected behavior:

Be able to reach all websites through WireGuard

Actual Behavior:

Some previously blocked sites are unblocked but some normal sites like google.com got blocked

Steps to Reproduce:

  1. Follow the Streisand interactive wizard to set up a WireGuard-only GCE server
  2. Follow the instructions on the opened HTML page
  3. Connect to the server using the instructions and WireGuard profiles provided
  4. Open browser and visit google.com
  5. Time out

Ansible Information

Streisand Information

Enabled Roles

Additional Details:

Log output from Ansible or other relevant services (link to Gist for longer output):

Target Cloud Provider: Google Compute Engine (Google Cloud Platform)
Operating System of target host: Debian I suppose
Operating System of client: Arch linux/Android
Version of Ansible, using ansible --version : 2.7.9
Output from git rev-parse HEAD in your Streisand directory : 8f06cadd1500c7cdc02889fe1683d1124e00f78b
cpu commented 5 years ago

:wave: @haoyet - I'm not actively involved with Streisand anymore and can't provide you with help but on the surface your problem sounds similar to one I debugged in the past: https://github.com/StreisandEffect/streisand/issues/1089#issuecomment-350400689

I would recommend checking whether you have success accessing these sites after adjusting your MTU or switching to a provider other than GCE.

howyay commented 5 years ago

google.com does not work and many other sites do not work.

Ok! I'll try setting up a Streisand server from the current code in master in GCE and see if I'm able to access google.com - hopefully the answer is "no" and I can iterate on troubleshooting faster.

@Ronaldkornblow : Good news - I was able to reproduce the problem and I can recommend a short-term workaround while I spend some time figuring out the best solution longer term.

In practice it seems an MTU larger than 1360 results in UDP fragmentation on the GCE network. Out of the box my server/client both had an MTU of 1420. You should be able to resolve this by updating the MTU on the wg0-server interface on the server and the wg0-client interface on your client machine.

You can do so by running:

sudo ifconfig wg0-server mtu 1360 on the server

sudo ifconfig wg0-client mtu 1360 on the client

I'll have to spend some time thinking about how best to address this permanently. Thanks for reporting!

Originally posted by @cpu in https://github.com/StreisandEffect/streisand/issues/1089#issuecomment-350400689

So I tried the solution, but I got SIOCSIFMTU: No such device on both server and client. I already looked this issue up but didn't find any valid solutions.

Forgive me for my ignorance.

howyay commented 5 years ago

Since ifconfig was deprecated, I found the alternate command to do the same thing:

sudo ip link set dev wg0 mtu 1360 on the server

sudo ip link set dev [currently active wireguard profile] mtu 1360 on the client

and it worked!

Thank you so much for the assistance!

howyay commented 5 years ago

Just to explain: the WireGuard interface on the server is wg0, and the interface on the client is the currently active WireGuard profile, the two-random-word thing that looks like attack-slender.

nopdotcom commented 5 years ago

I'm re-opening this because it should be something Streisand does when it knows it's on GCE. Thank you for the description!

zoonderkins commented 5 years ago

I changed the eth0 MTU to 1500:

nano /etc/network/if-up.d/start.sh

ifconfig eth0 mtu 1500

wg-quick down wg0 && wg-quick up wg0

It works for me; then you don't have to worry about the MTU issue for WireGuard, IKEv2, or OpenConnect.

chepurko commented 5 years ago

Since ifconfig was deprecated, I found the alternate command to do the same thing:

sudo ip link set dev wg0 mtu 1360 on the server

sudo ip link set dev [currently active wireguard profile] mtu 1360 on the client

and it worked!

Thank you so much for the assistance!

This worked for me as well. Not sure why this issue should be closed. I'm going to try and figure out how to set this on startup on the server and the client. Does anyone have an idea on how to do that?

trochdewei commented 5 years ago

I found this thread: https://lists.zx2c4.com/pipermail/wireguard/2019-May/004190.html. Doesn't this mean that this issue is solved in new versions of wg?

Strykar commented 4 years ago

This is a known issue due to Google GCP's MTU and has been discussed on the lists.

https://lore.kernel.org/wireguard/DM6PR12MB3401FF1DE04A62EAD84F2C74BB7B0@DM6PR12MB3401.namprd12.prod.outlook.com/t/#u

https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/8518300-support-for-mtu-1460-bytes

@trochdewei No, if your public wireguard server is on GCP, their MTU of 1460 will still come into play.
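As an added illustration (not code from this thread or from Streisand) of the MTU arithmetic behind the 1460 figure and of a way to make the fix persist without an if-up.d script: the helpers below derive the largest WireGuard interface MTU that fits inside a given outer link MTU and emit the matching wg-quick `MTU =` line. They assume the standard WireGuard per-packet overhead (outer IPv4 20 + UDP 8 + WireGuard data-message header and tag 32 = 60 bytes; 80 bytes over IPv6), so for GCE's 1460 they give 1400; the 1360 used earlier in the thread sits below that bound with some margin.

```shell
#!/bin/sh
# Added example: derive a WireGuard MTU that never needs UDP fragmentation
# on the outer link, and the wg-quick setting that makes it persistent.
# Assumed overheads (WireGuard protocol, not measured on GCE):
#   outer IPv4 20 + UDP 8 + WireGuard data message 32 = 60 bytes
#   outer IPv6 40 + UDP 8 + WireGuard data message 32 = 80 bytes
# WireGuard's own default of 1420 is 1500 - 80, which assumes a 1500 link.

wg_overhead() {
  case "$1" in
    4) echo 60 ;;
    6) echo 80 ;;
    *) echo "unknown address family: $1" >&2; return 1 ;;
  esac
}

# Largest inner (tunnel) MTU that fits in the outer link MTU.
#   wg_inner_mtu <outer_mtu> [4|6]
wg_inner_mtu() {
  outer="$1"; family="${2:-4}"
  overhead=$(wg_overhead "$family") || return 1
  echo $((outer - overhead))
}

# Exit 0 if an inner packet of this length would be fragmented on the
# outer link, 1 otherwise. Useful as a pre-flight check for a chosen MTU.
#   wg_would_fragment <inner_len> <outer_mtu> [4|6]
wg_would_fragment() {
  inner_len="$1"; outer="$2"; family="${3:-4}"
  overhead=$(wg_overhead "$family") || return 1
  [ $((inner_len + overhead)) -gt "$outer" ]
}

# The [Interface] line to add to the wg-quick config (e.g. wg0.conf) so the
# MTU is applied on every "wg-quick up" instead of by hand with "ip link".
#   wg_conf_mtu_line <outer_mtu> [4|6]
wg_conf_mtu_line() {
  printf 'MTU = %s\n' "$(wg_inner_mtu "$1" "$2")"
}

# Usage on GCE (outer MTU 1460, IPv4 endpoint):
#   wg_inner_mtu 1460 4                 -> 1400
#   wg_would_fragment 1420 1460 4 && echo "the default 1420 fragments"
#   wg_conf_mtu_line 1460 4             -> MTU = 1400
```

The same `MTU =` line belongs in the client profile's `[Interface]` section, which is what makes the setting survive reconnects on both ends.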