Open howyay opened 5 years ago
:wave: @haoyet - I'm not actively involved with Streisand anymore and can't provide you with help but on the surface your problem sounds similar to one I debugged in the past: https://github.com/StreisandEffect/streisand/issues/1089#issuecomment-350400689
I would recommend checking whether you have success accessing these sites after adjusting your MTU or switching to a provider other than GCE.
google.com does not work and many other sites do not work.
Ok! I'll try setting up a Streisand server from the current code in master in GCE and seeing if I'm able to access google.com - hopefully the answer is "no" and I can iterate on troubleshooting faster.
@Ronaldkornblow : Good news - I was able to reproduce the problem and I can recommend a short-term workaround while I spend some time figuring out the best solution longer term.
In practice it seems an MTU larger than 1360 results in UDP fragmentation on the GCE network. Out of the box my server/client both had an MTU of 1420. You should be able to resolve this by updating the MTU on the wg0-server interface on the server and the wg0-client interface on your client machine.
You can do so by running:
sudo ifconfig wg0-server mtu 1360
on the server
sudo ifconfig wg0-client mtu 1360
on the client
I'll have to spend some time thinking about how best to address this permanently. Thanks for reporting!
Originally posted by @cpu in https://github.com/StreisandEffect/streisand/issues/1089#issuecomment-350400689
So I tried the solution but I got SIOCSIFMTU: No such device on both server and client. I already looked this issue up but didn't find any valid solutions.
Forgive me for my ignorance.
Since ifconfig was deprecated, I found the alternate command to do the same thing:
sudo ip link set dev wg0 mtu 1360
on the server
sudo ip link set dev [currently active wireguard profile] mtu 1360
on the client, and it worked!
Thank you so much for the assistance!
Just to explain, the WireGuard interface on the server is wg0 and the interface on the client is the currently active WireGuard profile, the two-random-word thing that looks like attack-slender.
I'm re-opening this because it should be something Streisand does when it knows it's on GCE. Thank you for the description!
I change eth0 mtu to 1500
nano /etc/network/if-up.d/start.sh
ifconfig eth0 mtu 1500
wg-quick down wg0 && wg-quick up wg0
It works for me, then you don't have to worry about the MTU issue for WireGuard, IKEv2, OpenConnect.
Since ifconfig was deprecated, I found the alternate command to do the same thing:
sudo ip link set dev wg0 mtu 1360
on the server
sudo ip link set dev [currently active wireguard profile] mtu 1360
on the client, and it worked!
Thank you so much for the assistance!
This worked for me as well. Not sure why this issue should be closed. I'm going to try and figure out how to set this on startup on the server and the client. Does anyone have an idea on how to do that?
I found this thread https://lists.zx2c4.com/pipermail/wireguard/2019-May/004190.html Doesn't this mean that this issue is solved in new versions of wg?
This is a known issue due to Google GCP's MTU and has been discussed on the lists.
@trochdewei No, if your public wireguard server is on GCP, their MTU of 1460 will still come into play.
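On the question above about applying the MTU at startup: wg-quick reads an MTU key from the [Interface] section of its config, so the value can be pinned there instead of re-running ip link after every boot. The helper below is an added example, not part of the thread or of Streisand; set_wg_mtu is a hypothetical name, the config path is passed in by the caller (wg-quick's default location is /etc/wireguard/<interface>.conf), and the demo config is constructed with placeholder keys.

```shell
#!/bin/sh
# Added example: pin the MTU in a wg-quick config so it persists across restarts.
# Usage: set_wg_mtu CONF MTU   (rewrites CONF in place; safe to run repeatedly)
set_wg_mtu() {
    conf=$1
    mtu=$2
    case $mtu in
        ''|*[!0-9]*) echo "MTU must be a number" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # mktemp creates the file with mode 0600; the config holds the private key.
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    awk -v mtu="$mtu" '
        /^[ \t]*\[/ {                       # a section header
            in_if = (tolower($0) ~ /^[ \t]*\[interface\]/)
            print
            if (in_if && !done) { print "MTU = " mtu; done = 1 }
            next
        }
        # drop any earlier MTU line inside [Interface] (keys are case-insensitive)
        in_if && tolower($0) ~ /^[ \t]*mtu[ \t]*=/ { next }
        { print }
        END { exit !done }                  # fail if no [Interface] section
    ' "$conf" > "$tmp" || { rm -f "$tmp"; echo "no [Interface] in $conf" >&2; return 1; }
    mv "$tmp" "$conf"
}

# Demo on a constructed config (placeholder keys, not real ones).
demo_dir=$(mktemp -d)
cat > "$demo_dir/wg0.conf" <<'EOF'
[Interface]
Address = 10.0.0.1/24
PrivateKey = <server-private-key>
mtu = 1420

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
EOF
set_wg_mtu "$demo_dir/wg0.conf" 1360 && cat "$demo_dir/wg0.conf"
rm -rf "$demo_dir"
```

After editing the real config, restart the tunnel (for example with the wg-quick down wg0 && wg-quick up wg0 sequence quoted above) and confirm the value with ip link show.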
Expected behavior:
Be able to bypass all websites with Wireguard
Actual Behavior:
Some previously blocked sites are unblocked but some normal sites like google.com got blocked
Steps to Reproduce:
Ansible Information
Streisand Information
Enabled Roles
Additional Details:
Log output from Ansible or other relevant services (link to Gist for longer output):
Target Cloud Provider: Google Compute Engine (Google Cloud Platform)
Operating System of target host: Debian I suppose
Operating System of client: Arch linux/Android
Version of Ansible, using ansible --version: 2.7.9
Output from git rev-parse HEAD in your Streisand directory: 8f06cadd1500c7cdc02889fe1683d1124e00f78b