Re: Wireguard IP packets fragmentation issue

2022-05-13 Thread William Ahern
On Fri, May 13, 2022 at 11:10:41PM +0200, n18fu...@tutanota.com wrote:
> Hi,
> 
> I've set up an OpenBSD server on the Cloud, set up a Wireguard tunnel, and
> configured default route through that server. I've noticed that I can't
> access some websites: my browser was not able to complete TLS handshakes
> with some servers. I've traced the issue to the fact that the MTU on my
> server's network interface is 1500 while the default MTU on a wg0
> interface is 1420. So when a large enough packet has a DF flag set it
> would not make it through the smaller wg0 interface. I've fixed the
> problem by adding a "scrub" option to server's pf.conf like this:
> 
>   match out on egress from (wg0:network) nat-to (egress:0) scrub (no-df random-id)
> 
> But I'm surprised that I did not see anyone mentioning this problem. I
> also did not see that "scrub" option included in any examples of Wireguard
> setup that I was able to find.
> 
> I'm not a networking expert, so I wonder if using a "scrub" option like
> that is a good idea.

Seems like ICMP responses are being dropped. In such cases the proper
solution is to fix whatever is filtering out ICMP responses.

However, according to
https://github.com/QubesOS/qubes-issues/issues/5264#issuecomment-683177300
Wireguard deliberately drops ICMP responses to its UDP transport packets. If
this is the case in your situation, the better solution might be to drop the
MTU on the Wireguard interfaces so oversized packets are rejected before
they're encapsulated. A common fail-safe MTU for VPN interfaces is 1300 or
1280.

Another alternative might be to switch to IPSec+IKEv2. If there's no NAT
between your tunnel endpoints, it won't need to use UDP encapsulation, so
packet overhead would be smaller. But even with NAT traversal, OpenBSD's
iked might handle things better (e.g. permitting fragmentation of its UDP
packet, or mirroring ICMP responses), though I don't know specifically if
this would be the case.
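
Added example, not part of the thread and not OpenBSD or WireGuard code: a small Python model of the MTU situation discussed above (1500-byte egress link, 1420-byte wg0, DF set), showing where 1420 comes from and what happens to an oversized packet with and without "scrub (no-df)". The function names are hypothetical, and whether the ICMP reply reaches the sender is reduced to a boolean assumption.

```python
# Added example: why a 1500-byte DF packet stalls at a 1420-byte wg interface.
# Header sizes are protocol constants; function names are made up for this sketch.
WG_DATA_HEADER = 16   # WireGuard transport message: type, receiver index, counter
WG_AUTH_TAG = 16      # Poly1305 tag appended to the encrypted payload
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}   # outer header, no options / extension headers


def tunnel_mtu(link_mtu, outer_ip_version):
    """Largest inner packet that fits in one unfragmented outer packet."""
    overhead = IP_HEADER[outer_ip_version] + UDP_HEADER + WG_DATA_HEADER + WG_AUTH_TAG
    return link_mtu - overhead


def ipv4_fragments(size, mtu, header=20):
    """Total sizes of the IPv4 fragments needed to send `size` bytes over `mtu`."""
    if size <= mtu:
        return [size]
    per_fragment = (mtu - header) // 8 * 8   # non-final payloads are multiples of 8
    payload, sizes = size - header, []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(chunk + header)
        payload -= chunk
    return sizes


def forward(size, df, out_mtu, scrub_no_df=False, icmp_reaches_sender=True):
    """Fate of an IPv4 packet routed out an interface with MTU `out_mtu`."""
    if scrub_no_df:          # pf "scrub (no-df)" clears the DF bit first
        df = False
    if size <= out_mtu:
        return "forwarded"
    if not df:
        return "fragmented"
    # DF set and too big: the router drops it and answers with ICMP "fragmentation needed"
    return "icmp-frag-needed" if icmp_reaches_sender else "black-holed"


if __name__ == "__main__":
    wg_mtu = tunnel_mtu(1500, 6)             # the wg0 default mentioned in the thread
    print(wg_mtu, tunnel_mtu(1500, 4))
    print(forward(1500, True, wg_mtu, icmp_reaches_sender=False))
    print(forward(1500, True, wg_mtu, scrub_no_df=True), ipv4_fragments(1500, wg_mtu))
    print(forward(1280, True, wg_mtu))
```

The default of 1420 leaves room for an IPv6 outer header; the 1280 fail-safe mentioned above also covers paths whose real MTU is below 1500.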



Re: Updating nextcloud to new major version

2022-05-13 Thread Clemens Gößnitzer
On Fri, 2022-05-13 at 20:58 +0200, Florian Obser wrote:
> On 2022-05-13 19:35 +02, Clemens Gößnitzer wrote:
> > When I try to update nextcloud to the next major version, it would
> > not
> > let me easily:
> > 
> > # pkg_add -vi nextcloud
> > Update candidates: quirks-5.5 -> quirks-5.5
> > quirks-5.5 signed on 2022-05-12T23:37:02Z
> > Ambiguous: choose package for nextcloud
> > a   0: 
> >     1: nextcloud-21.0.8p0
> >     2: nextcloud-22.2.6
> >     3: nextcloud-23.0.3
> > Your choice: 3
> > Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
> > --- nextcloud-23.0.3 ---
> > Can't install nextcloud-23.0.3: conflicts
> > Couldn't install nextcloud-23.0.3
> > 
> > 
> > Is there a way to do this upgrade without pkg_delete nextcloud &&
> > pkg_install nextcloud?
> 
> pkg_add -r nextcloud

That worked.  Thanks!

> 
> worked for me.
> 
> > 
> > Thanks.
> > 
> 




Re: Updating nextcloud to new major version

2022-05-13 Thread Florian Obser
On 2022-05-13 19:35 +02, Clemens Gößnitzer  wrote:
> When I try to update nextcloud to the next major version, it would not
> let me easily:
>
> # pkg_add -vi nextcloud
> Update candidates: quirks-5.5 -> quirks-5.5
> quirks-5.5 signed on 2022-05-12T23:37:02Z
> Ambiguous: choose package for nextcloud
> a   0: 
> 1: nextcloud-21.0.8p0
> 2: nextcloud-22.2.6
> 3: nextcloud-23.0.3
> Your choice: 3
> Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
> --- nextcloud-23.0.3 ---
> Can't install nextcloud-23.0.3: conflicts
> Couldn't install nextcloud-23.0.3
>
>
> Is there a way to do this upgrade without pkg_delete nextcloud &&
> pkg_install nextcloud?

pkg_add -r nextcloud

worked for me.

>
> Thanks.
>

-- 
I'm not entirely sure you are real.



Re: Updating nextcloud to new major version

2022-05-13 Thread Clemens Gößnitzer
On Fri, 2022-05-13 at 11:05 -0700, Courtney wrote:
> Have you tried pkg_add -Uu?

That did not do the trick...  Thanks for the suggestion.

> 
> Courtney
> 
> On 5/13/22 10:35, Clemens Gößnitzer wrote:
> > When I try to update nextcloud to the next major version, it would
> > not
> > let me easily:
> > 
> > # pkg_add -vi nextcloud
> > Update candidates: quirks-5.5 -> quirks-5.5
> > quirks-5.5 signed on 2022-05-12T23:37:02Z
> > Ambiguous: choose package for nextcloud
> > a   0: 
> >  1: nextcloud-21.0.8p0
> >  2: nextcloud-22.2.6
> >  3: nextcloud-23.0.3
> > Your choice: 3
> > Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
> > --- nextcloud-23.0.3 ---
> > Can't install nextcloud-23.0.3: conflicts
> > Couldn't install nextcloud-23.0.3
> > 
> > 
> > Is there a way to do this upgrade without pkg_delete nextcloud &&
> > pkg_install nextcloud?
> > 
> > Thanks.
> > 
> 




Re: Updating nextcloud to new major version

2022-05-13 Thread Courtney

Have you tried pkg_add -Uu?

Courtney

On 5/13/22 10:35, Clemens Gößnitzer wrote:

When I try to update nextcloud to the next major version, it would not
let me easily:

# pkg_add -vi nextcloud
Update candidates: quirks-5.5 -> quirks-5.5
quirks-5.5 signed on 2022-05-12T23:37:02Z
Ambiguous: choose package for nextcloud
a   0: 
 1: nextcloud-21.0.8p0
 2: nextcloud-22.2.6
 3: nextcloud-23.0.3
Your choice: 3
Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
--- nextcloud-23.0.3 ---
Can't install nextcloud-23.0.3: conflicts
Couldn't install nextcloud-23.0.3


Is there a way to do this upgrade without pkg_delete nextcloud &&
pkg_install nextcloud?

Thanks.





Updating nextcloud to new major version

2022-05-13 Thread Clemens Gößnitzer
When I try to update nextcloud to the next major version, it would not
let me easily:

# pkg_add -vi nextcloud
Update candidates: quirks-5.5 -> quirks-5.5
quirks-5.5 signed on 2022-05-12T23:37:02Z
Ambiguous: choose package for nextcloud
a   0: 
1: nextcloud-21.0.8p0
2: nextcloud-22.2.6
3: nextcloud-23.0.3
Your choice: 3
Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
--- nextcloud-23.0.3 ---
Can't install nextcloud-23.0.3: conflicts
Couldn't install nextcloud-23.0.3


Is there a way to do this upgrade without pkg_delete nextcloud &&
pkg_install nextcloud?

Thanks.



Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-13 Thread Stuart Henderson
On 2022-05-13, Marko Cupać  wrote:
> The only problem I currently have with pfsync is the fact that it does
> not synchronise queue membership of states.

IIRC this is meant to work but only if you have identical rulesets,
after expanding interface addresses etc. This will require some care in
constructing pf.conf - interface groups instead of interface names if
nic hw is different - "(self)" or list the addresses of both firewalls
instead of using "self" - avoid "antispoof".




Re: A speed test with Iperf , Relayd and PF

2022-05-13 Thread Stuart Henderson
On 2022-05-13, Fabrizio Francione  wrote:
> Code:
> tcp connection fixup {
>    tcp nodelay
> }
> 
> relay IPERF_TEST{
>    listen on 10.10.10.2 port 6740
>    forward to 192.168.20.9 port 6670
>    protocol fixup
> }
> With IPERF I obtain a speed of 144Mbps .

Why use nodelay? That disables Nagle and is normally only wanted for 
interactive protocols like SSH. High chance that will be slowing
things down.

https://en.m.wikipedia.org/wiki/Nagle%27s_algorithm 

> If instead, I deactivate the relayd function and using a simple PF
> redirecting with
>
> Code:
>
> pass in on em0 proto {tcp} from any to em0 port 6740 rdr-to 192.168.20.9 port 6670
>
> I obtain a speed of 892 Mbps.

rdr-to and relayd TCP proxies are totally different things.


-- 
Please keep replies on the mailing list.