Question about MTU and Wireguard and the current changes

2022-01-10 Thread henning . reich

Hi,
I ran into some connection trouble between two WireGuard hosts (one 
running Fedora 35, one Arch Linux). If I try to transfer large files 
through SSH (scp, or btrfs send/receive over ssh through the WireGuard 
tunnel), it gets stuck after a few bytes and nothing is transferred anymore.


This started happening in the last few days, so probably an update on one or both 
machines. I also saw that there were some changes on the MTU side (if I 
remember correctly, a per-peer MTU is configurable).


Anyway. My first try was just to set the MTU to a lower number (MTU = 
1200), and yes, scp works again.
Okay, so I did the good old ping test: "ping -M do -s $SIZE -c 1 
172.16.0.2" with $SIZE increasing. And that surprised me. It works up to 
a size of 36932 bytes. Checked with WireGuard and "MTU = 36932", and 
yes, scp is still working.


Can somebody explain why the old default setting of "65456" doesn't 
work anymore, but the MTU can be set to much higher values than the typical ones?


Thanks
Henning



Re: WG default routing

2021-01-04 Thread Henning Reich
Hi,
you can control how the traffic is routed with the AllowedIPs option. If
you use 0.0.0.0/0, all traffic is routed through the WireGuard tunnel.
If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is
allowed. 10.10.0.0/16,192.168.1.0/24 will allow
10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254, and so on...

I use
[Peer]
PublicKey = xxx
AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
Endpoint = 123.123.123.123:12346
PersistentKeepalive=30

On Mon, 4 Jan 2021 at 13:40, Chris Osicki wrote:
>
> Hi
>
> I am quite new to wireguard, moving after years of OpenVPN, and found it 
> simple and _really good_.
> One thing, however, makes me wonder. Why does WG always try to take over all my 
> routing?
> My first try was with wg-quick, and I noticed all my traffic went through the 
> WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
>
> On my Linux boxes it's not a problem; I don't have to use wg-quick, and with 
> a few lines of bash in a script I have what I need. I have root.
> On my Android devices I don't have root, and I cannot change anything in 
> routing etc.
> Why don't you provide an option to specify which net to route which way?
>
> Regards,
> Chris


Re: IPv6 endpoint AND IPv4 fallback endpoint in roadwarrior scenario?

2019-09-29 Thread Henning Reich
Should a DNS entry with one AAAA record and one A record solve this
problem? So the OS decides the best way to connect?

Ulrich Kalloch wrote on Sun, 29 Sep 2019, 16:29:

> Hello @ all
>
> i am interested in this too.
>
> Regards
>
> Ulli
>
> On 27.05.19 at 20:10, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> > Hi,
> >
> > is it meanwhile possible to define an IPv6 endpoint AND and an IPv4
> > endpoint as fallback
> > in case a road warrior does not get IPv6 connectivity when switching
> > internet sockets?
> >
> > Regards,
> >
> > Renne
> > ___
> > WireGuard mailing list
> > WireGuard@lists.zx2c4.com
> > https://lists.zx2c4.com/mailman/listinfo/wireguard
>
>


Re: Overlapping AllowedIPs Configuration

2019-05-12 Thread Henning Reich
No, I think it's correct behaviour.
If you have overlapping networks, the more specific route is preferred.
10.10.10.0/24 overrules 10.10.0.0/16.
If the subnets are the same, the last one is the more specific (because
it is the most recent one) and should be used.

And in Germany we say (literal translation): You're allowed to shoot
yourself in the knee.
(to be self-defeating) :-)



Aleksa Sarai wrote on Sat, 11 May 2019, 15:09:

> Hi all,
>
> I just found out that WireGuard apparently allows you to configure an
> interface that has peers with overlapping AllowedIPs ranges -- which
> obviously won't work with cryptokey routing -- but additionally is
> strange since I feel this should cause an error when configuring the
> interface.
>
> In my case, I accidentally used /32 when generating the IPv6 addresses
> of my clients and ended up with a config like:
>
>   [Interface]
>   Address = 10.13.37.1/32,fd00:dead:beef:cafe::1/64
>   ListenPort = 51820
>   PrivateKey = [key]
>
>   # Peer A.
>   [Peer]
>   PublicKey = [pub]
>   PreSharedKey = [psk]
>   AllowedIPs = 10.13.40.1/32,fd00:dead:beef:1000::/32
>
>   # Peer B.
>   [Peer]
>   PublicKey = [pub]
>   PreSharedKey = [psk]
>   AllowedIPs = 10.13.41.1/32,fd00:dead:beef:1001::/32
>
> This config is wrong (because both peers have overlapping addresses
> specified for AllowedIPs), but wireguard will happily accept it:
>
>   % wg-quick up wg-foo
>   [#] ip link add wg-yavin type wireguard
>   [#] wg setconf wg-yavin /dev/fd/63
>   [#] ip address add 10.13.37.1/32 dev wg-yavin
>   [#] ip address add fd00:dead:beef:cafe::1/64 dev wg-yavin
>   [#] ip link set mtu 1420 up dev wg-yavin
>   [#] ip route add fd42:dead::/32 dev wg-yavin
>   [#] ip route add 10.13.41.1/32 dev wg-yavin
>   [#] ip route add 10.13.40.1/32 dev wg-yavin
>
> This configuration results in only one of the peers actually being given
> the IPv6 range, but I feel like "wg setconf" should've rejected this
> configuration.
>
>   % wg
>   interface: wg-foo
> public key: [pub]
> private key: (hidden)
> listening port: 51820
>
>   peer: [peer A]
> preshared key: (hidden)
> allowed ips: 10.13.40.1/32
>
>   peer: [peer B]
> preshared key: (hidden)
> allowed ips: 10.13.41.1/32, fd42:dead::/32
>
> --
> Aleksa Sarai
> Senior Software Engineer (Containers)
> SUSE Linux GmbH
> 


Re: Deploy a wireguard on 2 raspberry pi to connect 2 remote lan - Lan2Lan

2019-05-07 Thread Henning Reich
You have to do the same. Use a "transport subnet" for the WG interfaces
and add your local IP as the gateway for the subnet of the other LAN
side.

left: ip route add 192.168.90.0/24 via 192.168.1.3
right: ip route add 192.168.1.0/24 via 192.168.90.20


#left
[Interface]
Address = 172.16.0.1/32
ListenPort = 12345
PrivateKey = priv1

#right
[Peer]
PublicKey = pub2
AllowedIPs = 172.16.0.2/32, 192.168.90.0/24
Endpoint = 80.40.20.10:12345

---

#right
[Interface]
Address = 172.16.0.2/32
ListenPort = 12345
PrivateKey = priv2

#left
[Peer]
PublicKey = pub1
AllowedIPs = 172.16.0.1/32, 192.168.1.0/24
Endpoint = 200.100.50.25:12345

On Mon, 6 May 2019 at 22:43, Paulo Lopes wrote:

> Hi all!!!
>
> First, let me thank for the amazing vpn protocol that Wireguard is
>
> I need your advice. As you can see in the attached picture, I have 2
> Raspberry Pis. One as a VPN server and the other as a VPN client to connect
> 2 remote LANs.
>
> Can you point me to what I need to do if I want to replace OpenVPN with
> WireGuard?
>
> I can connect the 2 RPis with WireGuard, but the other machines on the
> server and client side can't see each other.
>
> With OpenVPN I needed to insert an iroute and add a static route on both
> routers. What do I need to do with WireGuard?
>
> Once again, many thanks for all the help you can give me
>


Re: Wireguard + anycast

2019-01-07 Thread Henning Reich
I think you could add multiple peers with the same (anycast) Endpoint but
different key pairs (see my attempt at an example below).
Your DNS will select the IP of the closest one, and WG will try to connect
with each key until success.
Or did I miss some important point?


cat /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.0.2/24
ListenPort = 12345
PrivateKey = YIYTN0Hil/32QWTo3F1fTVc3SDkgncXLHbGFlCgIQnM=

# anycast-Server 1
[Peer]
PublicKey = K+m7KQWy78JIAL7+8oFUdgrlBQdS8NZ2IPJu1rPTsnQ=
AllowedIPs = 172.16.0.1/24, 192.168.178.0/24
Endpoint = my.anycast.com:12345

# anycast-Server 2
[Peer]
PublicKey = O79QWUAdNFbWFIuWeKp3264BL3RuWKF+WFO21r2tAo=
AllowedIPs = 172.16.0.1/24, 192.168.178.0/24
Endpoint = my.anycast.com:12345


On Thu, 3 Jan 2019 at 23:38, Edward Vielmetti <edward.vielme...@gmail.com> wrote:

> A little thought experiment which I haven't tried yet.
>
> Using anycast, a single IP address can be routed to multiple machines in a
> data center or around the world.
>
> Is it at all possible that anycast and Wireguard would play together
> nicely? In particular, is it plausible that you could give a client an
> anycast address of a server to use as its endpoint, and that when it picked
> the correct / closest one that it would do the right thing?
>
> The naive approach would be to have all of the anycast devices share the
> same private/public key pair, but that has a bad smell. And I don't know
> what would happen if your routing changed in mid-connection.
>
> (anycast is the technology used to give name servers a single global
> address, like Google's 8.8.8.8 DNS)
>
> --
> Edward Vielmetti +1 734 330 2465
> edward.vielme...@gmail.com
>


Re: Starcraft over Wireguard ... :sideeye:

2018-02-12 Thread Henning Reich
Hi,
I don't understand what you really want. You say something about other
computers. Who are these other people/computers and where are they? Inside
your (or your child's) network, or unknown public internet users?
Did you try to set up a game through battle.net or a "local" game? In
addition, your configuration looks like you mixed up your subnets. On
your child's side, you configure your interface as part of a /24 subnet,
but on your side it's just a /32 "range".
It may work anyway, but I think it's still confusing.

So I think a good start would be to clean up your wg config. I like to use
a separate "subnet" for VPN traffic. Then no ProxyARP is needed,
because the VPN server works as a gateway for its own subnet. The disadvantage
is that you can't use broadcast features (without some more work). Those are mostly
used for some autodetection and so on.
Maybe this will help a bit.

On his computer:  (LAN IP 192.168.1.x)

[Interface]
PrivateKey = {blah}=
ListenPort = 12457
Address = 192.168.123.3/24

[Peer]
PublicKey = {blah2}=
Endpoint = {my home}:12457
AllowedIPs = 192.168.123.0/24, 192.168.88.0/24


On my computer:  (LAN IP 192.168.88.x)

[Interface]
PrivateKey = {blah3}=
ListenPort = 12457
Address = 192.168.123.2/24

[Peer]
PublicKey = {blah4}=
AllowedIPs = 192.168.123.0/24, 192.168.1.0/24

With this configuration, you should create (and play) games using the
dedicated VPN IPs (192.168.123.2 or .3) or maybe (not tested) your original
local IPs (192.168.88.xxx or 192.168.1.xxx).


A completely different solution could be using a layer 2 VPN. I like
SoftEtherVPN.
You could install it, bind the VPN to a tap device (within the SoftEther
configuration) and then bind the tap device (with Linux tools like brctl or a
systemd-networkd config) to your physical interface.
If anybody connects to this VPN, it's just like an additional wire to your
network. So everything works, including DHCP in the same subnet and so on.
The strange double bridge is not needed if your SC host and VPN host are
NOT the same device, because if you bridge the VPN directly to the physical
interface (without the help of an additional tap device) the VPN client
can't reach the VPN server itself.

Or maybe without any VPN? Just port forwarding and a (dynamic) DNS entry?
You could get free ones here: https://freedns.afraid.org/

2018-02-12 8:23 GMT+01:00 Eric Light :

> Hi, awesome WG mailinglist!
>
> My 18 year-old has recently moved out of home, and we're starting to yearn
> for one of our traditional Starcraft matches.  I thought I should be able
> to do this easily with Wireguard.
>
> The idea, generally, is that one of us would start up a game, and
> Wireguard - with a side serving of ProxyARP and IP forwarding - would help
> make all the other computers see that game.  (or, at very worst, allow me
> to run a game that could be seen by his computer AND the other computers
> here).
>
> -=-=-=-=-=-=-=-=-=-=-=-=-
>
> On his computer:  (LAN IP 192.168.1.x)
>
> [Interface]
> PrivateKey = {blah}=
> ListenPort = 12457
> Address = 192.168.88.3/24
>
> [Peer]
> PublicKey = {blah2}=
> Endpoint = {my home}:12457
> AllowedIPs = 0.0.0.0/0
>
>
> On my computer:  (LAN IP 192.168.88.x)
>
> [Interface]
> PrivateKey = {blah3}=
> ListenPort = 12457
> Address = 192.168.88.2/32
>
> [Peer]
> PublicKey = {blah4}=
> AllowedIPs = 192.168.88.3/32
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-
>
> But it turns out not to be so easy.  Starcraft sets up games over UDP 5353
> and UDP 6112, and originally I thought it was a problem with forwarding UDP
> packets.  However, I can see packets coming over the tunnel from his
> computer, but the packets are being forwarded to an address I don't know:
>
> root@me:~# tcpdump -i home port 5353 or port 6112
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on home, link-type RAW (Raw IP), capture size 262144 bytes
> 20:02:35.744726 IP 192.168.88.3.6112 > 37.244.23.109.3478: UDP, length 10
> 20:02:35.759142 IP 192.168.88.3.6112 > 37.244.23.109.3478: UDP, length 10
> 20:02:35.759157 IP 192.168.88.3.6112 > 37.244.23.109.3478: UDP, length 10
> 20:02:36.045323 IP 37.244.23.109.3478 > 192.168.88.3.6112: UDP, length 19
> 20:02:36.03 IP 37.244.23.109.3478 > 192.168.88.3.6112: UDP, length 19
> 20:02:36.15 IP 37.244.23.109.3478 > 192.168.88.3.6112: UDP, length 19
> 20:03:05.964077 IP 192.168.88.3.6112 > 37.244.23.109.3478: UDP, length 10
> 20:03:05.964118 IP 192.168.88.3.6112 > 37.244.23.109.3478: UDP, length 10
> 20:03:05.987761 IP 192.168.88.3.6112 > 37.244.23.109.3478: UDP, length 10
>
>
> Any ideas where I can start looking?  I get similar behaviour whether I
> host the game on my computer or on his.
>
> Thanks in advance for any help you guys can offer!
>
> E
>
> 
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
>
>
>
> 

wg-quick systemd service does not work directly after boot

2018-02-07 Thread Henning Reich
Hi,

I'm not sure if this is a problem of wg/wg-quick or of my system, but maybe
somebody can help.

I have a wg0.conf for wg-quick and enabled the systemd service (systemctl
enable wg-quick@wg0).
After a reboot, I have the following status of this service:
--
Feb 07 08:15:13 domain.de systemd[1]: Starting WireGuard via wg-quick(8)
for wg0...
Feb 07 08:15:14 domain.de wg-quick[335]: [#] ip link add wg0 type wireguard
Feb 07 08:15:14 domain.de wg-quick[335]: [#] wg setconf wg0 /dev/fd/63
Feb 07 08:15:14 domain.de wg-quick[335]: Name or service not known: `
remote.de:2'
Feb 07 08:15:14 domain.de wg-quick[335]: Configuration parsing error
Feb 07 08:15:14 domain.de wg-quick[335]: [#] ip link delete dev wg0
Feb 07 08:15:14 domain.de systemd[1]: wg-quick@wg0.service: Main process
exited, code=exited, status=1/FAILURE
Feb 07 08:15:14 domain.de systemd[1]: wg-quick@wg0.service: Failed with
result 'exit-code'.
Feb 07 08:15:14 domain.de systemd[1]: Failed to start WireGuard via
wg-quick(8) for wg0.

It looks to me like WireGuard can't resolve my remote site at this moment.
I tried a static resolv.conf file and also systemd-resolved. Both sites
have dynamic IPs so I can't use direct IPs.
If I run "systemctl restart wg-quick@wg0" it works as expected, so my
workaround is to add a 'sleep 5' to the service file.

Any better solutions or is this a "bug"?

Merci