Hi,
Talking about my example with chained VPNs. It is a misconfiguration but
not intentional, and no responsible administrator can solve this because
the client really has no way to tell a VPN provider what MTU he needs.
Technically VPN providers can make such an interface for clients but none of
fou
Hi,
I dug into the subject two years ago and only vaguely remember the details.
As far as I can recall there was a time when WireGuard set the DF flag by
default and there were two issues:
1) for security reasons WireGuard doesn't issue an ICMP fragmentation
required response in the unencrypted channe
On 06.05.2020 19:22, Simon Deziel wrote:
On 2020-05-05 12:03 a.m., Jason at zx2c4.com (Jason A. Donenfeld) wrote:
Ahh, you're running -proposed, gotcha. So I guess I should wait until
this hits the main repo. Any idea when they usually do that?
The next kernel batch should land in -updates on M
The system is Ubuntu 18.04.4, and wireguard is broken in the recent kernel
update "5.3.0-53.47~18.04.1"... not sure why 18.04.1 landed on an
18.04.4 system
# ip link add dev wg0 type wireguard
Error: Unknown device type.
And nothing is shown by "lsmod | grep wireguard" and "dmesg | grep
wireguard
On 26.02.2020 6:59, Samuel Holland wrote:
On 2/25/20 9:44 PM, Vasili Pupkin wrote:
It seems that the Russian translation is very basic and does not utilize the
quantity="two"
and quantity="few" forms; without them some plurals read oddly. Do you need help
fixing it, or is it done on pur
On 26.02.2020 5:56, Samuel Holland wrote:
On 2/25/20 2:13 AM, Eiji Tanioka wrote:
Hi Samuel.
I already translated it into Japanese, but I wasn't concerned about plurals.
Japanese doesn't have plurals, so does "values-ja/strings.xml" need these fixes?
- remove plurals
- add string resource that have sa
The TCP connection MSS is set to 1460 bytes and also the Don't Fragment flag
is set. The server selects this MSS as a frame size on its side and the
packet is dropped, probably. If you are using a Linux router try to use
this command "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j
TCPMSS --clamp-m
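The clamp the reply above recommends, shown at the packet level as an added example written for this page (it is not code from the thread, from wg-quick or from the WireGuard project): it constructs an IPv4/TCP SYN with DF set and MSS 1460, lowers the MSS the way the iptables TCPMSS target does (its --clamp-mss-to-pmtu option takes the limit from the path MTU) and recomputes the TCP checksum. The 60/80-byte figures are WireGuard's encapsulation overhead for IPv4/IPv6 endpoints (outer IP header, UDP header and 32 bytes of WireGuard data header plus tag); the 10.1.0.2 and 10.2.0.2 addresses and the ports are made-up sample input, not captured traffic.

```python
"""MSS clamping for a TCP SYN that has to cross a WireGuard tunnel (added example)."""
import struct

IP_HDR = 20                     # IPv4 header without options
TCP_HDR = 20                    # TCP header without options
WG_OVERHEAD = {4: 60, 6: 80}    # outer IPv4/IPv6 + UDP + WireGuard data header and tag
DF = 0x4000                     # Don't Fragment bit in the IPv4 flags/fragment-offset field


def tunnel_mtu(outer_mtu, outer_family=4):
    """Largest inner packet that fits one encrypted packet on a path with outer_mtu."""
    return outer_mtu - WG_OVERHEAD[outer_family]


def mss_for_mtu(mtu):
    """TCP MSS at which a full segment fits a packet of the given MTU."""
    return mtu - IP_HDR - TCP_HDR


def _csum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_csum(src, dst, tcp):
    """TCP checksum over the pseudo-header and the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def build_syn(src, dst, sport, dport, mss, df=True):
    """Construct an IPv4/TCP SYN carrying an MSS option (sample input for the example)."""
    opts = struct.pack("!BBH", 2, 4, mss)                      # kind 2, length 4, MSS value
    doff = (TCP_HDR + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", _tcp_csum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0x1234,
                     DF if df else 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return ip + tcp


def parse_syn(pkt):
    """Return (df, mss, offset_of_mss_value); mss is None when the option is absent."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & DF)
    doff = (pkt[ihl + 12] >> 4) * 4
    i, end = ihl + TCP_HDR, ihl + doff
    while i < end:                                             # walk the TCP option list
        kind = pkt[i]
        if kind == 0:                                          # end of options
            break
        if kind == 1:                                          # NOP is a single byte
            i += 1
            continue
        length = pkt[i + 1]
        if kind == 2 and length == 4:
            return df, struct.unpack("!H", pkt[i + 2:i + 4])[0], i + 2
        i += length
    return df, None, None


def clamp_mss(pkt, pmtu):
    """What TCPMSS does on a router: lower a SYN's MSS so a full segment fits pmtu."""
    ihl = (pkt[0] & 0x0F) * 4
    if not (pkt[ihl + 13] & 0x02):                             # only SYN segments carry MSS
        return pkt
    _, mss, off = parse_syn(pkt)
    limit = mss_for_mtu(pmtu)
    if mss is None or mss <= limit:
        return pkt
    out = bytearray(pkt)
    struct.pack_into("!H", out, off, limit)
    src, dst = bytes(out[12:16]), bytes(out[16:20])
    struct.pack_into("!H", out, ihl + 16, _tcp_csum(src, dst, bytes(out[ihl:])))
    return bytes(out)


def tcp_checksum_ok(pkt):
    """A correct TCP checksum sums (with the pseudo-header) to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, tcp = pkt[12:16], pkt[16:20], pkt[ihl:]
    return _csum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0


def would_blackhole(mss, df, inner_mtu):
    """A full-size DF segment larger than the tunnel MTU cannot be fragmented and is lost."""
    return df and IP_HDR + TCP_HDR + mss > inner_mtu


if __name__ == "__main__":
    syn = build_syn(b"\x0a\x01\x00\x02", b"\x0a\x02\x00\x02", 40000, 443, 1460)
    inner = tunnel_mtu(1500)          # 1440 bytes for an IPv4 endpoint on a 1500-byte path
    print("before:", parse_syn(syn)[:2], "dropped:", would_blackhole(1460, True, inner))
    clamped = clamp_mss(syn, inner)
    print("after: ", parse_syn(clamped)[:2], "dropped:",
          would_blackhole(parse_syn(clamped)[1], True, inner))
```

The clamp touches only SYN segments; later data segments keep DF, so without it (and without an ICMP fragmentation-needed message reaching the sender) every full 1500-byte segment is silently lost, which is what would_blackhole() models. wg-quick defaults the interface MTU to 1420 (1500 minus 80), so tunnel_mtu(1500) above is slightly more generous than that default and the MSS clamp should be computed from whichever MTU the tunnel actually has.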
On 11.12.2019 1:09, Jason A. Donenfeld wrote:
On Tue, Dec 10, 2019 at 11:03 PM Vasili Pupkin wrote:
As far as I know both of them are maintained in the same repository and
both use the same userspace library to interact with the kernel and down
there all the rules are translated into BPF code
On 10.12.2019 20:12, Roman Mamedov wrote:
On Tue, 10 Dec 2019 17:54:49 +0100
"Jason A. Donenfeld" wrote:
iptables rules and nftables rules can co-exist just fine, without any
translation needed. Indeed if your iptables is symlinked to
iptables-nft, then you'll insert nftables rules when you tr
On 10.12.2019 18:48, Jason A. Donenfeld wrote:
restore '%s-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP
nftcmd '%sadd rule %s %s preraw iifname != %s %s daddr %s fib saddr type !=
local drop
I am trying to understand the rulesets. When you check the type of the
source a
On 06.12.2019 18:18, Jason A. Donenfeld wrote:
But for the sake of wg-quick
the filter can be enabled for the wireguard interface only to be sure it
wouldn't break anything else
How do you propose this works? That'd require adding -d, right? In
that case we're back to more or less the original r
On 06.12.2019 19:12, Jordan Glover wrote:
But nft rule won't be visible from iptables tools like iptables-save,
right? This may be confusing for people who still use iptables for
setting up firewall on their systems.
Right. And for those using NFT, they will see a strange rule in their
defaul
On 06.12.2019 18:08, Jason A. Donenfeld wrote:
On Fri, Dec 6, 2019 at 4:06 PM Jordan Glover
wrote:
On Thursday, December 5, 2019 8:24 PM, Jason A. Donenfeld
wrote:
If we can make nft coexistence work reliably, perhaps we can run the
nft rule on systems where the nft binary simply exists.
On 05.12.2019 23:24, Jason A. Donenfeld wrote:
Hey Vasili,
On Thu, Dec 5, 2019 at 8:50 PM Vasili Pupkin wrote:
Isn't it enough to just enforce the Strong Host Model, i.e. a host won't
respond from its IP that is not facing the interface. If a host is
connected to two subnets 10
Isn't it enough to just enforce the Strong Host Model, i.e. a host won't
respond from its IP that is not facing the interface. If a host is
connected to two subnets 10.1.x.x and 10.2.x.x and has two IPs 10.1.0.1
and 10.2.0.1, it will just drop all the packets sent to 10.1.0.1 that
came from the in
In my setup I have a client running Win7; the tun interface allows making a
connection from client to server but it only routes packets back
for some time and then breaks.
The client system is NOT behind NAT and PersistentKeepalive=25 does
not help, the issue is local and external network route enc
On Mon, Aug 26, 2019 at 5:09 AM Jason A. Donenfeld wrote:
> > Usage of fwmark is my current workaround. If the same user id of
> > outer packets is not a bug then ignore it.
>
> I can see arguments both ways. Do you recall off hand the last kernel
> version that had the prior behavior? I'd like
Usage of fwmark is my current workaround. If the same user id of
outer packets is not a bug then ignore it.
On Sun, Aug 25, 2019 at 10:07 PM Jason A. Donenfeld wrote:
>
> On Sun, Aug 25, 2019 at 1:03 PM Vasili Pupkin wrote:
> > Yes. On kernel version 4, outer packets (i.e. encry
Yes. On kernel version 4, outer packets (i.e. encrypted packets) are
sent from privileged user
account credentials so they pass the iptables sandbox. On kernel 5
they inherit the owner id of the user who sent the unencrypted packets.
On Sun, Aug 25, 2019 at 9:52 PM Jason A. Donenfeld wrote:
>
> Could
In the newest kernel version, Wireguard encrypted packets are sent
from the same user credentials as the user that created the original
packets. I have a firewall setup that limits programs run from a
particular user to the wireguard tun interface; it worked in kernel 4.18
and is broken in kernel 5.0. In t