* Fragmentation
@ 2019-06-18 15:32 Nigel Magnay
2019-06-22 8:45 ` Fragmentation ѽ҉ᶬḳ℠
2019-06-23 9:50 ` Fragmentation Vincent Wiemann
0 siblings, 2 replies; 3+ messages in thread
From: Nigel Magnay @ 2019-06-18 15:32 UTC (permalink / raw)
To: wireguard
[-- Attachment #1.1: Type: text/plain, Size: 1513 bytes --]
Hi!
I have successfully set up a wireguard connection, to a server hosted
inside Microsoft Azure. Thankyou for this software, it's so much easier to
configure than the alternatives.
I have a small problem though, which I think I understand (but seems
strange), but I'm not sure of the correct solution.
I have routed all internet traffic over this connection; it works, I can
successfully ping sites, and view some. I'm using IP masquerading at both
ends to connect entire networks (I thus use the client as a gateway).
However - some hosts do not respond - or, rather, there's a packet
fragmentation issue.
I can see with tcpdump on the server entries like this:
17:55:04.461804 IP 85.118.26.200.https > vpn1.60630: Flags [.], seq 1:1441,
ack 518, win 30, length 1440
17:55:04.461849 IP vpn1 > 85.118.26.200: ICMP vpn1 unreachable - need to
frag (mtu 1420), length 556
Which I take to mean "we got a response, it's length is too big to fit in
the vpn payload, please shorten".
What happens though is nothing - it just keeps receiving over-long
responses, so it doesn't work - which is hardly wireguard's fault.
Now, I guess either the end server is simply ignoring me, or the ICMP stuff
is being blocked somewhere. I'm not knowledgeable enough to know if either
of these are likely, as I'm a bit puzzle as to how anything could work
properly if either of those were true.
So - am I doing something wrong? What's the right knobs for me to be
twiddling here?
I have wireguard 0.0.20190601 at each end.
[-- Attachment #1.2: Type: text/html, Size: 1713 bytes --]
[-- Attachment #2: Type: text/plain, Size: 148 bytes --]
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Fragmentation
2019-06-18 15:32 Fragmentation Nigel Magnay
@ 2019-06-22 8:45 ` ѽ҉ᶬḳ℠
2019-06-23 9:50 ` Fragmentation Vincent Wiemann
1 sibling, 0 replies; 3+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2019-06-22 8:45 UTC (permalink / raw)
To: wireguard
Any SQM measures deployed? That what it caused it on my nodes until
disabled.
On 18/06/2019 17:32, Nigel Magnay wrote:
> Hi!
>
> I have successfully set up a wireguard connection, to a server hosted
> inside Microsoft Azure. Thankyou for this software, it's so much
> easier to configure than the alternatives.
>
>
> I have a small problem though, which I think I understand (but seems
> strange), but I'm not sure of the correct solution.
>
> I have routed all internet traffic over this connection; it works, I
> can successfully ping sites, and view some. I'm using IP masquerading
> at both ends to connect entire networks (I thus use the client as a
> gateway).
>
> However - some hosts do not respond - or, rather, there's a packet
> fragmentation issue.
>
> I can see with tcpdump on the server entries like this:
>
> 17:55:04.461804 IP 85.118.26.200.https > vpn1.60630: Flags [.], seq
> 1:1441, ack 518, win 30, length 1440
> 17:55:04.461849 IP vpn1 > 85.118.26.200 <http://85.118.26.200>: ICMP
> vpn1 unreachable - need to frag (mtu 1420), length 556
>
> Which I take to mean "we got a response, it's length is too big to fit
> in the vpn payload, please shorten".
>
> What happens though is nothing - it just keeps receiving over-long
> responses, so it doesn't work - which is hardly wireguard's fault.
>
> Now, I guess either the end server is simply ignoring me, or the ICMP
> stuff is being blocked somewhere. I'm not knowledgeable enough to know
> if either of these are likely, as I'm a bit puzzle as to how anything
> could work properly if either of those were true.
>
> So - am I doing something wrong? What's the right knobs for me to be
> twiddling here?
>
> I have wireguard 0.0.20190601 at each end.
>
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Fragmentation
2019-06-18 15:32 Fragmentation Nigel Magnay
2019-06-22 8:45 ` Fragmentation ѽ҉ᶬḳ℠
@ 2019-06-23 9:50 ` Vincent Wiemann
1 sibling, 0 replies; 3+ messages in thread
From: Vincent Wiemann @ 2019-06-23 9:50 UTC (permalink / raw)
To: Nigel Magnay, wireguard
Hi Nigel,
I can't tell for sure what your problem is,
but I guess you don't use MSS clamping for the masquerading.
Regards,
Vincent Wiemann
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-07-17 20:38 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-18 15:32 Fragmentation Nigel Magnay
2019-06-22 8:45 ` Fragmentation ѽ҉ᶬḳ℠
2019-06-23 9:50 ` Fragmentation Vincent Wiemann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).