wireguard.lists.zx2c4.com archive mirror
From: Kalin KOZHUHAROV <me.kalin@gmail.com>
To: Arpit Gupta <g.arpit@gmail.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: issue with certain apps + wireguard
Date: Tue, 8 Jan 2019 09:01:38 +0100
Message-ID: <CAKXLc7cRqa+22pVnJvErGMpBd1-TWXNrjzfQE3q2=uqbnFq2Cw@mail.gmail.com>
In-Reply-To: <CAGCGytL90oVSVe_VNKszSynq_gvNzKGwORk8LEacXMANVaD2zA@mail.gmail.com>

On Tue, Jan 8, 2019 at 3:22 AM Arpit Gupta <g.arpit@gmail.com> wrote:
> A new user here. Recently set up wireguard to run on my pi 3 + pi hole. I am noticing some interesting behavior with certain apps.
>
Apps running where? Name your hosts (fakename if you prefer) for clarity.

> When using Google Duo on my android phone it would not work if wireguard was configured in split tunnel mode. When I enabled all traffic via wireguard it worked fine.
>
"android phone"? How does it connect to where?

> Downloading app updates on my phone when on wireguard would not work regardless if it was split tunnel or all traffic was being routed via wireguard. Interestingly installing an app did not have any issue.
>
Is there a wireguard tunnel starting from "phone" (and ending where?), or no?

> Another issue I noticed is when I try to open let's say a pdf attachment in my browser from gmail it gets stuck in downloading state. I then turn off wireguard and then it works fine.

> I am noob in the matters of VPN, security, network etc so I wanted to see if people had thoughts on how I can debug this further to determine if this is an issue with the wireguard app on my phone vs the peer running on my pi and if there are certain types of apps I should add to my exclude list. Right now I have added google duo and play store to it.
>
For a start, get one or two levels below "Google store", "app" and so
on. Test with simple tools, possibly platform agnostic (ping,
wget/curl).
In IP networks, data travels in packets, apps talk via sockets and
send those packets. Packet flow can be observed via Wireshark
(tcpdump, tshark) and can be recorded in a packet capture (pcap file).
Linux networking is flexible enough to allow non-working
configurations (or working not in the way one thinks);
examining/sharing (running) configurations is a key point (`ip addr;
ip route; wg; cat /etc/resolv.conf; ping -c3 8.8.8.8` commands run as
root might help).

> I have confirmed pi hole is not causing issues as when I disable wireguard applications are working fine and still using pi hole dns.
>
Since you have "working" and "non-working" state (i.e. when you
"enable wireguard"), compare (diff) the two and try to understand what
changes (execute the commands and record their output in a text file
before and after):
<reboot>
bash -c "ip addr; ip route; wg; cat /etc/resolv.conf; ping -c3 8.8.8.8" >test.good 2>&1
<enable wireguard>
bash -c "ip addr; ip route; wg; cat /etc/resolv.conf; ping -c3 8.8.8.8" >test.bad 2>&1

Then compare test.{good,bad} with a diff utility (diff, sdiff,
gvimdiff, etc.). When you have more than one host involved, do that
for each host before/after.

Cheers,
Kalin.
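
Added example, not part of the message above: the before/after capture as a small POSIX shell script that labels each command's output and masks values that change on every run (ping timings, wg handshake age and transfer counters, address lifetimes), so the diff shows only configuration differences. The script name netstate.sh and the function names are assumptions made for this example.

```shell
#!/bin/sh
# netstate.sh (hypothetical name): snapshot network state and diff two snapshots.

# Mask fields that differ between any two runs even when nothing was reconfigured.
normalize() {
    sed -E \
        -e 's/time=[0-9.]+ ?ms/time=X ms/' \
        -e 's/^(rtt|round-trip) .*/rtt X/' \
        -e 's/, time [0-9]+ms/, time Xms/' \
        -e 's/(latest handshake|transfer): .*/\1: X/' \
        -e 's/(valid_lft|preferred_lft) [0-9a-z]+/\1 X/g'
}

# Run the diagnostic commands from the message, each under its own header.
# stderr is kept so "command not found" or "permission denied" shows in the diff.
snapshot() {
    for cmd in "ip addr" "ip route" "wg" "cat /etc/resolv.conf" "ping -c3 8.8.8.8"; do
        printf '### %s\n' "$cmd"
        sh -c "$cmd" 2>&1 | normalize
    done
}

# Unified diff of two snapshots; exit status 1 means they differ.
compare() {
    diff -u "$1" "$2"
}

# Usage (as root, on each host involved):
#   sh netstate.sh snap > test.good     # before enabling WireGuard
#   sh netstate.sh snap > test.bad      # after enabling WireGuard
#   sh netstate.sh diff test.good test.bad
case "${1:-}" in
    snap) snapshot ;;
    diff) compare "$2" "$3" ;;
esac
```

Lines that still differ after masking, such as a changed default route, a new wg0 address or a different nameserver, are the ones to look at first.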