Hello All,

Just started with wireguard and installation went smoothly. I am planning to set up wireguard on a GCP Linux server and connect my Ubuntu laptop to use the GCP server as a VPN server. Primary requirement is to use the GCP server as a VPN server while traveling.

I have got partial success with my setup. I am able to browse a few sites and not able to browse a few more. They are very popular sites. For example, I am able to go to www.yahoo.com, but for gmail.google.com I get an error message that the site took too long to respond.

I have opened UDP port 51840 inbound to my GCP server.

My client side (ubuntu laptop)

[Interface]
PrivateKey = <ubuntu laptop privkey>
Address = 192.168.1.2
DNS = 8.8.8.8

[Peer]
PublicKey = <gcp server pubkey>
Endpoint = <gcp server's public ip>:51840
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

My server (GCP)

[Interface]
Address = 192.168.1.1
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
ListenPort = 51840
PrivateKey = <gcp server priv key>

[Peer]
PublicKey = <ubuntu laptop public key>
AllowedIPs = 192.168.1.2/32

With this configuration, if I start wireguard on both systems using systemctl start wg-quick@wg0, I am able to ping 192.168.1.1 from 192.168.1.2 without any packet drop. However, if I browse through chrome or firefox, for a few sites it gives me an error like site took too long to respond. On the same browser, if I try a few more sites, they work. At the same time, when it does not work from the browser, if I ping the site, I get the DNS resolved and a response for the ping.

I am not able to troubleshoot further. Are there any other logs I can refer to? Any idea what could have gone wrong? Has anyone faced this issue before?
Thanks in advance for the help.

Kunal Shah

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

GCP uses an MTU of 1460 because Google's network does weird things. That means the MTU for WireGuard should be 1380. On the GCP box, try adding `MTU=1380` to your config and add this line to PostUp:
`; iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`

_______________________________________________

Hi Jason,

Thanks for your response. After the changes you suggested, it still gives me the same problem. Now my GCP server wireguard configuration looks like this.

[Interface]
Address = 192.168.1.1
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADEi;iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
ListenPort = 51840
PrivateKey = <private key>
MTU=1380

[Peer]
PublicKey = <public key>
AllowedIPs = 192.168.1.2/32

On Sun, 9 Feb 2020 at 03:06, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> GCP uses an MTU of 1460 because Google's network does weird things.
> That means the MTU for WireGuard should be 1380. On the GCP box, try
> adding `MTU=1380` to your config and add this line to PostUp: `
> ; iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j
> TCPMSS --clamp-mss-to-pmtu`
>

_______________________________________________

I think I found the problem: there is a typo in my iptables command. While editing with vi, I may have added an additional i at the end of MASQUERADE. I removed it and restarted it. Now I am monitoring for issues.

On Sun, 9 Feb 2020 at 10:55, Kunal Shah <kunalv.shah@gmail.com> wrote:

> Hi Jason,
>
> Thanks for your response. After the changes you suggested, It still gives
> me the same problem. Now my GCP server wireguard configuration looks like
> this.
>
> [Interface]
> Address = 192.168.1.1
> SaveConfig = true
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j
> ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADEi;iptables -t
> mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i
> -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
> ListenPort = 51840
> PrivateKey = <private key>
> MTU=1380
>
> [Peer]
> PublicKey = <public key>
> AllowedIPs = 192.168.1.2/32
>
> On Sun, 9 Feb 2020 at 03:06, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
>> GCP uses an MTU of 1460 because Google's network does weird things.
>> That means the MTU for WireGuard should be 1380. On the GCP box, try
>> adding `MTU=1380` to your config and add this line to PostUp: `
>> ; iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j
>> TCPMSS --clamp-mss-to-pmtu`
>>

_______________________________________________
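
Added example, not part of the original thread and not WireGuard project code: a small lint for the PostUp/PostDown hooks of a wg-quick config, run here over the server config as posted in the thread. It flags the mistyped MASQUERADEi target and also every PostUp rule with no matching -D in PostDown, which in the posted config includes the new TCPMSS rule. The function names, the target allow-list and the naive split on ";" are assumptions of this example.

```python
import re

# Common iptables targets; not exhaustive (an assumption of this example).
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE",
                 "SNAT", "DNAT", "TCPMSS", "MARK", "REDIRECT"}

# Constructed sample: the server [Interface] section as posted in the thread.
SAMPLE = """\
[Interface]
Address = 192.168.1.1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADEi;iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
ListenPort = 51840
PrivateKey = <private key>
MTU=1380
"""

def hook_commands(conf, key):
    """Return the individual shell commands of every `key = ...` line."""
    cmds = []
    for line in conf.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            # Naive split: assumes no quoted ';' inside a command.
            cmds += [c.strip() for c in value.split(";") if c.strip()]
    return cmds

def lint(conf):
    """Return a list of findings for the PostUp/PostDown iptables commands."""
    up, down = hook_commands(conf, "PostUp"), hook_commands(conf, "PostDown")
    findings = []
    for cmd in up + down:
        m = re.search(r"\s-j\s+(\S+)", cmd)
        if cmd.startswith("iptables") and m and m.group(1) not in KNOWN_TARGETS:
            findings.append(f"unknown target {m.group(1)!r}: {cmd}")
    # A rule appended in PostUp but never deleted in PostDown outlives the
    # interface and is added again on every restart.
    removed = {re.sub(r"\s-D\s", " -A ", c) for c in down}
    for cmd in up:
        if re.search(r"\s-A\s", cmd) and cmd not in removed:
            findings.append(f"no matching -D in PostDown: {cmd}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

To see what is actually loaded on the server, `iptables -t nat -S POSTROUTING` and `iptables -t mangle -S POSTROUTING` list the rules currently installed.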