WireGuard Archive on lore.kernel.org
* Fragmentation
@ 2019-06-18 15:32 Nigel Magnay
  2019-06-22  8:45 ` Fragmentation ѽ҉ᶬḳ℠
  2019-06-23  9:50 ` Fragmentation Vincent Wiemann
  0 siblings, 2 replies; 3+ messages in thread
From: Nigel Magnay @ 2019-06-18 15:32 UTC (permalink / raw)
  To: wireguard

Hi!

I have successfully set up a wireguard connection, to a server hosted
inside Microsoft Azure. Thank you for this software, it's so much easier to
configure than the alternatives.


I have a small problem though, which I think I understand (but seems
strange), but I'm not sure of the correct solution.

I have routed all internet traffic over this connection; it works, I can
successfully ping sites, and view some. I'm using IP masquerading at both
ends to connect entire networks (I thus use the client as a gateway).

However - some hosts do not respond - or, rather, there's a packet
fragmentation issue.

I can see with tcpdump on the server entries like this:

17:55:04.461804 IP 85.118.26.200.https > vpn1.60630: Flags [.], seq 1:1441,
ack 518, win 30, length 1440
17:55:04.461849 IP vpn1 > 85.118.26.200: ICMP vpn1 unreachable - need to
frag (mtu 1420), length 556

Which I take to mean "we got a response, its length is too big to fit in
the vpn payload, please shorten".

What happens though is nothing - it just keeps receiving over-long
responses, so it doesn't work - which is hardly wireguard's fault.

Now, I guess either the end server is simply ignoring me, or the ICMP stuff
is being blocked somewhere. I'm not knowledgeable enough to know if either
of these are likely, as I'm a bit puzzled as to how anything could work
properly if either of those were true.

So - am I doing something wrong? What's the right knobs for me to be
twiddling here?

I have wireguard 0.0.20190601 at each end.

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Fragmentation
  2019-06-18 15:32 Fragmentation Nigel Magnay
@ 2019-06-22  8:45 ` ѽ҉ᶬḳ℠
  2019-06-23  9:50 ` Fragmentation Vincent Wiemann
  1 sibling, 0 replies; 3+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2019-06-22  8:45 UTC (permalink / raw)
  To: wireguard

Any SQM measures deployed? That's what caused it on my nodes until
disabled.

On 18/06/2019 17:32, Nigel Magnay wrote:
> Hi!
>
> I have successfully set up a wireguard connection, to a server hosted
> inside Microsoft Azure. Thank you for this software, it's so much
> easier to configure than the alternatives.
>
>
> I have a small problem though, which I think I understand (but seems
> strange), but I'm not sure of the correct solution.
>
> I have routed all internet traffic over this connection; it works, I
> can successfully ping sites, and view some. I'm using IP masquerading
> at both ends to connect entire networks (I thus use the client as a
> gateway).
>
> However - some hosts do not respond - or, rather, there's a packet
> fragmentation issue.
>
> I can see with tcpdump on the server entries like this:
>
> 17:55:04.461804 IP 85.118.26.200.https > vpn1.60630: Flags [.], seq
> 1:1441, ack 518, win 30, length 1440
> 17:55:04.461849 IP vpn1 > 85.118.26.200: ICMP
> vpn1 unreachable - need to frag (mtu 1420), length 556
>
> Which I take to mean "we got a response, its length is too big to fit
> in the vpn payload, please shorten".
>
> What happens though is nothing - it just keeps receiving over-long
> responses, so it doesn't work - which is hardly wireguard's fault.
>
> Now, I guess either the end server is simply ignoring me, or the ICMP
> stuff is being blocked somewhere. I'm not knowledgeable enough to know
> if either of these are likely, as I'm a bit puzzled as to how anything
> could work properly if either of those were true.
>
> So - am I doing something wrong? What's the right knobs for me to be
> twiddling here?
>
> I have wireguard 0.0.20190601 at each end.



* Re: Fragmentation
  2019-06-18 15:32 Fragmentation Nigel Magnay
  2019-06-22  8:45 ` Fragmentation ѽ҉ᶬḳ℠
@ 2019-06-23  9:50 ` Vincent Wiemann
  1 sibling, 0 replies; 3+ messages in thread
From: Vincent Wiemann @ 2019-06-23  9:50 UTC (permalink / raw)
  To: Nigel Magnay, wireguard

Hi Nigel,

I can't tell for sure what your problem is,
but I guess you don't use MSS clamping for the masquerading.

Regards,

Vincent Wiemann
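
The symptom discussed in this thread (a sender that keeps transmitting full-size segments after the gateway has answered with ICMP "need to frag") can be confirmed from a capture, and the MSS to clamp to follows from the MTU in that ICMP message. The following is an added example, not part of any message in the thread: the two later capture lines are constructed, and the 40-byte overhead assumes IPv4 with no TCP options.

```python
import re

# First two records are the tcpdump lines quoted in the thread (joined onto one
# line each); the last two are constructed to show the sender ignoring the ICMP.
SAMPLE = """\
17:55:04.461804 IP 85.118.26.200.https > vpn1.60630: Flags [.], seq 1:1441, ack 518, win 30, length 1440
17:55:04.461849 IP vpn1 > 85.118.26.200: ICMP vpn1 unreachable - need to frag (mtu 1420), length 556
17:55:04.761201 IP 85.118.26.200.https > vpn1.60630: Flags [.], seq 1:1441, ack 518, win 30, length 1440
17:55:05.361377 IP 85.118.26.200.https > vpn1.60630: Flags [.], seq 1:1441, ack 518, win 30, length 1440
"""

TCP_RE = re.compile(r"IP (\S+)\.[\w-]+ > \S+: Flags \[[^\]]*\].* length (\d+)$")
ICMP_RE = re.compile(r"IP \S+ > (\S+): ICMP .*need to frag \(mtu (\d+)\)")
IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header (assumed: no options)

def find_blackholes(capture):
    """Return {remote: (mtu, count)} for senders that kept sending oversized
    segments after being told the path MTU via ICMP 'need to frag'."""
    told = {}     # remote -> MTU advertised in the ICMP error sent to it
    ignored = {}  # remote -> oversized segments seen after that error
    for line in capture.splitlines():
        icmp = ICMP_RE.search(line)
        if icmp:
            told[icmp.group(1)] = int(icmp.group(2))
            continue
        tcp = TCP_RE.search(line.strip())
        if tcp and tcp.group(1) in told:
            remote, payload = tcp.group(1), int(tcp.group(2))
            # Lower bound on packet size: TCP options would only make it larger.
            if payload + IPV4_TCP_OVERHEAD > told[remote]:
                ignored[remote] = ignored.get(remote, 0) + 1
    return {r: (told[r], n) for r, n in ignored.items()}

def clamp_mss(mtu):
    """Largest IPv4 TCP MSS whose segments fit in the given MTU."""
    return mtu - IPV4_TCP_OVERHEAD

if __name__ == "__main__":
    for remote, (mtu, n) in find_blackholes(SAMPLE).items():
        print(f"{remote}: {n} oversized segments after ICMP (mtu {mtu}); "
              f"clamp MSS to {clamp_mss(mtu)}")
```

On a Linux gateway the clamp itself is typically applied to forwarded SYN packets with the iptables `TCPMSS` target, using either `--clamp-mss-to-pmtu` or `--set-mss` with the value computed above.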
