Re: macOS Catalina failing https

From: Barry Scott <barry@barrys-emacs.org>
To: Sean Baildon <sean@baildon.co>
Cc: wireguard@lists.zx2c4.com
Subject: Re: macOS Catalina failing https
Date: Sun, 1 Mar 2020 08:44:45 +0000	[thread overview]
Message-ID: <221C4F9E-5759-4E64-B019-593115357433@barrys-emacs.org> (raw)
In-Reply-To: <CAAF+QM=2cF9nV2Fq-HbUrbFbNwzw51FqAcG6RBvXv-07YWmp5Q@mail.gmail.com>

[-- Attachment #1.1: Type: text/plain, Size: 4532 bytes --]

> On 27 Feb 2020, at 16:46, Sean Baildon <sean@baildon.co> wrote:
> 
> Hey,
> 
> Recently purchased and upgraded a new MBP to Catalina.
> 
> Requests to https enabled sites over the VPN no longer work, even
> using my old configuration. Requests to insecure sites—ex.
> http://example.com—work just fine.
> 
> My iOS devices work as expected. I've tried using the iOS
> configurations on the laptop, but it's the same behaviour; hanging.
> 
> I'm using the Mac App Store version of wireguard on a vanilla install
> of macOS Catalina. Are there any known issues? Happy to provide any
> useful debug

I like to use curl to find out the details of what is breaking.

This is the result of my testing using wireguard on macOS 10.15.3.
I connect wireguard via mobile data to my home router 172.16.4.1.
I change the Allowed IPs to include the IP of example.com:

Allowed IPS: 93.184.216.34/32, 172.16.2.0/24, 172.16.4.0/24

And used trace route to see if example.com <http://example.com/> was routed via
wireguard.

$ traceroute example.com
traceroute to example.com (93.184.216.34), 64 hops max, 52 byte packets
 1  172.16.4.1 (172.16.4.1)  108.362 ms  69.420 ms  61.568 ms

$ curl --verbose https://example.com
* Rebuilt URL to: https://example.com/
*   Trying 93.184.216.34...
* TCP_NODELAY set
* Connected to example.com (93.184.216.34) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=Los Angeles; O=Internet Corporation for Assigned Names and Numbers; OU=Technology; CN=www.example.org
*  start date: Nov 28 00:00:00 2018 GMT
*  expire date: Dec  2 12:00:00 2020 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Age: 485981
< Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
< Date: Sun, 01 Mar 2020 08:36:35 GMT
< Etag: "3147526947"
< Expires: Sun, 08 Mar 2020 08:36:35 GMT
< Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
< Server: ECS (nyb/1D1E)
< Vary: Accept-Encoding
< X-Cache: HIT
< Content-Length: 1256
<
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
* Connection #0 to host example.com left intact

Barry

[-- Attachment #1.2: Type: text/html, Size: 9499 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard