From: Barry Scott <barry@barrys-emacs.org>
To: Sean Baildon <sean@baildon.co>
Cc: wireguard@lists.zx2c4.com
Subject: Re: macOS Catalina failing https
Date: Sun, 1 Mar 2020 08:44:45 +0000 [thread overview]
Message-ID: <221C4F9E-5759-4E64-B019-593115357433@barrys-emacs.org> (raw)
In-Reply-To: <CAAF+QM=2cF9nV2Fq-HbUrbFbNwzw51FqAcG6RBvXv-07YWmp5Q@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 4532 bytes --]
> On 27 Feb 2020, at 16:46, Sean Baildon <sean@baildon.co> wrote:
>
> Hey,
>
> Recently purchased and upgraded a new MBP to Catalina.
>
> Requests to https enabled sites over the VPN no longer work, even
> using my old configuration. Requests to insecure sites—ex.
> http://example.com—work just fine.
>
> My iOS devices work as expected. I've tried using the iOS
> configurations on the laptop, but it's the same behaviour; hanging.
>
> I'm using the Mac App Store version of wireguard on a vanilla install
> of macOS Catalina. Are there any known issues? Happy to provide any
> useful debug
I like to use curl to find out the details of what is breaking.
This is the result of my testing using wireguard on macOS 10.15.3.
I connect wireguard via mobile data to my home router 172.16.4.1.
I change the Allowed IPs to include the IP of example.com:
Allowed IPS: 93.184.216.34/32, 172.16.2.0/24, 172.16.4.0/24
And used trace route to see if example.com <http://example.com/> was routed via
wireguard.
$ traceroute example.com
traceroute to example.com (93.184.216.34), 64 hops max, 52 byte packets
1 172.16.4.1 (172.16.4.1) 108.362 ms 69.420 ms 61.568 ms
$ curl --verbose https://example.com
* Rebuilt URL to: https://example.com/
* Trying 93.184.216.34...
* TCP_NODELAY set
* Connected to example.com (93.184.216.34) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /opt/local/share/curl/curl-ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=Los Angeles; O=Internet Corporation for Assigned Names and Numbers; OU=Technology; CN=www.example.org
* start date: Nov 28 00:00:00 2018 GMT
* expire date: Dec 2 12:00:00 2020 GMT
* subjectAltName: host "example.com" matched cert's "example.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Age: 485981
< Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
< Date: Sun, 01 Mar 2020 08:36:35 GMT
< Etag: "3147526947"
< Expires: Sun, 08 Mar 2020 08:36:35 GMT
< Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
< Server: ECS (nyb/1D1E)
< Vary: Accept-Encoding
< X-Cache: HIT
< Content-Length: 1256
<
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style type="text/css">
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}
div {
width: 600px;
margin: 5em auto;
padding: 2em;
background-color: #fdfdff;
border-radius: 0.5em;
box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
}
a:link, a:visited {
color: #38488f;
text-decoration: none;
}
@media (max-width: 700px) {
div {
margin: 0 auto;
width: auto;
}
}
</style>
</head>
<body>
<div>
<h1>Example Domain</h1>
<p>This domain is for use in illustrative examples in documents. You may use this
domain in literature without prior coordination or asking for permission.</p>
<p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
* Connection #0 to host example.com left intact
Barry
[-- Attachment #1.2: Type: text/html, Size: 9499 bytes --]
[-- Attachment #2: Type: text/plain, Size: 148 bytes --]
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2020-03-03 23:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-27 16:46 Sean Baildon
2020-03-01 7:08 ` Eiji Tanioka
2020-03-01 8:44 ` Barry Scott [this message]
2020-03-01 8:55 ` Barry Scott
2020-03-01 12:11 ` Rémi Lapeyre
2020-03-01 22:28 ` Andrew Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=221C4F9E-5759-4E64-B019-593115357433@barrys-emacs.org \
--to=barry@barrys-emacs.org \
--cc=sean@baildon.co \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).