Development discussion of WireGuard
* WireGuard over WireGuard
@ 2020-05-06 16:57 Mo Balaa
  2020-05-06 17:54 ` Derrick Lyndon Pallas
  0 siblings, 1 reply; 12+ messages in thread
From: Mo Balaa @ 2020-05-06 16:57 UTC (permalink / raw)
  To: WireGuard mailing list

We are running WireGuard over WireGuard. It appears to work well;
however I am noticing some applications struggle to work reliably.
Lots of failed page loads / timeouts. Any pointers on how I could go
about debugging these issues?

Any general pointers on running WireGuard over WireGuard? One note
about my deployment is that it uses socat to transparently proxy the
inner tunnel between devices.

The setup looks something like this:
tunnel 1 (iOS) -> socat -> tunnel 0 -> Linux (tunnel 0) -> (tunnel 1)

Thanks for the feedback.


* Re: WireGuard over WireGuard
  2020-05-06 16:57 WireGuard over WireGuard Mo Balaa
@ 2020-05-06 17:54 ` Derrick Lyndon Pallas
  2020-05-06 21:37   ` Mo Balaa
  0 siblings, 1 reply; 12+ messages in thread
From: Derrick Lyndon Pallas @ 2020-05-06 17:54 UTC (permalink / raw)
  To: wireguard

Have you checked your MTUs? ~Derrick


On 5/6/20 9:57 AM, Mo Balaa wrote:
> We are running WireGuard over WireGuard. It appears to work well;
> however I am noticing some applications struggle to work reliably.
> Lots of failed page loads / timeouts. Any pointers on how I could go
> about debugging these issues?
>
> Any general pointers on running WireGuard over WireGuard? One note
> about my deployment is that it uses socat to transparently proxy the
> inner tunnel between devices.
>
> The setup looks something like this:
> tunnel 1 (iOS) -> socat -> tunnel 0 -> Linux (tunnel 0) -> (tunnel 1)
>
> Thanks for the feedback.


* Re: WireGuard over WireGuard
  2020-05-06 17:54 ` Derrick Lyndon Pallas
@ 2020-05-06 21:37   ` Mo Balaa
  2020-05-06 22:00     ` Jason A. Donenfeld
  0 siblings, 1 reply; 12+ messages in thread
From: Mo Balaa @ 2020-05-06 21:37 UTC (permalink / raw)
  To: Derrick Lyndon Pallas; +Cc: WireGuard mailing list

Was hoping setting them both to automatic would just work; but after
some fiddling that appears to be the issue.

What is the optimal MTU for the inner WireGuard tunnel if the outer
one is set 1420?

Thanks

On Wed, May 6, 2020 at 12:59 PM Derrick Lyndon Pallas <derrick@pallas.us> wrote:
>
> Have you checked your MTUs? ~Derrick
>
>
> On 5/6/20 9:57 AM, Mo Balaa wrote:
> > We are running WireGuard over WireGuard. It appears to work well;
> > however I am noticing some applications struggle to work reliably.
> > Lots of failed page loads / timeouts. Any pointers on how I could go
> > about debugging these issues?
> >
> > Any general pointers on running WireGuard over WireGuard? One note
> > about my deployment is that it uses socat to transparently proxy the
> > inner tunnel between devices.
> >
> > The setup looks something like this:
> > tunnel 1 (iOS) -> socat -> tunnel 0 -> Linux (tunnel 0) -> (tunnel 1)
> >
> > Thanks for the feedback.


* Re: WireGuard over WireGuard
  2020-05-06 21:37   ` Mo Balaa
@ 2020-05-06 22:00     ` Jason A. Donenfeld
  2020-05-06 22:24       ` Justin Kilpatrick
  0 siblings, 1 reply; 12+ messages in thread
From: Jason A. Donenfeld @ 2020-05-06 22:00 UTC (permalink / raw)
  To: buddybalaa; +Cc: Derrick Lyndon Pallas, WireGuard mailing list

On Wed, May 6, 2020 at 3:37 PM Mo Balaa <buddybalaa@gmail.com> wrote:
>
> Was hoping setting them both to automatic would just work; but after
> some fiddling that appears to be the issue.
>
> What is the optimal MTU for the inner WireGuard tunnel if the outer
> one is set 1420?

1340 or 1360


* Re: WireGuard over WireGuard
  2020-05-06 22:00     ` Jason A. Donenfeld
@ 2020-05-06 22:24       ` Justin Kilpatrick
  2020-05-06 22:25         ` Jason A. Donenfeld
  0 siblings, 1 reply; 12+ messages in thread
From: Justin Kilpatrick @ 2020-05-06 22:24 UTC (permalink / raw)
  To: wireguard

> 1340 or 1360

Why two options? I've been using 1340 for a long time. 

-- 
  Justin Kilpatrick
  justin@althea.net

On Wed, May 6, 2020, at 6:00 PM, Jason A. Donenfeld wrote:
> On Wed, May 6, 2020 at 3:37 PM Mo Balaa <buddybalaa@gmail.com> wrote:
> >
> > Was hoping setting them both to automatic would just work; but after
> > some fiddling that appears to be the issue.
> >
> > What is the optimal MTU for the inner WireGuard tunnel if the outer
> > one is set 1420?
> 
> 1340 or 1360
>


* Re: WireGuard over WireGuard
  2020-05-06 22:24       ` Justin Kilpatrick
@ 2020-05-06 22:25         ` Jason A. Donenfeld
  2020-05-06 23:28           ` John Lauro
  0 siblings, 1 reply; 12+ messages in thread
From: Jason A. Donenfeld @ 2020-05-06 22:25 UTC (permalink / raw)
  To: Justin Kilpatrick; +Cc: WireGuard mailing list

On Wed, May 6, 2020 at 4:24 PM Justin Kilpatrick <justin@althea.net> wrote:
>
> > 1340 or 1360
>
> Why two options? I've been using 1340 for a long time.

WireGuard over IPv4 has a 60 byte overhead. WireGuard over IPv6 has an
80 byte overhead.


* Re: WireGuard over WireGuard
  2020-05-06 22:25         ` Jason A. Donenfeld
@ 2020-05-06 23:28           ` John Lauro
  2020-05-06 23:54             ` Jason A. Donenfeld
  0 siblings, 1 reply; 12+ messages in thread
From: John Lauro @ 2020-05-06 23:28 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: Justin Kilpatrick, WireGuard mailing list

Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
and I have IPv6 completely disabled.

Can/should the MTU of wireguard be bumped to 1440?

On Wed, May 6, 2020 at 6:26 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Wed, May 6, 2020 at 4:24 PM Justin Kilpatrick <justin@althea.net> wrote:
> >
> > > 1340 or 1360
> >
> > Why two options? I've been using 1340 for a long time.
>
> WireGuard over IPv4 has a 60 byte overhead. WireGuard over IPv6 has an
> 80 byte overhead.


* Re: WireGuard over WireGuard
  2020-05-06 23:28           ` John Lauro
@ 2020-05-06 23:54             ` Jason A. Donenfeld
  2020-05-07  0:57               ` Derrick Lyndon Pallas
  0 siblings, 1 reply; 12+ messages in thread
From: Jason A. Donenfeld @ 2020-05-06 23:54 UTC (permalink / raw)
  To: John Lauro; +Cc: Justin Kilpatrick, WireGuard mailing list

On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
>
> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> and I have IPv6 completely disabled.
>
> Can/should the MTU of wireguard be bumped to 1440?

You could if you wanted. But if you don't do it perfectly on all sides
with total uniformity and clearheadedness about your network design,
you'll run into subtle problems.


* Re: WireGuard over WireGuard
  2020-05-06 23:54             ` Jason A. Donenfeld
@ 2020-05-07  0:57               ` Derrick Lyndon Pallas
  2020-05-12  6:56                 ` Dimitar Vassilev
  0 siblings, 1 reply; 12+ messages in thread
From: Derrick Lyndon Pallas @ 2020-05-07  0:57 UTC (permalink / raw)
  To: wireguard

Note for the list: IPv6 has a minimum of 1280, which means 1360 in the 
outer layer. ~Derrick


On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
>> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
>> and I have IPv6 completely disabled.
>>
>> Can/should the MTU of wireguard be bumped to 1440?
> You could if you wanted. But if you don't do it perfectly on all sides
> with total uniformity and clearheadedness about your network design,
> you'll run into subtle problems.

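The MTU arithmetic from the messages above, as an added example that is not part of the original thread: it stacks the 60-byte (IPv4) and 80-byte (IPv6) per-layer overhead and checks each layer against the 1280-byte IPv6 minimum. The function names are hypothetical, and the split of the overhead into IP, UDP and WireGuard data-message fields is taken from WireGuard's packet format rather than from the thread.

```python
# Added example: MTU planning for stacked WireGuard tunnels.
# Function and constant names are illustrative, not from the thread.

WG_DATA_HEADER = 16  # type + reserved (4), receiver index (4), counter (8)
WG_AUTH_TAG = 16     # Poly1305 authentication tag
UDP_HEADER = 8
IP_HEADER = {"ipv4": 20, "ipv6": 40}
IPV6_MIN_MTU = 1280  # the IPv6 minimum cited in the thread


def wg_overhead(transport):
    """Bytes one WireGuard layer adds when its UDP runs over `transport`."""
    return IP_HEADER[transport] + UDP_HEADER + WG_DATA_HEADER + WG_AUTH_TAG


def plan_stack(link_mtu, transports):
    """Return the MTU for each tunnel, outermost first.

    transports[i] is the IP version tunnel i's UDP packets use on the
    layer beneath it (the physical link when i == 0).
    """
    mtus, below = [], link_mtu
    for transport in transports:
        if transport == "ipv6" and below < IPV6_MIN_MTU:
            raise ValueError(f"layer below has MTU {below}, too small for IPv6")
        below -= wg_overhead(transport)
        mtus.append(below)
    return mtus


def min_lower_mtu_for_ipv6(transport):
    """Smallest MTU the layer below needs so this tunnel can carry IPv6."""
    return IPV6_MIN_MTU + wg_overhead(transport)


def can_carry_ipv6(mtu):
    return mtu >= IPV6_MIN_MTU


if __name__ == "__main__":
    for fams in (["ipv6"], ["ipv4"], ["ipv6", "ipv6"], ["ipv6", "ipv4"],
                 ["ipv6", "ipv6", "ipv6"]):
        mtus = plan_stack(1500, fams)
        print(fams, mtus, "innermost carries IPv6:", can_carry_ipv6(mtus[-1]))
```
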

* Re: WireGuard over WireGuard
  2020-05-07  0:57               ` Derrick Lyndon Pallas
@ 2020-05-12  6:56                 ` Dimitar Vassilev
  2020-05-12 11:14                   ` Justin Kilpatrick
  0 siblings, 1 reply; 12+ messages in thread
From: Dimitar Vassilev @ 2020-05-12  6:56 UTC (permalink / raw)
  To: Derrick Lyndon Pallas; +Cc: WireGuard mailing list

Hi all,

for my enlightenment can you please advise in which situation such
setups are useful?

Thanks!


On Thu, May 7, 2020 at 4:01, Derrick Lyndon Pallas <derrick@pallas.us> wrote:
>
> Note for the list: IPv6 has a minimum of 1280, which means 1360 in the
> outer layer. ~Derrick
>
>
> On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> > On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
> >> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> >> and I have IPv6 completely disabled.
> >>
> >> Can/should the MTU of wireguard be bumped to 1440?
> > You could if you wanted. But if you don't do it perfectly on all sides
> > with total uniformity and clearheadedness about your network design,
> > you'll run into subtle problems.


* Re: WireGuard over WireGuard
  2020-05-12  6:56                 ` Dimitar Vassilev
@ 2020-05-12 11:14                   ` Justin Kilpatrick
  2020-05-31 19:34                     ` Mo Balaa
  0 siblings, 1 reply; 12+ messages in thread
From: Justin Kilpatrick @ 2020-05-12 11:14 UTC (permalink / raw)
  To: wireguard

Althea uses WireGuard over WireGuard for mesh routing. Each device maintains a link to peers using WireGuard and then also maintains its connection to the exit over a multihop WireGuard connection.

Building working WireGuard tunnels over fe80 IPv6 link-local addresses was a real pain. Packets sometimes arrive only to the interface-scoped address and other times arrive without an interface scope, requiring two tunnels to successfully listen on one port.

-- 
  Justin Kilpatrick
  justin@althea.net

On Tue, May 12, 2020, at 2:56 AM, Dimitar Vassilev wrote:
> Hi all,
> 
> for my enlightenment can you please advise in which situation such
> setups are useful?
> 
> Thanks!
> 
> 
> On Thu, May 7, 2020 at 4:01, Derrick Lyndon Pallas <derrick@pallas.us> wrote:
> >
> > Note for the list: IPv6 has a minimum of 1280, which means 1360 in the
> > outer layer. ~Derrick
> >
> >
> > On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> > > On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
> > >> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> > >> and I have IPv6 completely disabled.
> > >>
> > >> Can/should the MTU of wireguard be bumped to 1440?
> > > You could if you wanted. But if you don't do it perfectly on all sides
> > > with total uniformity and clearheadedness about your network design,
> > > you'll run into subtle problems.
>


* Re: WireGuard over WireGuard
  2020-05-12 11:14                   ` Justin Kilpatrick
@ 2020-05-31 19:34                     ` Mo Balaa
  0 siblings, 0 replies; 12+ messages in thread
From: Mo Balaa @ 2020-05-31 19:34 UTC (permalink / raw)
  To: Justin Kilpatrick; +Cc: WireGuard mailing list

Hi All,

Reporting back on my progress after modifying MTUs. Still seeing
significant intermittent stuck/hung connections on iOS in a
Wireguard over Wireguard tunnel (most apparent when using Twitter app for iOS).

Looking at getting Wireshark setup to do some debugging this afternoon
and would also appreciate any tips on how to go about figuring this
out.


Kind regards,

Mo

On Tue, May 12, 2020 at 6:17 AM Justin Kilpatrick <justin@althea.net> wrote:
>
> Althea uses WireGuard over WireGuard for mesh routing. Each device maintains a link to peers using WireGuard and then also maintains its connection to the exit over a multihop WireGuard connection.
>
> Building working WireGuard tunnels over fe80 IPv6 link-local addresses was a real pain. Packets sometimes arrive only to the interface-scoped address and other times arrive without an interface scope, requiring two tunnels to successfully listen on one port.
>
> --
>   Justin Kilpatrick
>   justin@althea.net
>
> On Tue, May 12, 2020, at 2:56 AM, Dimitar Vassilev wrote:
> > Hi all,
> >
> > for my enlightenment can you please advise in which situation such
> > setups are useful?
> >
> > Thanks!
> >
> >
> > On Thu, May 7, 2020 at 4:01, Derrick Lyndon Pallas <derrick@pallas.us> wrote:
> > >
> > > Note for the list: IPv6 has a minimum of 1280, which means 1360 in the
> > > outer layer. ~Derrick
> > >
> > >
> > > On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> > > > On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
> > > >> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> > > >> and I have IPv6 completely disabled.
> > > >>
> > > >> Can/should the MTU of wireguard be bumped to 1440?
> > > > You could if you wanted. But if you don't do it perfectly on all sides
> > > > with total uniformity and clearheadedness about your network design,
> > > > you'll run into subtle problems.
> >
