Development discussion of WireGuard
* WireGuard over WireGuard
@ 2020-05-06 16:57 buddybalaa
  2020-05-06 17:54 ` derrick
  0 siblings, 1 reply; 12+ messages in thread
From: buddybalaa @ 2020-05-06 16:57 UTC (permalink / raw)


We are running WireGuard over WireGuard. It appears to work well;
however I am noticing some applications struggle to work reliably.
Lots of failed page loads / timeouts. Any pointers on how I could go
about debugging these issues?

Any general pointers on running WireGuard over WireGuard? One note
about my deployment is that it uses socat to transparently proxy the
inner tunnel between devices.

The setup looks something like this:
tunnel 1 (iOS) -> socat -> tunnel 0 -> Linux (tunnel 0) -> (tunnel 1)

Thanks for the feedback.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* WireGuard over WireGuard
  2020-05-06 16:57 WireGuard over WireGuard buddybalaa
@ 2020-05-06 17:54 ` derrick
  2020-05-06 21:37   ` buddybalaa
  0 siblings, 1 reply; 12+ messages in thread
From: derrick @ 2020-05-06 17:54 UTC (permalink / raw)


Have you checked your MTUs? ~Derrick


On 5/6/20 9:57 AM, Mo Balaa wrote:
> We are running WireGuard over WireGuard. It appears to work well;
> however I am noticing some applications struggle to work reliably.
> Lots of failed page loads / timeouts. Any pointers on how I could go
> about debugging these issues?
>
> Any general pointers on running WireGuard over WireGuard? One note
> about my deployment is that it uses socat to transparently proxy the
> inner tunnel between devices.
>
> The setup looks something like this:
> tunnel 1 (iOS) -> socat -> tunnel 0 -> Linux (tunnel 0) -> (tunnel 1)
>
> Thanks for the feedback.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* WireGuard over WireGuard
  2020-05-06 17:54 ` derrick
@ 2020-05-06 21:37   ` buddybalaa
  2020-05-06 22:00     ` Jason
  0 siblings, 1 reply; 12+ messages in thread
From: buddybalaa @ 2020-05-06 21:37 UTC (permalink / raw)


Was hoping setting them both to automatic would just work; but after
some fiddling that appears to be the issue.

What is the optimal MTU for the inner WireGuard tunnel if the outer
one is set 1420?

Thanks

On Wed, May 6, 2020 at 12:59 PM Derrick Lyndon Pallas <derrick at pallas.us> wrote:
>
> Have you checked your MTUs? ~Derrick
>
>
> On 5/6/20 9:57 AM, Mo Balaa wrote:
> > We are running WireGuard over WireGuard. It appears to work well;
> > however I am noticing some applications struggle to work reliably.
> > Lots of failed page loads / timeouts. Any pointers on how I could go
> > about debugging these issues?
> >
> > Any general pointers on running WireGuard over WireGuard? One note
> > about my deployment is that it uses socat to transparently proxy the
> > inner tunnel between devices.
> >
> > The setup looks something like this:
> > tunnel 1 (iOS) -> socat -> tunnel 0 -> Linux (tunnel 0) -> (tunnel 1)
> >
> > Thanks for the feedback.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* WireGuard over WireGuard
  2020-05-06 21:37   ` buddybalaa
@ 2020-05-06 22:00     ` Jason
  2020-05-06 22:24       ` justin
  0 siblings, 1 reply; 12+ messages in thread
From: Jason @ 2020-05-06 22:00 UTC (permalink / raw)


On Wed, May 6, 2020 at 3:37 PM Mo Balaa <buddybalaa at gmail.com> wrote:
>
> Was hoping setting them both to automatic would just work; but after
> some fiddling that appears to be the issue.
>
> What is the optimal MTU for the inner WireGuard tunnel if the outer
> one is set 1420?

1340 or 1360


^ permalink raw reply	[flat|nested] 12+ messages in thread

* WireGuard over WireGuard
  2020-05-06 22:00     ` Jason
@ 2020-05-06 22:24       ` justin
  2020-05-06 22:25         ` Jason
  0 siblings, 1 reply; 12+ messages in thread
From: justin @ 2020-05-06 22:24 UTC (permalink / raw)


> 1340 or 1360

Why two options? I've been using 1340 for a long time. 

-- 
  Justin Kilpatrick
  justin at althea.net

On Wed, May 6, 2020, at 6:00 PM, Jason A. Donenfeld wrote:
> On Wed, May 6, 2020 at 3:37 PM Mo Balaa <buddybalaa at gmail.com> wrote:
> >
> > Was hoping setting them both to automatic would just work; but after
> > some fiddling that appears to be the issue.
> >
> > What is the optimal MTU for the inner WireGuard tunnel if the outer
> > one is set 1420?
> 
> 1340 or 1360
>


^ permalink raw reply	[flat|nested] 12+ messages in thread

* WireGuard over WireGuard
  2020-05-06 22:24       ` justin
@ 2020-05-06 22:25         ` Jason
  2020-05-06 23:28           ` John Lauro
  0 siblings, 1 reply; 12+ messages in thread
From: Jason @ 2020-05-06 22:25 UTC (permalink / raw)


On Wed, May 6, 2020 at 4:24 PM Justin Kilpatrick <justin at althea.net> wrote:
>
> > 1340 or 1360
>
> Why two options? I've been using 1340 for a long time.

WireGuard over IPv4 has a 60 byte overhead. WireGuard over IPv6 has an
80 byte overhead.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: WireGuard over WireGuard
  2020-05-06 22:25         ` Jason
@ 2020-05-06 23:28           ` John Lauro
  2020-05-06 23:54             ` Jason
  0 siblings, 1 reply; 12+ messages in thread
From: John Lauro @ 2020-05-06 23:28 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: Justin Kilpatrick, WireGuard mailing list

Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
and I have IPv6 completely disabled.

Can/should the MTU of wireguard be bumped to 1440?

On Wed, May 6, 2020 at 6:26 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Wed, May 6, 2020 at 4:24 PM Justin Kilpatrick <justin@althea.net> wrote:
> >
> > > 1340 or 1360
> >
> > Why two options? I've been using 1340 for a long time.
>
> WireGuard over IPv4 has a 60 byte overhead. WireGuard over IPv6 has an
> 80 byte overhead.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* WireGuard over WireGuard
  2020-05-06 23:28           ` John Lauro
@ 2020-05-06 23:54             ` Jason
  2020-05-07  0:57               ` derrick
  0 siblings, 1 reply; 12+ messages in thread
From: Jason @ 2020-05-06 23:54 UTC (permalink / raw)


On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro at gmail.com> wrote:
>
> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> and I have IPv6 completely disabled.
>
> Can/should the MTU of wireguard be bumped to 1440?

You could if you wanted. But if you don't do it perfectly on all sides
with total uniformity and clearheadedness about your network design,
you'll run into subtle problems.


^ permalink raw reply	[flat|nested] 12+ messages in thread

* WireGuard over WireGuard
  2020-05-06 23:54             ` Jason
@ 2020-05-07  0:57               ` derrick
  2020-05-12  6:56                 ` Dimitar Vassilev
  0 siblings, 1 reply; 12+ messages in thread
From: derrick @ 2020-05-07  0:57 UTC (permalink / raw)


Note for the list: IPv6 has a minimum of 1280, which means 1360 in the 
outer layer. ~Derrick


On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro at gmail.com> wrote:
>> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
>> and I have IPv6 completely disabled.
>>
>> Can/should the MTU of wireguard be bumped to 1440?
> You could if you wanted. But if you don't do it perfectly on all sides
> with total uniformity and clearheadedness about your network design,
> you'll run into subtle problems.


^ permalink raw reply	[flat|nested] 12+ messages in thread
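
The arithmetic behind the figures quoted in this thread (60/80 bytes of overhead, 1340 or 1360 for the inner tunnel, 1280 + 80 = 1360), as an added example that is not part of any message above. The header breakdown is WireGuard's data-packet layout; the names tunnel0/tunnel1 and the 1500-byte link are taken from the thread, and the sample configuration is constructed.

```python
# Added example: MTU budget for stacked WireGuard tunnels (not from the thread).
IP_HEADER = {"ipv4": 20, "ipv6": 40}   # outer IP header, no options/extensions
UDP_HEADER = 8
WG_DATA_HEADER = 4 + 4 + 8             # type + receiver index + counter
WG_AUTH_TAG = 16                       # Poly1305 tag on the encrypted packet
IPV6_MIN_MTU = 1280                    # minimum link MTU IPv6 requires


def overhead(family):
    """Bytes WireGuard adds per packet when its UDP runs over `family`."""
    return IP_HEADER[family] + UDP_HEADER + WG_DATA_HEADER + WG_AUTH_TAG


def stack_mtus(link_mtu, transports):
    """Largest usable MTU of each tunnel, outermost first.

    `transports` names the address family each tunnel's endpoint uses.
    """
    mtus, below = [], link_mtu
    for family in transports:
        below -= overhead(family)
        mtus.append(below)
    return mtus


def required_outer_mtu(inner_mtu, family):
    """Smallest MTU the layer below must offer for a tunnel of `inner_mtu`."""
    return inner_mtu + overhead(family)


def audit(link_mtu, tunnels):
    """Check configured MTUs; `tunnels` is (name, family, mtu), outermost first."""
    findings, below = [], link_mtu
    for name, family, mtu in tunnels:
        limit = below - overhead(family)
        if mtu > limit:
            findings.append(f"{name}: mtu {mtu} exceeds {limit} available over {family}")
        if mtu < IPV6_MIN_MTU:
            findings.append(f"{name}: mtu {mtu} is below the IPv6 minimum {IPV6_MIN_MTU}")
        below = mtu
    return findings


if __name__ == "__main__":
    # Constructed sample: both tunnels left at 1420 on a 1500-byte link.
    print(stack_mtus(1500, ["ipv6", "ipv4"]))
    for line in audit(1500, [("tunnel0", "ipv6", 1420), ("tunnel1", "ipv4", 1420)]):
        print(line)
```
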

* Re: WireGuard over WireGuard
  2020-05-07  0:57               ` derrick
@ 2020-05-12  6:56                 ` Dimitar Vassilev
  2020-05-12 11:14                   ` Justin Kilpatrick
  0 siblings, 1 reply; 12+ messages in thread
From: Dimitar Vassilev @ 2020-05-12  6:56 UTC (permalink / raw)
  To: Derrick Lyndon Pallas; +Cc: WireGuard mailing list

Hi all,

for my enlightenment can you please advise in which situation such
setups are useful?

Thanks!


On Thu, 7.05.2020 at 4:01 Derrick Lyndon Pallas <derrick@pallas.us> wrote:
>
> Note for the list: IPv6 has a minimum of 1280, which means 1360 in the
> outer layer. ~Derrick
>
>
> On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> > On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
> >> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> >> and I have IPv6 completely disabled.
> >>
> >> Can/should the MTU of wireguard be bumped to 1440?
> > You could if you wanted. But if you don't do it perfectly on all sides
> > with total uniformity and clearheadedness about your network design,
> > you'll run into subtle problems.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: WireGuard over WireGuard
  2020-05-12  6:56                 ` Dimitar Vassilev
@ 2020-05-12 11:14                   ` Justin Kilpatrick
  2020-05-31 19:34                     ` Mo Balaa
  0 siblings, 1 reply; 12+ messages in thread
From: Justin Kilpatrick @ 2020-05-12 11:14 UTC (permalink / raw)
  To: wireguard

Althea uses WireGuard over WireGuard for mesh routing. Each device maintains a link to peers using WireGuard and then also maintains its connection to the exit over a multihop WireGuard connection.

Building working WireGuard tunnels over fe80 IPv6 link-local addresses was a real pain. Packets sometimes arrive only to the interface-scoped address and other times arrive without an interface scope, requiring two tunnels to successfully listen on one port.

-- 
  Justin Kilpatrick
  justin@althea.net

On Tue, May 12, 2020, at 2:56 AM, Dimitar Vassilev wrote:
> Hi all,
> 
> for my enlightenment can you please advise in which situation such
> setups are useful?
> 
> Thanks!
> 
> 
> On Thu, 7.05.2020 at 4:01 Derrick Lyndon Pallas <derrick@pallas.us> wrote:
> >
> > Note for the list: IPv6 has a minimum of 1280, which means 1360 in the
> > outer layer. ~Derrick
> >
> >
> > On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> > > On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
> > >> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> > >> and I have IPv6 completely disabled.
> > >>
> > >> Can/should the MTU of wireguard be bumped to 1440?
> > > You could if you wanted. But if you don't do it perfectly on all sides
> > > with total uniformity and clearheadedness about your network design,
> > > you'll run into subtle problems.
>

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: WireGuard over WireGuard
  2020-05-12 11:14                   ` Justin Kilpatrick
@ 2020-05-31 19:34                     ` Mo Balaa
  0 siblings, 0 replies; 12+ messages in thread
From: Mo Balaa @ 2020-05-31 19:34 UTC (permalink / raw)
  To: Justin Kilpatrick; +Cc: WireGuard mailing list

Hi All,

Reporting back on my progress after modifying MTUs. Still seeing
significant intermittent stuck/hung connections on iOS in a
Wireguard over Wireguard tunnel (most apparent when using Twitter app for iOS).

Looking at getting Wireshark set up to do some debugging this afternoon
and would also appreciate any tips on how to go about figuring this
out.


Kind regards,

Mo

On Tue, May 12, 2020 at 6:17 AM Justin Kilpatrick <justin@althea.net> wrote:
>
> Althea uses WireGuard over WireGuard for mesh routing. Each device maintains a link to peers using WireGuard and then also maintains its connection to the exit over a multihop WireGuard connection.
>
> Building working WireGuard tunnels over fe80 IPv6 link-local addresses was a real pain. Packets sometimes arrive only to the interface-scoped address and other times arrive without an interface scope, requiring two tunnels to successfully listen on one port.
>
> --
>   Justin Kilpatrick
>   justin@althea.net
>
> On Tue, May 12, 2020, at 2:56 AM, Dimitar Vassilev wrote:
> > Hi all,
> >
> > for my enlightenment can you please advise in which situation such
> > setups are useful?
> >
> > Thanks!
> >
> >
> > On Thu, 7.05.2020 at 4:01 Derrick Lyndon Pallas <derrick@pallas.us> wrote:
> > >
> > > Note for the list: IPv6 has a minimum of 1280, which means 1360 in the
> > > outer layer. ~Derrick
> > >
> > >
> > > On 5/6/20 4:54 PM, Jason A. Donenfeld wrote:
> > > > On Wed, May 6, 2020 at 5:28 PM John Lauro <johnalauro@gmail.com> wrote:
> > > >> Wireguard is defaulting to 1420 MTU, the ethernet adapter is 1500 MTU,
> > > >> and I have IPv6 completely disabled.
> > > >>
> > > >> Can/should the MTU of wireguard be bumped to 1440?
> > > > You could if you wanted. But if you don't do it perfectly on all sides
> > > > with total uniformity and clearheadedness about your network design,
> > > > you'll run into subtle problems.
> >

^ permalink raw reply	[flat|nested] 12+ messages in thread
