Streisand: WireGuard hosted on GCP cannot access Google and many other sites

Created on 4 Apr 2019 · 9 Comments · Source: StreisandEffect/streisand

Expected behavior:

Be able to bypass all websites with WireGuard

Actual Behavior:

Some previously blocked sites are unblocked, but some normal sites like google.com got blocked

Steps to Reproduce:

  1. Follow the Streisand interactive wizard to set up a WireGuard-only GCE server
  2. Follow instructions on the opened html page
  3. Connect to the server using the instructions and WireGuard profiles provided
  4. Open browser and visit google.com
  5. Time out

Ansible Information

  • Ansible version: 2.7.9
  • Ansible system: Linux
  • Host OS: Archlinux
  • Host OS version: NA
  • Python interpreter: python2.7
  • Python version: 2.7.16

Streisand Information

  • Streisand Git revision: 8f06cadd1500c7cdc02889fe1683d1124e00f78b
  • Streisand Git clone has untracked changes: no
  • Genesis role: genesis-google
  • Custom SSH key: True

Enabled Roles

  • Shadowsocks enabled: False
  • Wireguard enabled: True
  • OpenVPN enabled: False
  • stunnel enabled: False
  • Tor enabled: False
  • Openconnect enabled: False
  • TinyProxy enabled: False
  • SSH forward user enabled: False
  • Configured number of VPN clients: 5

Additional Details:

Log output from Ansible or other relevant services (link to Gist for longer output):

Target Cloud Provider: Google Compute Engine (Google Cloud Platform)
Operating System of target host: Debian, I suppose
Operating System of client: Arch Linux/Android
Version of Ansible (ansible --version): 2.7.9
Output from git rev-parse HEAD in your Streisand directory: 8f06cadd1500c7cdc02889fe1683d1124e00f78b

Most helpful comment

Since ifconfig was deprecated, I found the alternate command to do the same thing:

sudo ip link set dev wg0 mtu 1360 on the server
sudo ip link set dev [currently active wireguard profile] mtu 1360 on the client, and it worked!

Thank you so much for the assistance!

All 9 comments

:wave: @haoyet - I'm not actively involved with Streisand anymore and can't provide you with help but on the surface your problem sounds similar to one I debugged in the past: https://github.com/StreisandEffect/streisand/issues/1089#issuecomment-350400689

I would recommend checking whether you have success accessing these sites after adjusting your MTU or switching to a provider other than GCE.

google.com does not work and many other sites do not work.

Ok! I'll try setting up a Streisand server from the current code in master in GCE and see if I'm able to access google.com - hopefully the answer is "no" and I can iterate on troubleshooting faster.

@Ronaldkornblow : Good news - I was able to reproduce the problem and I can recommend a short-term workaround while I spend some time figuring out the best solution longer term.

In practice it seems an MTU larger than 1360 results in UDP fragmentation on the GCE network. Out of the box my server/client both had an MTU of 1420. You should be able to resolve this by updating the MTU on the wg0-server interface on the server and the wg0-client interface on your client machine.

You can do so by running:
sudo ifconfig wg0-server mtu 1360 on the server
sudo ifconfig wg0-client mtu 1360 on the client

I'll have to spend some time thinking about how best to address this permanently. Thanks for reporting!

_Originally posted by @cpu in https://github.com/StreisandEffect/streisand/issues/1089#issuecomment-350400689_

So I tried the solution, but I got SIOCSIFMTU: No such device on both server and client. I already looked this issue up but didn't find any valid solutions.

Forgive me for my ignorance.

Since ifconfig was deprecated, I found the alternate command to do the same thing:

sudo ip link set dev wg0 mtu 1360 on the server
sudo ip link set dev [currently active wireguard profile] mtu 1360 on the client, and it worked!

Thank you so much for the assistance!

Just to explain, the WireGuard interface on the server is wg0, and the interface on the client is the currently active WireGuard profile, the two-random-word thing that looks like attack-slender.

I'm re-opening this because it should be something Streisand does when it knows it's on GCE. Thank you for the description!

I changed the eth0 MTU to 1500:

nano /etc/network/if-up.d/start.sh 

ifconfig eth0 mtu 1500

wg-quick down wg0 && wg-quick up wg0

It works for me; then you don't have to worry about the MTU issue for WireGuard, IKEv2, OpenConnect.


This worked for me as well. Not sure why this issue should be closed. I'm going to try and figure out how to set this on startup on the server and the client. Does anyone have an idea on how to do that?

I found this thread: https://lists.zx2c4.com/pipermail/wireguard/2019-May/004190.html Doesn't this mean that this issue is solved in new versions of wg?

This is a known issue due to Google GCP's MTU and has been discussed on the lists.

https://lore.kernel.org/wireguard/DM6PR12MB3401FF1DE04A62EAD84F2C74BB7B0@DM6PR12MB3401.namprd12.prod.outlook.com/t/#u

https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/8518300-support-for-mtu-1460-bytes

@trochdewei No, if your public wireguard server is on GCP, their MTU of 1460 will still come into play.
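The figures in this thread follow from WireGuard's fixed per-packet overhead, and the "set it on startup" question above has a one-line answer: an MTU entry in the [Interface] section of the wg-quick config, which wg-quick applies on every "wg-quick up". The script below is an added example written for this page; it is not Streisand's code and was not posted in the issue. It assumes a GCE link MTU of 1460 as discussed in the thread; WireGuard's 32 bytes of overhead (16-byte data header plus 16-byte Poly1305 tag), which with outer IPv4+UDP headers totals 60 bytes and with IPv6+UDP totals 80 (wg-quick's own default is link MTU minus 80, hence 1420 on a 1500-byte link); and a constructed wg-quick config with placeholder keys and addresses.

```shell
#!/bin/sh
# Added example (not Streisand's code): size a WireGuard tunnel MTU for a
# link with a small MTU such as GCE's 1460, and persist it via wg-quick.
#
# Assumptions: WireGuard adds 32 bytes (16-byte data header + 16-byte
# Poly1305 tag) to every packet; the outer IPv4+UDP headers add 28 bytes
# (60 total) and IPv6+UDP add 48 (80 total). wg-quick's own default is
# link MTU - 80, which is where the 1420 on a 1500-byte link comes from.

# wg_mtu LINK_MTU [FAMILY]: largest tunnel MTU whose encrypted packets fit
# in one outer datagram. FAMILY (4 or 6) is that of the peer Endpoint.
wg_mtu() {
    link_mtu=$1
    family=${2:-4}
    case $family in
        4) overhead=60 ;;
        6) overhead=80 ;;
        *) echo "wg_mtu: family must be 4 or 6" >&2; return 1 ;;
    esac
    echo $((link_mtu - overhead))
}

# set_wg_quick_mtu CONFIG MTU: write "MTU = N" into the [Interface] section
# of a wg-quick config (replacing any existing MTU line) so that every
# "wg-quick up" applies it, instead of re-running "ip link set ... mtu"
# by hand after each reboot.
set_wg_quick_mtu() {
    cfg=$1
    mtu=$2
    grep -q '^\[Interface\]' "$cfg" || {
        echo "set_wg_quick_mtu: no [Interface] section in $cfg" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    awk -v mtu="$mtu" '
        /^\[Interface\]/ { print; print "MTU = " mtu; in_iface = 1; next }
        /^\[/            { in_iface = 0 }
        # drop any old MTU line (wg-quick keys are case-insensitive)
        in_iface && /^[ \t]*[Mm][Tt][Uu][ \t]*=/ { next }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # copy back over the original rather than mv: the config holds the
    # PrivateKey and must keep its restrictive (0600) mode and owner.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Live, non-persistent equivalents of the commands in the thread (need root
# and a real interface, so the self-test does not run them):
#   ip link set dev wg0 mtu "$(wg_mtu 1460 4)"                  # server
#   ip -o link show dev wg0 | sed 's/.* mtu \([0-9]*\).*/\1/'    # verify
#
# probe_path PEER_IP MTU: confirm an MTU-sized packet crosses the tunnel
# without fragmentation (Linux iputils ping; -M do sets DF, and 28 is the
# IP+ICMP header size that ping adds on top of -s).
probe_path() {
    ping -c 1 -W 2 -M do -s $(($2 - 28)) "$1" > /dev/null 2>&1
}
```

With an IPv4 Endpoint on a 1460-byte link the tight value is 1400, or 1380 if the Endpoint is IPv6; the 1360 used in the thread is simply a safe round-down of both. Run set_wg_quick_mtu against the server's /etc/wireguard/wg0.conf and against each client profile, then "wg-quick down wg0 && wg-quick up wg0" (or re-import the profile on Android) and check with probe_path that a full-size ping still gets through with DF set.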
