Re: Wireguard IP packets fragmentation issue
On Fri, May 13, 2022 at 11:10:41PM +0200, n18fu...@tutanota.com wrote:
> Hi,
>
> I've set up an OpenBSD server on the Cloud, set up a Wireguard tunnel, and
> configured default route through that server. I've noticed that I can't
> access some websites: my browser was not able to complete TLS handshakes
> with some servers. I've traced the issue to the fact that the MTU on my
> server's network interface is 1500 while the default MTU on a wg0
> interface is 1420. So when a large enough packet has a DF flag set it
> would not make it through the smaller wg0 interface. I've fixed the
> problem by adding a "scrub" option to server's pf.conf like this:
>
> match out on egress from (wg0:network) nat-to (egress:0) scrub (no-df
> random-id)
>
> But I'm surprised that I did not see anyone mentioning this problem. I
> also did not see that "scrub" option included in any examples of Wireguard
> setup that I was able to find.
>
> I'm not a networking expert, so I wonder if using a "scrub" option like
> that is a good idea.

Seems like ICMP responses are being dropped. In such cases the proper solution is to fix whatever is filtering out ICMP responses.

However, according to https://github.com/QubesOS/qubes-issues/issues/5264#issuecomment-683177300 Wireguard deliberately drops ICMP responses to its UDP transport packets. If this is the case in your situation, the better solution might be to drop the MTU on the Wireguard interfaces so oversized packets are rejected before they're encapsulated. A common fail-safe MTU for VPN interfaces is 1300 or 1280.

Another alternative might be to switch to IPSec+IKEv2. If there's no NAT between your tunnel endpoints, it won't need to use UDP encapsulation, so packet overhead would be smaller. But even with NAT traversal, OpenBSD's iked might handle things better (e.g. permitting fragmentation of its UDP packet, or mirroring ICMP responses), though I don't know specifically if this would be the case.
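To make the MTU arithmetic in this exchange concrete, here is an added example (written for this page, not posted to the list) that derives the WireGuard inner MTU from the encapsulation overhead and models what a forwarding host does with an IPv4 packet that is too big for the wg interface, with and without pf's `scrub (no-df)`. The packet bytes, addresses and the 1420/1500 figures follow the thread; everything else is constructed.

```python
import struct

# Encapsulation overhead of a WireGuard data packet, in bytes:
# outer IP header + UDP header + WireGuard transport header
# (1 type + 3 reserved, 4 receiver index, 8 counter) + 16-byte Poly1305 tag.
WG_HEADER_AND_TAG = 4 + 4 + 8 + 16          # 32
UDP_HEADER = 8
IP_HEADER = {"inet": 20, "inet6": 40}

# IPv4 "don't fragment" bit in the 16-bit flags/fragment-offset word.
IP_DF = 0x4000


def inner_mtu(outer_mtu=1500, outer_family="inet6"):
    """Largest inner packet that still fits the outer MTU after encapsulation.

    For a 1500-byte link this is 1440 over IPv4 and 1420 over IPv6; the
    wg(4) default of 1420 quoted in the thread is the conservative (IPv6) figure.
    """
    return outer_mtu - IP_HEADER[outer_family] - UDP_HEADER - WG_HEADER_AND_TAG


def build_ipv4(total_length, df=True):
    """Constructed IPv4 packet (zero payload); only length and flags matter here."""
    flags_frag = IP_DF if df else 0
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0x1234, flags_frag,
                         64, 6, 0,                    # TTL, proto TCP, checksum
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * (total_length - 20)


def classify(packet, if_mtu, scrub_no_df=False):
    """Fate of an IPv4 packet being forwarded into an interface with if_mtu.

    scrub_no_df models pf's "scrub (no-df)", which clears DF before the
    MTU check so the packet may be fragmented instead of rejected.
    """
    total_length, _ident, flags_frag = struct.unpack_from("!HHH", packet, 2)
    if total_length <= if_mtu:
        return "forwarded"
    if flags_frag & IP_DF and not scrub_no_df:
        # Too big and DF set: rejected; the sender is told via ICMP
        # "fragmentation needed", which only helps if that ICMP gets through.
        return "dropped"
    return "fragmented"
```

Lowering the wg interface MTU, as suggested in the reply, does not change this logic; it moves the "dropped" outcome to the tunnel endpoint, where the ICMP message has a better chance of reaching the original sender.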
Re: Updating nextcloud to new major version
On Fri, 2022-05-13 at 20:58 +0200, Florian Obser wrote:
> On 2022-05-13 19:35 +02, Clemens Gößnitzer wrote:
> > When I try to update nextcloud to the next major version, it would not
> > let me easily:
> >
> > # pkg_add -vi nextcloud
> > Update candidates: quirks-5.5 -> quirks-5.5
> > quirks-5.5 signed on 2022-05-12T23:37:02Z
> > Ambiguous: choose package for nextcloud
> > a 0:
> > 1: nextcloud-21.0.8p0
> > 2: nextcloud-22.2.6
> > 3: nextcloud-23.0.3
> > Your choice: 3
> > Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
> > --- nextcloud-23.0.3 ---
> > Can't install nextcloud-23.0.3: conflicts
> > Couldn't install nextcloud-23.0.3
> >
> > Is there a way to do this upgrade without pkg_delete nextcloud &&
> > pkg_install nextcloud?
>
> pkg_add -r nextcloud

That worked. Thanks!

> worked for me.
>
> > Thanks.
Re: Updating nextcloud to new major version
On 2022-05-13 19:35 +02, Clemens Gößnitzer wrote:
> When I try to update nextcloud to the next major version, it would not
> let me easily:
>
> # pkg_add -vi nextcloud
> Update candidates: quirks-5.5 -> quirks-5.5
> quirks-5.5 signed on 2022-05-12T23:37:02Z
> Ambiguous: choose package for nextcloud
> a 0:
> 1: nextcloud-21.0.8p0
> 2: nextcloud-22.2.6
> 3: nextcloud-23.0.3
> Your choice: 3
> Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
> --- nextcloud-23.0.3 ---
> Can't install nextcloud-23.0.3: conflicts
> Couldn't install nextcloud-23.0.3
>
> Is there a way to do this upgrade without pkg_delete nextcloud &&
> pkg_install nextcloud?

pkg_add -r nextcloud

worked for me.

> Thanks.

-- 
I'm not entirely sure you are real.
Re: Updating nextcloud to new major version
On Fri, 2022-05-13 at 11:05 -0700, Courtney wrote:
> Have you tried pkg_add -Uu?

That did not do the trick... Thanks for the suggestion.

> Courtney
>
> On 5/13/22 10:35, Clemens Gößnitzer wrote:
> > When I try to update nextcloud to the next major version, it would not
> > let me easily:
> >
> > # pkg_add -vi nextcloud
> > Update candidates: quirks-5.5 -> quirks-5.5
> > quirks-5.5 signed on 2022-05-12T23:37:02Z
> > Ambiguous: choose package for nextcloud
> > a 0:
> > 1: nextcloud-21.0.8p0
> > 2: nextcloud-22.2.6
> > 3: nextcloud-23.0.3
> > Your choice: 3
> > Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
> > --- nextcloud-23.0.3 ---
> > Can't install nextcloud-23.0.3: conflicts
> > Couldn't install nextcloud-23.0.3
> >
> > Is there a way to do this upgrade without pkg_delete nextcloud &&
> > pkg_install nextcloud?
> >
> > Thanks.
Re: Updating nextcloud to new major version
Have you tried pkg_add -Uu?

Courtney

On 5/13/22 10:35, Clemens Gößnitzer wrote:
> When I try to update nextcloud to the next major version, it would not
> let me easily:
>
> # pkg_add -vi nextcloud
> Update candidates: quirks-5.5 -> quirks-5.5
> quirks-5.5 signed on 2022-05-12T23:37:02Z
> Ambiguous: choose package for nextcloud
> a 0:
> 1: nextcloud-21.0.8p0
> 2: nextcloud-22.2.6
> 3: nextcloud-23.0.3
> Your choice: 3
> Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
> --- nextcloud-23.0.3 ---
> Can't install nextcloud-23.0.3: conflicts
> Couldn't install nextcloud-23.0.3
>
> Is there a way to do this upgrade without pkg_delete nextcloud &&
> pkg_install nextcloud?
>
> Thanks.
Updating nextcloud to new major version
When I try to update nextcloud to the next major version, it would not let me easily:

# pkg_add -vi nextcloud
Update candidates: quirks-5.5 -> quirks-5.5
quirks-5.5 signed on 2022-05-12T23:37:02Z
Ambiguous: choose package for nextcloud
a 0:
1: nextcloud-21.0.8p0
2: nextcloud-22.2.6
3: nextcloud-23.0.3
Your choice: 3
Can't install nextcloud-23.0.3 because of conflicts (nextcloud-22.2.6)
--- nextcloud-23.0.3 ---
Can't install nextcloud-23.0.3: conflicts
Couldn't install nextcloud-23.0.3

Is there a way to do this upgrade without pkg_delete nextcloud && pkg_install nextcloud?

Thanks.
Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks
On 2022-05-13, Marko Cupać wrote:
> The only problem I currently have with pfsync is the fact that it does
> not synchronise queue membership of states.

IIRC this is meant to work but only if you have identical rulesets, after expanding interface addresses etc. This will require some care in constructing pf.conf:

- interface groups instead of interface names if nic hw is different
- "(self)" or list the addresses of both firewalls instead of using "self"
- avoid "antispoof".
Re: A speed test with Iperf , Relayd and PF
On 2022-05-13, Fabrizio Francione wrote:
> Code:
> tcp connection fixup {
>         tcp nodelay
> }
>
> relay IPERF_TEST{
>         listen on 10.10.10.2 port 6740
>         forward to 192.168.20.9 port 6670
>         protocol fixup
> }
> With IPERF I obtain a speed of 144Mbps .

Why use nodelay? That disables Nagle and is normally only wanted for interactive protocols like SSH. High chance that will be slowing things down.

https://en.m.wikipedia.org/wiki/Nagle%27s_algorithm

> If instead, I deactivate the relayd function and using a simple PF
> redirecting with
>
> Code:
>
> pass in on em0 proto {tcp} from any to em0 port 6740 rdr-to 192.168.20.9
> port 6670
>
> I obtain a speed of 892 Mbps.

rdr-to and relayd TCP proxies are totally different things.

-- 
Please keep replies on the mailing list.