On Thu, 24 Aug 2023 08:50:20 -0400
Saint Michael wrote:
> This is the Achilles' heel of Wireguard. It reduces the MTU too much. Other
> tunneling techniques use a much larger MTU. I use MikroTik routers and one
> of the supported tunnels goes up to 1472. Some apps require a large MTU.
> Why Wiregu
On Thu, 17 Aug 2023 20:14:52 +
blurt_overkill...@simplelogin.com wrote:
> I see here[1] that if you're using IPv4 exclusively, you can get away with
> an MTU of 1440. If my client only has IPv4 internet, however the server
> issues an IPv6 address for use by the client, can the client still us
On Wed, 16 Aug 2023 07:06:53 +0200
Henrik Hautakoski wrote:
> Add a simple "restart" command that just does cmd_down followed by a cmd_up.
> Saves a bit of typing :)
>
> Signed-off-by: Henrik Hautakoski
> ---
> src/wg-quick/linux.bash | 7 ++-
> 1 file changed, 6 insertions(+), 1 deletion(-
On Sun, 19 Feb 2023 21:18:34 +0100
Nico Schottelius wrote:
> If I am not mistaken that would mean in practice:
>
>   if original_pkg.ip_dst == one_of_my_ips then
>     return_pkg.ip.src = original_pkg.ip_dst
>     return_pkg.ip.dst = original_pkg.ip_src
>   fi
>
> For me that sounds like a s
On Sun, 19 Feb 2023 19:04:28 +0100
Daniel Gröber wrote:
> +static inline bool parse_address_family(int *family, const char *value)
> +{
> + if (strcmp(value, "inet") == 0)
> + *family = AF_INET;
> + else if (strcmp(value, "inet6") == 0)
> + *family = AF_INET6;
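Review bot: the visible branches of parse_address_family() match value with strcmp(), so only the exact lowercase strings "inet" and "inet6" are accepted, and nothing in the quoted lines documents that. Add a short comment above the function naming the accepted values, and confirm that the unmatched case returns false without writing to *family so callers never read an unset family.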
Wou
Hello,
I'm trying to move all my WG communication with peers to a non-primary IP of my
server.
It has IPs added like this:
inet6 2001:db8::ca6c/128 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 2001:db8::1/128 scope global nodad
valid_lft forever pre
Hello,
On Tue, 19 Jul 2022 21:36:57 +
Quentin Vallin wrote:
> I'm trying to separate my peer configuration and automate it.
>
> I know that I can use the post hook PostUp = wg addconf /path/to/my/file
>
> It would be easier to have a special path where wireguard can merge the config
> fil
On Wed, 1 Jun 2022 10:07:31 +0100
Houman wrote:
> I didn't change the MTU settings, but I have a suspicion about MTU. I
> found this article here that makes some interesting suggestions to set
> MTU to 1280: https://keremerkan.net/posts/wireguard-mtu-fixes/
>
> And beyond that iptables -A FORWAR
On Sun, 08 May 2022 08:34:46 +0200
Nico Schottelius wrote:
> The connection stays correctly established.
>
> If anyone has a pointer on what might be going on, any help is
> appreciated.
Maybe you don't have a corresponding firewall rule, and happen to rely on the
ESTABLISHED,RELATED matching i
On Tue, 22 Feb 2022 00:57:10 +0500
Roman Mamedov wrote:
> On Mon, 21 Feb 2022 22:16:22 +0300
> Michael Tokarev wrote:
>
> > 21.02.2022 22:11, Michael Adams wrote:
> > > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back,
> > > for IPv6 VPN
On Mon, 21 Feb 2022 22:16:22 +0300
Michael Tokarev wrote:
> 21.02.2022 22:11, Michael Adams wrote:
> > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back,
> > for IPv6 VPN support on Windows & Linux. It's good practice.
>
> Lemme guess. The OP is routing wg packets over IPv
On Thu, 14 Oct 2021 04:45:32 +0200
uxdwzco...@moenia.de wrote:
> as I understand, linux needs the ability to change hardware-addresses on
> netdevs to put them into a bridge or bond, but wireguard-netdevs on
> linux don't support hw-addresses at all (at least in kernel 5.10).
>
> is it possible (
On Mon, 27 Sep 2021 04:14:35 -0500
Bruno Wolff III wrote:
> This isn't a simple problem. The assumption is that someone is seeing
> your network traffic and blocking it.
The assumption is that there's an appliance at the ISP which has a DROP rule
for UDP with 4 fixed bytes at a fixed offset. It
On Mon, 27 Sep 2021 02:11:30 -0500
Bruno Wolff III wrote:
> On Mon, Sep 27, 2021 at 09:53:08 +0900,
> Nico Schottelius wrote:
> >
> >I'd appreciate if wireguard upstream would take this in, maybe even
> >supporting multiple / dynamic listen ports.
>
> The problem is mostly orthogonal to Wireg
On Fri, 24 Sep 2021 11:31:40 -0400
tlhackque wrote:
> WireGuard server (Linux, details below) behind a site router that
> handles IPv4 NAT & an IPv6 tunnel.
>
> Server LAN has other hosts (and multiple subnets/vlans) - mostly dual stack.
>
> The WireGuard server is able to access the WireGuard
On Mon, 30 Aug 2021 19:44:21 +0200
Daniel wrote:
> > Do you get WG working at all, between some other two hosts (not involving
> > this particular server for now)?
> Yes. Clients are shown on both sides as connected, traffic seems to go
> out on each side but other one as received near to no
On Mon, 30 Aug 2021 19:28:11 +0200
Daniel wrote:
> To be sure (and I think it is as I have no problem with ipv4):
>
> . my interfaces are named wig4tootai or wigserver Nothing wrong here ?
>
> . conf file are not named .conf but server.conf or
> anyname.conf Nothing wrong here too ?
Interfac
On Mon, 30 Aug 2021 12:24:01 +0200
Daniel wrote:
> Using tcpdump -i any I see the traffic coming to the gre interface and
> that's all. But netstat shows
>
> udp6 0 0 :::12345 :::*
> 0 125391 -
>
> and ps aux output is
>
> dh@peech:~$ ps a
On Sat, 28 Aug 2021 07:05:45 +0930
Mike O'Connor wrote:
> On a 1500 link I'm having to use 1280 to get ipv6 to successfully go
> over a wireguard link.
Then it is not a true 1500 MTU link, something in-between drops packets at a
lower bar. Or maybe not all of them, but just UDP, for example.
B
On Thu, 26 Aug 2021 13:14:00 +0200
Daniel wrote:
> Correction
>
> On 25/08/2021 at 17:25, Daniel wrote:
> > Hi list,
> >
> > I set up wireguard on a server running Debian 11 and get it to work with
> > 2 clients (Debian 11 and Ubuntu 20.04). Clients and server are on
> > separate networks, o
On Fri, 20 Aug 2021 13:16:34 +0200
S Bauer wrote:
> Hello team,
>
> Hoping you could help me out with a foggy situation.
> The past week I have been struggling to get the Wireguard VPN working
> smoothly. Everything seems to work on paper, except in a specific way
> it doesn't. I am using Pop!_O
On Mon, 7 Jun 2021 16:46:17 +0500
Roman Mamedov wrote:
> On Mon, 7 Jun 2021 13:27:10 +0200
> "Jason A. Donenfeld" wrote:
>
> > Can you walk me through your use case a bit more, so I can wrap my mind
> > around the requirements?
> >
> > ingress --pla
On Mon, 7 Jun 2021 13:27:10 +0200
"Jason A. Donenfeld" wrote:
> Can you walk me through your use case a bit more, so I can wrap my mind
> around the requirements?
>
> ingress --plain--> wireguard --wireguard[plain]--> vxlan
> --vxlan[wireguard[plain]]--> egress
Not sure I understand your schem
On Mon, 7 Jun 2021 11:34:21 +0200
"Jason A. Donenfeld" wrote:
> 2) Local egress fragmentation WOULD be affected by this and is the
> most relevant thing in this discussion. In this case, a packet that
> gets encrypted and winds up being larger than the mtu of the interface
> that the encrypted pa
On Sun, 6 Jun 2021 11:13:36 +0200
"Jason A. Donenfeld" wrote:
> Specifically the change would be to not allow IP fragmentation of the
> encrypted UDP packets. This way, in the case of a loop, eventually the
> packet size exceeds MTU, and it gets dropped: dumb and effective.
> Depending on how thi
On Thu, 20 May 2021 11:15:30 +0500
Roman Mamedov wrote:
> > So, what do you mean is that wireguard does a single DNS resolution at
> > the beginning and further DNS resolutions need to be done elsewhere. Is
> > that correct?
>
> Yes.
I also remembered a case where just P
On Thu, 20 May 2021 00:28:08 +0200
Vicente Bergas wrote:
> There is a public IP assigned to the router. The IP is dynamic, so, it
> can change from time to time, but, once assigned, it is exclusive to
> the router.
> There is no carrier-grade NAT.
> I've configured the router to forward the wireg
On Tue, 18 May 2021 13:22:31 +0200
Vicente Bergas wrote:
> A server connected to the Internet through an ISP that provides a
> dynamic IP with NAT.
If it's NAT, then your server has no dedicated public IP? What do you update
to DNS, IP of the ISP's NAT pool (shared IP with many other customers)?
On Sat, 8 May 2021 19:49:06 +0100
lejeczek wrote:
> > Also remember that sets of AllowedIPs should be unique within the network,
> > i.e. can't have the same AllowedIPs or ranges listed for multiple nodes at
> > the same time. Setting it to the same /24 on all nodes will not work.
> >
> > If
On Sat, 8 May 2021 17:31:58 +0100
lejeczek wrote:
> I'm experiencing a pretty weird wireguard, or perhaps
> kernel/OS stack bits behavior.
>
> I have three nodes which all can ping each other on wg0's
> IPs but when I add a secondary IP:
>
> -> $ ip addr add 10.0.0.226/24 dev wg0
>
> it gets
On Sun, 02 May 2021 13:02:28 +0200
Nico Schottelius wrote:
> when running a lot of VPN connections using wireguard, there are some
> questions we see quite often from users, two of which I'd like to
> discuss here:
>
> Multiple keys per Peer
> --
>
> Users often ask for shar
On Sat, 24 Apr 2021 11:11:50 +0100
lejeczek wrote:
> Hi guys.
>
> Apologies, I'll bother you guys as I failed to find some
> better places to ask, I searched for forums etc. but failed.
>
> Can wireguard ifaces be enslaved by Linux bridge? I tried
> but it did not work for me. Similarly "mav
On Sat, 10 Apr 2021 10:27:23 -0500
Lonnie Abelbeck wrote:
> I have been testing the T-Mobile Home Internet (4G/5G fixed wireless) service
> to a Linode VM via WireGuard.
>
> The TMHI service uses CGNAT plus an additional NAT in their modem/gateway
> with a MTU of 1420, so WireGuard is configur
On Sat, 3 Apr 2021 06:27:40 +0200
Giovanni Francesco wrote:
> Hi, I am looking to understand if "EndPoint" IP data may be shared among
> peers within the tunnel?
>
> The question may sound confusing, let me explain my setup.
>
> I have a static IPv4 wireguard server (let's call it "A" peer) wh
On Sat, 23 Jan 2021 11:52:56 -0500
Ken D'Ambrosio wrote:
> Hey, all. I'm relatively new to WireGuard, and have a RasPi at my house
> doing firewall duty. Installed WG on it, and on a VPS, and am trying to
> get the VPS to access hosts on my home subnet. So:
>
> VPS <-192.168.50.0/24-> RasPi
On Thu, 21 Jan 2021 19:07:18 +0500
Roman Mamedov wrote:
> On Sun, 17 Jan 2021 11:36:42 +0100
> Harald Dunkel wrote:
>
> > Hi folks,
> >
> > I am using PPPoE to connect to my IP provider. To use wireguard on Linux I
> > have to reduce the MTU in wg0.conf to 1
On Sun, 17 Jan 2021 11:36:42 +0100
Harald Dunkel wrote:
> Hi folks,
>
> I am using PPPoE to connect to my IP provider. To use wireguard on Linux I
> have to reduce the MTU in wg0.conf to 1400. Using the default 1420 a ssh
> connection tunneled through wireguard gets stuck (reproducible). An echo
On Wed, 13 Jan 2021 20:14:46 +
"Posegga, Joachim" wrote:
> Dear all,
>
> I am trying to connect multiple wireguard clients behind the same NAT-Gateway
> to a Mikrotik server with a public IP. I am not yet sure where exactly the
> problem is, but it seems that only one client at a time can
On Tue, 5 Jan 2021 21:12:12 +0100
Chris Osicki wrote:
> As far as I can see after a few tests, AllowedIPs config file option has
> nothing to do with routing and I hope
> it will stay like this.
wg-quick uses AllowedIPs to also set up matching entries in the system routing
table. This can be dis
On Tue, 17 Nov 2020 13:00:01 +0100
"Marco Davids (SIDN)" wrote:
> Hello,
>
> We have a Wireguard VPN and everything is working fine.
>
> There is just one little thing: IPv6 Happy Eyeballs.
>
> Without the VPN enabled, happy eyeballs works fine. The (IPv6) is
> preferred over A (IPv4). B
On Thu, 12 Nov 2020 09:34:43 +0100
"Jason A. Donenfeld" wrote:
> Could you let me know the rationale for your continued use of Windows
> 7? Is it economic? Is it just UI preference, and security isn't a
> priority to you? Something else?
For me, the UI preference absolutely; but security *is* ce
On Tue, 10 Nov 2020 18:56:56 +0500
Roman Mamedov wrote:
> Hello,
>
> Building kernel 5.4.76 with WireGuard v1.0.20200908 fails for me now with:
>
> AS [M] net/wireguard/crypto/zinc/chacha20/chacha20-x86_64.o
> In file included from :
> ././net/wireguard/compat/com
Hello,
Building kernel 5.4.76 with WireGuard v1.0.20200908 fails for me now with:
AS [M] net/wireguard/crypto/zinc/chacha20/chacha20-x86_64.o
In file included from :
././net/wireguard/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
#define SYM_FUNC_START ENTRY
In file included f
On Fri, 9 Oct 2020 16:19:22 +0200
Chris wrote:
> Maybe I oversimplify your problem, but from what I read, your standard route
> will be using the Iranian net.
> And - I guess - it is only a limited number of IP addresses, that you would
> like to reach through the tunnel.
>
> I don't know yo
On Fri, 9 Oct 2020 17:16:18 +0330
Rudi C wrote:
> > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov wrote:
> > Seems like you misunderstand what I mean. If you use the in-VPN (internal)
> > IP of your VPS, all communication with the SOCKS proxy installed on the VPS
On Fri, 9 Oct 2020 17:00:31 +0330
Rudi C wrote:
> > On Fri, Oct 9, 2020 at 4:52 PM Roman Mamedov wrote:
> > just install a SOCKS proxy
>
> These simple solutions get blocked by the DPI. (I do have my own VPS.)
Seems like you misunderstand what I mean. If you use the in-VP
On Sun, 4 Oct 2020 15:41:52 +0330
Rudi C wrote:
> I use Wireguard to circumvent Iran's censorship. A major problem with
> it is that it's very hard to selectively proxy specific domains/apps
> through Wireguard, while leaving others alone. This is an essential
> feature for Iran's internet, as:
>
On Wed, 30 Sep 2020 15:42:19 -0700
PGNet Dev wrote:
> I've two linux machines connected with wg.
>
> Machine #1 is a remote VM, & connects to the public 'net.
>
> Machine #2 is local, on my LAN.
>
> To date, they've only routed internal traffic. Nice -n- easy.
>
> I'm adding forwarding of s
On Mon, 20 Jul 2020 17:04:46 +0200
wrote:
> Yes, it is up to date.
> Joachim
>
> -Original Message-
> From: Jason A. Donenfeld
> Sent: Monday, 20 July 2020 16:49
> To: Joachim Lindenberg
> Cc: WireGuard mailing list
> Subject: Re: Wireguard on Ubuntu 18.04.4 (LTS)?
>
> Is
On Mon, 29 Jun 2020 13:03:40 +0200
Toke Høiland-Jørgensen wrote:
> Eh? This is specified pretty clearly in RFC4291, section 2.1:
It also says:
-
2.5.6. Link-Local IPv6 Unicast Addresses
Link-Local addresses are for use on a single link. Link-Local
addresses have the following form
On Mon, 29 Jun 2020 12:22:49 +0200
Toke Høiland-Jørgensen wrote:
> Reid Rankin writes:
>
> > Each IPv6 network device is *required* to have a link-local
> > address by the RFC
>
> Given this
What you quoted is the shakiest statement of the entire proposal. Might be a
cool idea and all, but I
On Tue, 19 May 2020 11:09:24 +0200
nicolas prochazka wrote:
> Hello,
> I'm trying to use vxlan encapsulated into Wireguard tunnel, with a
> multicast group for announcement.
> Ex :
> ip -6 link add vxlan100 type vxlan id 100 dstport 4789 local
> `wg0Ip6_lock` group ff05::100 dev wg0 ttl 5
>
>
On Thu, 14 May 2020 16:35:30 +0930
Mike O'Connor wrote:
> Hi All
>
> For the last few weeks my Wireguard link which I use as my default
> gateway has been having issues with TCP connections stalling.
>
> I've been trying to work out what is wrong. I just noticed that the
> Wireguard link has
On Tue, 14 Apr 2020 17:02:41 +0200
ajs124 wrote:
> On Sat, 11 Apr 2020 12:13:36 -0700
> wrote:
>
> > I have some older routers that run OpenWRT just fine, but are a bit slow at
> > Wireguard (3-5 MBytes/s for SMB transfers) and which are too slow for
> > playing HD movies.
> > For these routers
On Mon, 30 Mar 2020 18:19:17 -0600
"Jason A. Donenfeld" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hello,
>
> A new version, v1.0.20200330, of the backported WireGuard kernel module for
> 3.10 <= Linux <= 5.5.y has been tagged in the git repository.
My kernel build for 5.4.
On Sat, 14 Mar 2020 15:51:51 +0100
Torsten Krah wrote:
> resend to the list:
>
> Hm, sorry I don't get the message. Imho it's down to the user. I can
> choose to use ping or ping6 or tell e.g. java via a system property to
> prefer IPv4 if dual stack is available.
>
> In wireguard I can force ip
On Sun, 16 Feb 2020 07:58:48 -0500
Neal Becker wrote:
> I'm testing wireguard
> wireguard-0.0.20191219-2.fc31.x86_64
> between a Fedora 31 client and server, comparing to openvpn.
>
> Openvpn is running between a linux client outside my lan and a server on my
> router, which is running dd-wrt.
>
On Tue, 10 Dec 2019 18:36:06 +0100
"Jason A. Donenfeld" wrote:
> That bachelors thesis says in the abstract, "Latency was measured
> through the round-trip time of ICMP packets while throughput was
> measured by generating UDP traffic using iPerf3. The results showed
> that, when using linear loo
On Tue, 10 Dec 2019 17:54:49 +0100
"Jason A. Donenfeld" wrote:
> iptables rules and nftables rules can co-exist just fine, without any
> translation needed. Indeed if your iptables is symlinked to
> iptables-nft, then you'll insert nftables rules when you try to insert
> iptables rules, but it re
On Fri, 29 Nov 2019 16:18:52 -0500
zrm wrote:
> Ballpark estimate, round a keepalive packet to about a hundred bytes.
> You're also going to get re-keys, call those two hundred bytes. If you
> have a keepalive every 30 seconds and a re-key every 120 seconds, that's
> around 18KB per hour per
On Thu, 18 Jul 2019 08:38:54 +0200
Janne Johansson wrote:
> With taskset you should be able to:
> https://www.howtoforge.com/linux-taskset-command/
It appears "taskset" only works on regular programs, not kernel threads:
# taskset -p -c 1 2128
pid 2128's current affinity list: 0
taskset: failed
On Sat, 29 Jun 2019 12:38:01 +0200
Christopher Bachner wrote:
> In htop I can see that one of the 4 cores is running at 99%. So I assume
> that is the bottleneck.
>
> Is there a way to improve this? I assume it does not matter which side is
> the server and which is the client?
You can see that
On Wed, 17 Jul 2019 17:45:18 +0800
Yousong Zhou wrote:
> For WireGuard overhead breakdown [1], maybe it's worth also mentioning
> that N the length of encrypted data will be padded to be multiples of
> 16.
>
> I am only aware of this when fragmentation was spotted. With 1500 as
> MTU for ethern
Hello,
Today I noticed there are kernel threads named "wg-crypt-wgX" (the latter part
being name of the interface). However when there is actual load on WG, these
don't seem to be active, and in "top" we still see a bunch of "kworker/0:X"
using the CPU.
Would it be possible to give those kworkers
Hello,
Just wanted to share my excitement about
https://git.zx2c4.com/WireGuard/diff/?id=57a8ca7f49b5e70aae18b8b5a70cde8f9e4a9346&id2=7cf2dae97635c8c20a8943522bab2b56c6885c8d
This means WG packets can now be fragmented, and as such we can use arbitrarily
large MTU inside WG. This in turn means we c
Hello,
I use WireGuard over IPv6 on a PPPoE connection. The Internet interface MTU is
1492. By my calculations MTU 1412 on the WG interface should fit.
However, the following occurs on various MTU combinations between the Remote
(a server in a DC with full 1500 wire MTU) and Local WG interface MT
On Thu, 28 Mar 2019 23:22:45 +0900
Tomasz Chmielewski wrote:
> Does Wireguard allow to set up mesh VPN with "relative ease"?
>
> Say, we have 10 servers with public IPs, we want them all to create a
> VPN network with private subnet 10.11.12.0/24, and have all 10 servers
> communicate directly
On Sun, 03 Mar 2019 08:56:12 +0100
XRP wrote:
> [#] ip link set mtu 1200 up dev wg1
> [#] ip route add fdb8:a70c:b109:9935::/64 dev wg1
> RTNETLINK answers: No such device
IPv6 cannot work with MTU less than 1280 on the device.
--
With respect,
Roman
___
Hello,
I'm facing a strange issue where "ifconfig" shows the IPv6 twice for one
particular WG interface. Other similar interfaces on the same machine aren't
affected. Can't pinpoint what's special about this one yet.
The IP is not added twice during interface setup. Adding it once more, as
expect
On Tue, 26 Feb 2019 12:39:50 +
"STR ." wrote:
> I have Fiber to our apartment complex basement, from there Cat6 runs to
> each apartment. The ISP/apartment service provider suggests an MTU of
> 1448, which I set for the PPPoE interface on my OpenWRT router.
It could be that your ISP meant th
On Thu, 14 Feb 2019 18:02:26 +
Lee Yates wrote:
Sorry, hit "send" before reading the rest of your message.
> the router runs headless and is awkward to get a monitor to so I can access
> the BIOS.
You can toggle it without needing the BIOS.
It is possible to disable SMT from grub, with Linu
On Thu, 14 Feb 2019 18:02:26 +
Lee Yates wrote:
> recommendations to disable HT, I got to wondering how much - if at all -
> disabling HT would impact on WireGuard's real world performance. I mean,
> it obviously can utilise logical cores/threads, but is there a real
> world throughput benefi
On Mon, 19 Nov 2018 09:54:38 +0100
Matthias Urlichs wrote:
> Redirecting port 53 to their DNS (presumably one close to their LTE
> endpoint) is reasonable, that should improve speed.
There is no justification to mess with user traffic like that.
If I specifically chose to use a specific DNS ser
On Sat, 6 Oct 2018 11:21:01 +0100
Brian Candler wrote:
> (Aside: I wish ssh had a feature like SNI, so that you could build an
> ssh proxy that forwards incoming connections to the right host. I have
> done this before using an inbound SOCKS proxy, but it's messy to use)
What insane things pe
On Sat, 22 Sep 2018 15:55:22 -0400
"Aaron W. Swenson" wrote:
> I’m going to use the official documentation IP addresses. I am using real IPv6
> addresses and not using NAT66. Naturally, NAT is being used for IPv4. Here are
> the definitions I’m using:
>
> Server Public IPv6: 2001:DB8::DEAD:F
Hello,
AS [M] net/wireguard/crypto/zinc/curve25519/curve25519-arm.o
net/wireguard/crypto/zinc/curve25519/curve25519-arm.S: Assembler messages:
net/wireguard/crypto/zinc/curve25519/curve25519-arm.S:21: Error: r13 not
allowed here -- `and sp,sp,#0xfff0'
scripts/Makefile.build:429: recipe for
On Mon, 3 Sep 2018 12:43:19 +0200
Ole-Morten Duesund wrote:
> Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER
> should keep the connection up.
Do you encounter any difference between 5, 25 and 55, only 5 works for you? If
not, setting it to such a low interval seems wasteful,
On Mon, 27 Aug 2018 15:32:49 +0200
netrav...@gmail.com wrote:
> When using multicast over WireGuard, would it not be more viable to use
> an extra encapsulation layer to run multicast inside of?
>
> I am specifically thinking of running either GRE or L2TPv3 over wgX.
I know people run VXLAN or o
Hello,
I am trying to get IPv6 link-local IPs and route advertisements to work over
WG. The reason is not for the usual case of address autoconfiguration, but to
use RA as a dynamic routing protocol of sorts, as it can distribute routes --
or in case of WG (where routes need to be static in Allowe
On Mon, 13 Aug 2018 02:53:44 +1000
StarBrilliant wrote:
> I know Wireguard can already do IP layer fragmentation. (Just set
> tunnel MTU >= 1441 then fragmentation will be turned on)
Is that really expected to work? I tried setting MTU 9000 on both ends of a WG
tunnel, but large packets still do
On Fri, 10 Aug 2018 14:35:14 +0100
Brian Candler wrote:
> From my point of view, the only thing which makes me uncomfortable
> about wireguard is the lack of any second authentication factor. Your
> private key is embedded in a plaintext file in your device (e.g.
> laptop), not even protected
On Tue, 31 Jul 2018 21:26:53 +0200
"Jason A. Donenfeld" wrote:
> Hey list,
>
> I submitted patchset v1 of WireGuard to LKML a few minutes ago:
>
> [0/3] https://marc.info/?l=linux-netdev&m=153306429108040&w=2
> [1/3] https://marc.info/?l=linux-netdev&m=153306429908043&w=2
> [2/3] https://marc.i
On Fri, 13 Jul 2018 08:49:45 -0500
Lonnie Abelbeck wrote:
> For certain lower-end x86 boxes I test, I noticed WG 0.0.20180708 w/NAPI
> actually slowed down receive performance.
>
> Jason recently added "receive: use gro call instead of plain call" [1]
> commit, which made a big performance imp
On Tue, 10 Jul 2018 20:38:24 +0200
"Jason A. Donenfeld" wrote:
> I might not be understanding you correctly. Do you mean to suggest
> that removing simd_relax() actually harms performance now? That having
> it in there helps performance?
Actually no, after your message I swapped kernels again to
On Tue, 10 Jul 2018 20:57:29 +0500
Roman Mamedov wrote:
> I'll probably test again without simd_relax
Somehow it's now noticeably worse without those. Even got some dips below
1 Gbit/s which I have never seen before, and the overall speed is lower.
--
With r
On Tue, 10 Jul 2018 16:57:14 +0200
"Jason A. Donenfeld" wrote:
> The latest snapshot will still have the same preemption relaxation
> with simd_relax(), but gets performance gains by moving to napi, so
> it's still faster overall. If you want the simd_relax() to not take a
> hit and get maximum t
On Sun, 08 Jul 2018 18:52:32 +0200
"Jason A. Donenfeld" wrote:
> * receive: use NAPI on the receive path
>
> This is a big change that should both improve preemption latency (by not
> disabling it unconditionally) and vastly improve rx performance on most
> systems by using NAPI. The m
On Thu, 07 Jun 2018 09:40:08 +0200
Riccardo Berto wrote:
> Just want to report that I can't add a wg interface of type wireguard
> with linux 4.17.0 on aarch64 (Raspberry Pi 3).
>
> Error message: `RTNETLINK answers: Operation not supported`.
>
> I'm using ArchLinuxARM. Downgrading to 4.16.x m
On Thu, 17 May 2018 12:40:55 +0900
Paul wrote:
> For me it looks like a problem solvable in software (as done for the
> BMX routing protocol). Why even bother to get hardware involved?
Personally I am puzzled this is even an issue in WG. Not a single other VPN
protocol mandates every node to ke
On Sun, 15 Apr 2018 14:49:23 -0400
"Patrick O'Sullivan" wrote:
> $ sudo ip route get 4.2.2.1
> 4.2.2.1 dev wg0 table 51820 src 10.111.111.100
^^^
> cache
> Can someone please explain this behavior?
Probably will be easier to do if you show the output of "ip -4 rule
On Sat, 14 Apr 2018 16:45:32 +0200
"Jason A. Donenfeld" wrote:
> In this case, WireGuard seems to be doing the right thing. Think you
> could come up with some minimal test that exhibits the behavior you're
> seeing?
I now remember in more detail what was the problem. It was not with MTU 1412
on
On Sat, 14 Apr 2018 16:15:07 +0200
"Jason A. Donenfeld" wrote:
> Hi Roman,
>
> I answered this in my first email to you, which perhaps got lost in
> the mix of emails, so I'll quote the relevant part:
>
> > 2) When we pad the packet payload. In this case, we pad it to the
> > nearest multiple o
On Sat, 14 Apr 2018 15:16:56 +0200
"Jason A. Donenfeld" wrote:
> Hi Roman,
>
> This commit should fix it. It now has a unit test too so that we don't
> hit this issue again. Thanks for reporting it in such detail.
>
> https://git.zx2c4.com/WireGuard/commit/?id=a88a067d5477f877003d3703bb3b95cb4e
On Sat, 14 Apr 2018 03:47:57 +0200
"Jason A. Donenfeld" wrote:
> Hi Roman,
>
> This also came up in another thread I was replying to earlier tonight.
> While one way indeed is to have an 'include' directive, it seems
> simple enough to just do something like:
>
> $ wg setconf wg0 <(cat /etc/wir
On Sun, 25 Mar 2018 21:17:35 +0200
Kalin KOZHUHAROV wrote:
> There is a reason, at least one, good one - it is called simplicity.
> It is also hard to work when you are running out of disk space or
> memory; do you expect WG to solve that for you?
> Simply put, IP addressing schemes are not a par
Hello,
I need to have multiple gateways on my WG network that can provide access to
the entire IPv4 (or IPv6) Internet, for redundancy and load-balancing
purposes.
In WG terms this means I need to set AllowedIPs to 0.0.0.0/0 on more than one
peer. Then I would add routes into the regular routing
On Fri, 16 Mar 2018 15:53:43 +0500
Roman Mamedov wrote:
> But guess what, turns out that didn't work either. Tried both OUTPUT and
> POSTROUTING chains on the "mangle" table, and set-mss all the way down to
> 1220, no matter what, the iperf3 output looked the same
On Fri, 16 Mar 2018 10:35:18 +0100
Matthias Ordner wrote:
> If you only care about TCP connections you could set a different TCP-MSS
> with an iptables rule.
On Fri, 16 Mar 2018 11:01:51 +0100
Kalin KOZHUHAROV wrote:
> You may need to pre-shape the packets for the "offenders", e.g.
>
> ip6ta
Hello,
I have a host which is on PPPoE and has 1492 as underlying MTU.
When WireGuard starts by default, it sets MTU of its interface to 1420. All
TCP connections trying to send a stream of data over the WG interface to that
host, hang up (I test with iperf3).
My first idea was to override the M
Hello,
I would like to be able to split the [Interface] and [Peer] parts of the config
file into separate files. The reason is that currently I manage configurations
of my various hosts at a central location, then push out common configs to all
hosts.
This becomes problematic with current WireGua
100 matches