Netflix Issues over WireGuard

johnpoz

What do you wan to do with your wg connection? Do you want to route all traffic out it, just some traffic?

Unless the upstream vpn provider knows about all your networks (which would for sure conflict with the other clients using the vpn service) You would need an outbound nat your networks to vpn network IP.

Just like you do in any other vpn connection. Just like you do on your normal wan connection. Pfsense nats your networks IPs to the IP of the connection.

If you setup wg to be your default route, then you wouldn't need to policy route, other than stuff you don't want to go down the vpn. If you don't have wg setup as your default route, then you would need to route traffic you want to go out that connection.. Your going to need an outbound nat in there somewhere..

Policy routing depends on what you want to do, and how your doing it. The protocols and methods used in wg doesn't really matter. When it comes to routing.

Not sure what guide you followed, or what service your using that provides wg as a method of connecting. But when it comes to routing and firewall rules - what you use for the tunnel.. What needs to be understood are you going to send all traffic down this tunnel or not?

My "guess" to your netflix issues or any other issues some other sites would be you messing with rules and having states, and then changing new connections to take a different route, etc.

You mention a phone? Not sure how that comes into play at all.. Why don't you draw up your network with this wrt, where your wifi comes in... And exactly your wanting to use wg.. I could see all kinds of issues if your wifi is of your wrt, and pfsense is downstream of that and your connecting to this wifi trying to connect to wg running on pfsense, and then send it down another wg connect to some vpn service to get to the internet?

arrmo

@johnpoz said in Netflix Issues over WireGuard:

What do you wan to do with your wg connection? Do you want to route all traffic out it, just some traffic?

Thanks for taking the time to explain this, it does help! Let me try to clarify. FYI, this is a bit of a follow-on, to getting the basic setup working (first) ... captured here. But not expecting you to go through that, let me try to summarize!

Yes, I am trying to route all traffic over the WG connection. I know that WG relies on peer connections, but to make explaining easier, let me use the server and client terms. Hopefully why will become clear in a minute .

I have a pfSense machine ("server") here beside me, and a remote OpenWrt (OW) "client" (child away at university - LOL!). So trying to route all the remote (client) traffic through my local pfSense firewall. I have WG up and running, and basically working pretty well - in fact, if I ssh in to the OW box itself, I can get to the internet, everything seems to work. Where I have been having issues is with the subnet (DHCP clients) hanging off of the OW router. Clear so far?

A bit more detail to help - the local subnet (behind pfSense) is 192.168.2.x (and the cable modem, WAN side of pfSense, is 192.168.1.x). The remote OW subnet is 192.168.0.x. For WG, pfSense is 192.168.253.1, OW is 192.168.253.3 (and another WG client, my mobile, is 192.168.253.2 ... odd that this is the WG GW address that pfSense shows - hence the comment above, but that may be a red herring).

Hopefully still clear. Now, I have assigned wg0 on pfSense to an interface (WG), so in the pfSense Rules I do see WG (interface), and WireGuard (application / group). If I pass all traffic on WireGuard, Netflix works just fine. But if I don't, and instead do it through WG (the interface) ... nope, issues then. Here are the rules I was recommended to add to pfSense (WG interface),

As you mention, I also have Outbound (Hybrid) NAT set up for the OW subnet, as it's not NAT'ing on the OW side. Here is that setup (and of course, on top of this I have the Automatic Rules) - BTW, I did ask, and I was told that the"Interface" here is supposed to be WAN, not WG (right?),

Still with me? Hopefully I'm explaining this OK. I agree with the recommendation that was mentioned in the other thread ... use the WG interface to ensure reply-to is enabled, but it seems to be part of my issue (as setting pass-all instead on WireGuard (group) allows Netflix to work).

Thoughts? Something here I have all messed up / misunderstood.

Thanks for the patience! And sorry for the long-winded summary .

johnpoz

So you have a remote device using wrt running WG that you want to connect to pfsense, and get to stuff on your network, like a nas or plex server?

Not sure why you want to route traffic from this remote wrt box through your internet connection.. Why would you not just let them use their own internet, and only route through the wg vpn for access to your local stuff?

You want to route your internet through wg to this remote wrt box? Why?

Still at a loss to what your wanting to accomplish

you have

child - wrt --- internet (wg vpn) --- pfsense -- your network

Why would child not just use their internet, and pfsense use its internet. The wg is for you to talk to stuff on child network, and for child to talk to your network.

Why would you route netflix through wg or anything other than your 2 networks??

arrmo

@johnpoz Two reasons actually ,

1. There have been a lot of security related issues with the university residence network - so I'd feel safer if all of her traffic comes back through here. Ya, it may just make me feel better ... LOL!
2. The residence network does seem to have issues with a lot of things - almost any streaming video and audio is broken (even though they say it's fine, and the service is 100 Mb/s!). She can't even stream music to her Google Home Mini, and forget about Netflix (but I pay for 4 Netflix users ... arrgh!).

johnpoz

Not sure how you think streaming through your internet would make that faster? If they have a shared internet of 100mbps shared among how many students? Yeah its prob going to suck, routing through that internet to you isn't going to make it faster.. If anything slower..

The only reason to route their stuff through your internet would be circumvention.. She is behind a router, she is just as safe there as she is routing traffic through you.

arrmo

@johnpoz Ya, I'm not sure it's speed - I tested, and she gets ~ 40 Mb/s back to here. Their DNS is really messed up, that I have seen / checked.

If this isn't going to work I guess I can go back to OpenVPN. That was working, it just requires a router reboot every couple of days (not sure why ... it's solid when running, just burps at times). And I admit, WG seemed like a challenge, so now it's more about proving I can get it working. Ya, I'm stubborn ... LMAO!

Thanks!

Griffo

@arrmo said in Netflix Issues over WireGuard:

. It's always the same IP, and also matching to my local internet IP (i.e. WAN side of pfSense). I also checked whois for that IP, and it's correct. FYI, thanks to @AB5G, I have Outbound NAT set up for my pfSense box, so the external traffic should look the same ... agreed? Oh, and YouTube TV is happy, it's also checking IP address - right?

BTW, I am using http://ip4.me/api/ for (internet) IP, works quite nicely (even with curl).

Thanks!

also

I did not have an interface assigned for OpenVPN (mistake perhaps, but that's for another day ... LOL!). But I did have a "pass all" rule for OpenVPN (group).

It's always the Same IP? You didn't have an interface for OpenVPN ?
Are you sure you were actually sending any traffic down either VPN? THose comments plus the firewall rules you posted.. not sure it could ever have worked.

BTW - when Netflix blocks you for VPN / Proxy, it tells you. It doesn't just not work.

arrmo

@griffo said in Netflix Issues over WireGuard:

You didn't have an interface for OpenVPN ?

Correct. I didn't know better . I did have firewall rules though, for the group ... so that way traffic was not blocked (over VPN).

@griffo said in Netflix Issues over WireGuard:

Are you sure you were actually sending any traffic down either VPN?

Pretty sure ... LOL! I say that because,

1. what is my IP => gives me the pfSense internet IP
2. I do see traffic in the Rules (states) of OpenVPN (group)
3. traceroute to google.com, from OW => goes over the OpenVPN N/W

@griffo said in Netflix Issues over WireGuard:

BTW - when Netflix blocks you for VPN / Proxy, it tells you. It doesn't just not work.

Yes, it's just plain timing out. And it's not only Netflix ... she can't even get to some local sites there (that don't need anything special).

Thanks!

arrmo

And what is odd ... if I just add a rule on the group (not interface), then it works ... Netflix that is, still some sites don't. That makes my head hurt .

johnpoz

You mention local sites - at the school? Yeah those would prob be broken if your going to send traffic down the vpn.. You would have all those not to go through the vpn..

This gets complicated very quickly - I personally do not see what the point would be other than access to local stuff on your network.

Netflix could also have issues with dns.. I don't know if netflix has started doing this - but a method to prevent geoip circumvent could be to not prevent access to IPs from different regions..

So with how dns can work with CDNs - like netflix, is your query comes from region A of the world.. It points to IPs in Region A.. If your query comes from region B, you get handed Region B IPs.. But if your trying to talk to Region B ip from Region A you could be blocked.

So with what your trying to do - you could have all kinds of issues going on, where are you pointing the wrt clients to for dns? Where is your vpn exit point, etc.

How you route traffic down the wg vpn from the client to you, would be different than how its done in openvpn.

Before you go playing with your wrt end, I would just set it up to test with your phone using your cell connection.. As you test client.

arrmo

@johnpoz said in Netflix Issues over WireGuard:

You mention local sites - at the school?

Agreed! I was thinking that, but they are public sites - I can get to them from here (i.e. sitting on the pfSense subnet). Of course that may just be confusing me.

@johnpoz said in Netflix Issues over WireGuard:

Before you go playing with your wrt end, I would just set it up to test with your phone using your cell connection.. As you test client.

Agreed! I have my phone doing that, routing all traffic ... and it works like a champ (of course ... LOL). It's also the case that the router itself works fine - but I think it directly accesses WG on that end. It's just DHCP clients on the OW subnet, they are the only ones having issues.

Part of my confusion is that Netflix (my test site, as I know it breaks sometimes) works fine if the rule is applied to the tunnel, but not the interface. So I can make it work, but now it's just annoying me, and I don't like things I don't understand ... LMAO! So not a huge issue, as I say - an annoyance. But I'd also like to figure it out, so others can learn from it, avoid the pain in the future. Paying back for the help folks have given me. So part of me doesn't want to stop, but part of me also knows it may not be worth the fight .

Thanks!

johnpoz

I have not looked at all to how wg is setup in psfense.. Once 2.5 comes out it will be one of my new things to play with.

I have phones to play with, I have VPS all over the globe I can leverage to act as clients..

To your setup there really should be no difference between a wrt client or a phone client (coming from the internet via cell coverage - not your wifi)

I can setup vps as a wg peer, and use pfsense as client and route all my traffic through that, etc.

But I have not spent any time playing with wg, because until it was part of pfsense there was no point in playing with it. I would never set it up on its own, because openvpn in pfsense provides everything I need in a vpn solution for my phones.. Or for routing traffic out a vpn, etc.

Once 2.5 drops I have these on my today/play list

Reinstall using ZFS vs UFS..
Set HAproxy to only do tls 1.3 (waiting update of openssl on pfsense)
Play with WG.
Play with usb tethering in using my cell phone as emergency whole home internet connection if internet is out..

Other stuff - haven't put on the list yet ;)

arrmo

@johnpoz You have a long list . And not sure about you, but I find these things fun ... and painful ... all at the same time. But like a puzzle, I can't put them down. That's why I keep trying to get this one working - not really having to, but it's also a challenge I just can't drop.

Thanks!

PS, will report back as I do fight through this ... just cuz I will in time, and to let others know so they avoid the same pitfalls.

johnpoz

Not really that long ;)

Yeah I find this stuff fun - but I have been doing IT for like 30 years.. And do it for a living as well. I am senior network engineer for a global 100 company.. More of operations manager as of late ;)

But yeah a puzzle/problem is what drives me.. So give me a few days after 2.5 drops and will be much better suited to answer any wg questions.

arrmo

@johnpoz Sounds great! And we need to talk. We sound very similar - I have an RF background, wireless R&D for network equipment, for about 30 years now also ... . Sadly, I remember the days of Nortel, used to work there ... a bit back now of course!

johnpoz

RF you say ;) guess what I did in the Navy.. HF comms, most specific the SRC-16, but also URT-23s and some crypto..

That was back before computers were really even thing..

arrmo

@johnpoz Nice! Sounds very cool. And yes, computers were real boat anchors back then . I started in optical fiber amplifiers. Man, takes me back!

AB5G

@arrmo Your issue may be related to this - https://www.reddit.com/r/WireGuard/comments/ef1hhj/mturelated_problems_when_using_a_lan_gateway_to/

I'm taking a guess here but only Netflix not working points to the MTU issues.

arrmo

@ab5g said in Netflix Issues over WireGuard:

I'm taking a guess here but only Netflix not working points to the MTU issues.

It may be! I had other issues before, that may have been "hiding" this. Hmmm ... let me read this one over a couple times - wondering where I need to set the MTU (i.e. just on OpenWrt "client"). It's funny, but two different DHCP clients hanging off that OW router - one works, the other doesn't ... LOL.

Thanks!

Griffo

@ab5g Given your prompt I just went and did the old ping test to determine MTU on some of my WG tunnels. The highest i could get was 1392 without a fragmentation error, which given the 28 byte ICMP & TCP header aligns to 1420.

I then checked ifconfig, and it looks like pfsense already sets all WG interfaces to 1420:

e.g

wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
    

What I can't find is why 1420 is the magic number.. I thought WG had only 32 bytes of overhead

I can confirm however that Netflix works fine on my WG tunnels to a commercial VPN provider.