Netflix Issues over WireGuard
-
You mention local sites - at the school? Yeah those would prob be broken if you're going to send traffic down the vpn.. You would have to set all those not to go through the vpn..
This gets complicated very quickly - I personally do not see what the point would be other than access to local stuff on your network.
Netflix could also have issues with dns.. I don't know if netflix has started doing this - but a method to prevent geoip circumvention could be to not prevent access to IPs from different regions..
So with how dns can work with CDNs - like netflix, if your query comes from region A of the world.. It points to IPs in Region A.. If your query comes from region B, you get handed Region B IPs.. But if you're trying to talk to a Region B ip from Region A you could be blocked.
So with what you're trying to do - you could have all kinds of issues going on, where are you pointing the wrt clients to for dns? Where is your vpn exit point, etc.
How you route traffic down the wg vpn from the client to you, would be different than how it's done in openvpn.
Before you go playing with your wrt end, I would just set it up to test with your phone using your cell connection.. As your test client.
-
@johnpoz said in Netflix Issues over WireGuard:
You mention local sites - at the school?
Agreed! I was thinking that, but they are public sites - I can get to them from here (i.e. sitting on the pfSense subnet). Of course that may just be confusing me.
@johnpoz said in Netflix Issues over WireGuard:
Before you go playing with your wrt end, I would just set it up to test with your phone using your cell connection.. As you test client.
Agreed! I have my phone doing that, routing all traffic ... and it works like a champ (of course ... LOL). It's also the case that the router itself works fine - but I think it directly accesses WG on that end. It's just DHCP clients on the OW subnet, they are the only ones having issues.
Part of my confusion is that Netflix (my test site, as I know it breaks sometimes) works fine if the rule is applied to the tunnel, but not the interface. So I can make it work, but now it's just annoying me, and I don't like things I don't understand ... LMAO! So not a huge issue, as I say - an annoyance. But I'd also like to figure it out, so others can learn from it, avoid the pain in the future. Paying back for the help folks have given me. So part of me doesn't want to stop, but part of me also knows it may not be worth the fight.
Thanks!
-
I have not looked at all at how wg is setup in pfsense.. Once 2.5 comes out it will be one of my new things to play with.
I have phones to play with, I have VPS all over the globe I can leverage to act as clients..
To your setup there really should be no difference between a wrt client or a phone client (coming from the internet via cell coverage - not your wifi)
I can setup vps as a wg peer, and use pfsense as client and route all my traffic through that, etc.
But I have not spent any time playing with wg, because until it was part of pfsense there was no point in playing with it. I would never set it up on its own, because openvpn in pfsense provides everything I need in a vpn solution for my phones.. Or for routing traffic out a vpn, etc.
Once 2.5 drops I have these on my today/play list
Reinstall using ZFS vs UFS..
Set HAproxy to only do tls 1.3 (waiting update of openssl on pfsense)
Play with WG.
Play with usb tethering in using my cell phone as emergency whole home internet connection if internet is out.. Other stuff - haven't put on the list yet ;)
-
@johnpoz You have a long list. And not sure about you, but I find these things fun ... and painful ... all at the same time. But like a puzzle, I can't put them down. That's why I keep trying to get this one working - not really having to, but it's also a challenge I just can't drop.
Thanks!
PS, will report back as I do fight through this ... just cuz I will in time, and to let others know so they avoid the same pitfalls.
-
Not really that long ;)
Yeah I find this stuff fun - but I have been doing IT for like 30 years.. And do it for a living as well. I am senior network engineer for a global 100 company.. More of operations manager as of late ;)
But yeah a puzzle/problem is what drives me.. So give me a few days after 2.5 drops and will be much better suited to answer any wg questions.
-
@johnpoz Sounds great! And we need to talk. We sound very similar - I have an RF background, wireless R&D for network equipment, for about 30 years now also ... Sadly, I remember the days of Nortel, used to work there ... a bit back now of course!
-
RF you say ;) guess what I did in the Navy.. HF comms, most specifically the SRC-16, but also URT-23s and some crypto..
That was back before computers were really even a thing..
-
@johnpoz Nice! Sounds very cool. And yes, computers were real boat anchors back then. I started in optical fiber amplifiers. Man, takes me back!
-
@arrmo Your issue may be related to this - https://www.reddit.com/r/WireGuard/comments/ef1hhj/mturelated_problems_when_using_a_lan_gateway_to/
I'm taking a guess here but only Netflix not working points to the MTU issues.
-
@ab5g said in Netflix Issues over WireGuard:
I'm taking a guess here but only Netflix not working points to the MTU issues.
It may be! I had other issues before, that may have been "hiding" this. Hmmm ... let me read this one over a couple times - wondering where I need to set the MTU (i.e. just on OpenWrt "client"). It's funny, but two different DHCP clients hanging off that OW router - one works, the other doesn't ... LOL.
Thanks!
-
@ab5g Given your prompt I just went and did the old ping test to determine MTU on some of my WG tunnels. The highest I could get was 1392 without a fragmentation error, which given the 28 byte ICMP & TCP header aligns to 1420.
I then checked ifconfig, and it looks like pfsense already sets all WG interfaces to 1420:
e.g.
wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
What I can't find is why 1420 is the magic number.. I thought WG had only 32 bytes of overhead
I can confirm however that Netflix works fine on my WG tunnels to a commercial VPN provider.
-
@griffo 1420 is the default MTU for WG (1500-80) - comes from here - https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html
If you are running WG over a PPPoE instead of Ethernet then instead of 1500-80 you'd have 1492 (MTU for PPPoE) - 80 = 1412.
P.S.: For me I have no issues on WG - except for some missing packets that I strongly believe are a bug. I have a separate thread on it.
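The ping test @griffo describes and the 1500-80 arithmetic @ab5g gives are the same calculation from two ends, so here is an added example (not code from this thread or from pfSense) that does both: it binary-searches the largest payload a don't-fragment ping will carry, adds the 28 bytes of IPv4 + ICMP header back to get the path MTU, and computes the WireGuard inner MTU for an Ethernet or PPPoE outer link. The ping flag names are assumptions about the local ping binary (Linux uses -M do, FreeBSD and macOS use -D), the host 10.0.0.1 is a placeholder, and the simulated probe is a constructed stand-in so the search can be exercised without a network.

```python
"""Find the largest unfragmented ping payload and derive the tunnel MTU.

Added example, not from the forum thread or from pfSense. Overheads used:
IPv4 header 20 + ICMP header 8 = 28 bytes (so payload 1392 -> MTU 1420);
WireGuard over an IPv6 outer packet adds 40 (IPv6) + 8 (UDP) + 32 (WireGuard)
= 80 bytes, over an IPv4 outer packet 20 + 8 + 32 = 60 bytes.
"""
import platform
import subprocess

IPV4_ICMP_OVERHEAD = 28
WG_OVERHEAD_IPV6 = 80
WG_OVERHEAD_IPV4 = 60
ETHERNET_MTU = 1500
PPPOE_MTU = 1492


def wireguard_mtu(outer_mtu=ETHERNET_MTU, outer_ipv6=True):
    """Inner MTU a WireGuard interface can carry over the given outer link."""
    overhead = WG_OVERHEAD_IPV6 if outer_ipv6 else WG_OVERHEAD_IPV4
    return outer_mtu - overhead


def df_ping_command(host, payload):
    """One don't-fragment ping of `payload` data bytes (assumed flag names)."""
    if platform.system() == "Linux":
        return ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    # FreeBSD (pfSense) and macOS: -D sets the DF bit
    return ["ping", "-c", "1", "-D", "-s", str(payload), host]


def real_probe(host):
    """Probe that succeeds when a DF ping of the given payload gets a reply."""
    def probe(payload):
        result = subprocess.run(df_ping_command(host, payload), capture_output=True)
        return result.returncode == 0
    return probe


def simulated_probe(path_mtu):
    """Constructed stand-in for ping: succeeds iff the IPv4 packet fits path_mtu."""
    return lambda payload: payload + IPV4_ICMP_OVERHEAD <= path_mtu


def find_max_payload(probe, low=0, high=1472):
    """Largest payload in [low, high] the probe accepts, by binary search.

    Assumes the path is monotonic: if a size passes, every smaller size passes.
    Returns None when even the smallest size fails (host down or filtered).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu_from_payload(payload):
    """Path MTU implied by the largest unfragmented IPv4 ping payload."""
    return payload + IPV4_ICMP_OVERHEAD


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1"  # placeholder peer
    payload = find_max_payload(real_probe(host))
    if payload is None:
        print(f"no reply from {host} even at payload 0")
    else:
        print(f"max DF payload {payload} -> path MTU {path_mtu_from_payload(payload)}")
    print(f"WireGuard MTU over Ethernet/IPv6: {wireguard_mtu()}")
    print(f"WireGuard MTU over PPPoE/IPv6:    {wireguard_mtu(PPPOE_MTU)}")
```

Run it with the far end of the tunnel as the argument; if the search lands on 1392 the path really is carrying 1420-byte packets, and a lower number means something between the two peers (PPPoE, a nested tunnel) is eating more than the 80 bytes WireGuard budgets for.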
-
@griffo said in Netflix Issues over WireGuard:
The highest i could get was 1392 without a fragmentation error
Hi,
Sorry for the delay - having a bit of "fun" today, with rolling power outages thanks to crazy winter weather. Trying to get to this, between outages.
@Griffo , to your comment above, about "The highest i could get was 1392 without a fragmentation error" ... are you just adjusting the size of ping (packets), to see where it breaks? Will try to duplicate here, but want to first understand how you are doing it.
I do see here the same 1420 MTU on pfSense, but perhaps on the remote end (OW) it's not following / abiding by this? I do also see some notes in the links from @AB5G (thanks!) about messing with iptables - is this on the OW side (I assume, but may be wrong).
Thanks again!
-
OK, an update - and this is VERY odd. There are two clients behind the OW router, both getting DHCP from the router, and both on the same subnet and WG link of course. But ... one of them, Netflix is fine. The other - nope! One is a Windows laptop, the other a Roku TV. I did change the MTU setting on the router, but that made no difference, and I actually captured the traffic coming out from the tunnel on the pfSense side (tcpdump) - both seem to show a maximum packet size of 1424 (to and from Netflix) ... not sure if that is an issue or not, as this is on the pfSense side, not OW (where I reduced the size ... perhaps not enough though?).
But ... as both clients are on the same subnet - seems like it's not routing, nor packet size? Or am I just confused?
Thanks!
-
I suspect that TCP MSS clamping is not enabled for wireguard interfaces. I am facing similar issues with not just Netflix but several other websites on 2.5 when wireguard is enabled to route all traffic through VPN.
I was able to fix this by adding a clamping rule on my VPN server. Ideally I would like pfSense to add the rule on the interface by default.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
@dhiru Yes, agreed - and similar to the link above from @AB5G. There is a way to do this in the webConfigurator as well (you can set MSS inside the interface). I tried it, and it works ... and also fixes my issue, thanks!
What's very odd, I can see the MSS webConfigurator setting works (based on tcpdump captures). But when I upgraded from 2.5-RC to 2.5 => it no longer seems to be needed. Huh?
Thanks!
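@dhiru's clamping rule and @arrmo's tcpdump check both come down to one question: does the MSS each client advertises in its SYN fit inside the 1420-byte tunnel? This added example (not from the thread, pfSense or OpenWrt) parses a few constructed tcpdump SYN lines, works out the largest MSS the tunnel MTU allows (MTU minus 40 bytes of IPv4 + TCP header, or minus 60 for IPv6), and reports which clients would need clamping. The addresses and capture lines are constructed for the example; the format is the one tcpdump prints for TCP options.

```python
"""Check advertised TCP MSS values against a WireGuard tunnel MTU.

Added example, not from the forum thread. A client that advertises an MSS
larger than (tunnel MTU - IP/TCP headers) will receive segments that do not
fit in the tunnel; when the DF bit is set and ICMP "fragmentation needed" is
lost, the connection stalls on large downloads while small pages still load.
"""
import re

WG_MTU = 1420
IPV4_TCP_HEADERS = 40   # 20 IPv4 + 20 TCP
IPV6_TCP_HEADERS = 60   # 40 IPv6 + 20 TCP

# Constructed tcpdump lines (not a real capture): one clamped client, one not.
SAMPLE_CAPTURE = """\
10:01:02.100000 IP 192.168.2.10.51234 > 203.0.113.5.443: Flags [S], seq 100, win 64240, options [mss 1380,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
10:01:02.200000 IP 203.0.113.5.443 > 192.168.2.10.51234: Flags [S.], seq 200, ack 101, win 65535, options [mss 1380,sackOK,TS val 2 ecr 1,nop,wscale 8], length 0
10:01:03.100000 IP 192.168.2.20.40001 > 203.0.113.5.443: Flags [S], seq 300, win 65535, options [mss 1460,sackOK,nop,wscale 6], length 0
10:01:03.300000 IP 192.168.2.20.40001 > 203.0.113.5.443: Flags [.], ack 301, win 1024, length 0
"""

SYN_RE = re.compile(
    r"^\S+ (?P<proto>IP6?) (?P<src>\S+) > (?P<dst>\S+): Flags \[S\.?\].*?"
    r"options \[(?P<opts>[^\]]*)\]"
)
MSS_RE = re.compile(r"\bmss (\d+)")


def max_mss(tunnel_mtu=WG_MTU, ipv6=False):
    """Largest MSS whose segments still fit the tunnel MTU."""
    return tunnel_mtu - (IPV6_TCP_HEADERS if ipv6 else IPV4_TCP_HEADERS)


def parse_syn_mss(capture_text):
    """Yield (src, dst, is_synack, mss) for every SYN/SYN-ACK carrying an MSS option."""
    results = []
    for line in capture_text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue                      # not a SYN, or no options block
        mss = MSS_RE.search(m.group("opts"))
        if not mss:
            continue                      # SYN without an MSS option
        is_synack = "[S.]" in line
        results.append((m.group("src"), m.group("dst"), is_synack, int(mss.group(1))))
    return results


def find_unclamped(capture_text, tunnel_mtu=WG_MTU):
    """Return the client SYNs whose MSS exceeds what the tunnel can carry.

    Only outbound SYNs (not SYN-ACKs) are judged: those are the ones the
    clamping rule on the VPN side rewrites. Each entry is (src, mss, limit).
    """
    limit = max_mss(tunnel_mtu)
    return [
        (src, mss, limit)
        for src, _dst, is_synack, mss in parse_syn_mss(capture_text)
        if not is_synack and mss > limit
    ]


if __name__ == "__main__":
    for src, mss, limit in find_unclamped(SAMPLE_CAPTURE):
        print(f"{src}: advertises mss {mss}, tunnel allows at most {limit}; needs clamping")
```

Pipe a real capture in place of SAMPLE_CAPTURE (for example the output of `tcpdump -nn -i wg0 'tcp[tcpflags] & tcp-syn != 0'`) and the list is the set of clients the MSS setting on the interface, or the TCPMSS rule @dhiru posted, has to fix; an empty list after enabling clamping is the confirmation @arrmo saw in the captures.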