OPNsense Forum

English Forums => Virtual private networks => Topic started by: wpn38l on November 23, 2023, 04:41:49 pm

Title: Selective Routing through Wireguard works for Ping / DNS / Curl but can't browse
Post by: wpn38l on November 23, 2023, 04:41:49 pm
Howdy,

I've got a WireGuard tunnel set up using the Selective Routing guide. The tunnel is up and appears to be working. Ping responses to external hosts are on par with non-VPN traffic, I can resolve hosts with no issues, and using curl to check my IP I get the VPN IP address that I expect. I can even use iperf to do a bandwidth test and everything seems to be flowing at good speeds.

However, I can't browse the web. The firewall isn't catching anything in terms of blocks etc. Everything is being passed. I've messed around with the MTU and used ping to work out one that doesn't result in fragmentation, but that doesn't make any difference.

Investigating the traffic flow, I suspect there's something wrong with my NAT config, but I don't know what. When I turn on logging for all of my rules I can see the inbound traffic to my LAN interface with the source being the workstation and the destination being the external host. I can then see the outbound NAT with the source being the workstation and the destination being the external host. Finally, I can see outbound traffic that is caught by the floating rule with the source being my WireGuard peer address and the destination being the external host. (I've attached a screenshot.)

I've gone through the guide several times and each time I get the same result. I've tested a WireGuard connection using the Surfshark app on my workstation and it works, so it's not the provider.

Can anyone point me in the right direction? I'm at a loss. From what I can tell it should work, but it just does not want to.

Title: Re: Selective Routing through Wireguard works for Ping / DNS / Curl but can't browse
Post by: zan on November 23, 2023, 05:23:04 pm
I suspect PMTUD doesn't work correctly somewhere between your server, through the tunnel, to the endpoint, hence DF packets with large payloads like TLS packets can't be reassembled correctly.
You may need to set the MSS to make it work. Go to your WG interface and set the values of MTU and MSS. I usually use 1400 for both.
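An added illustration of the mechanism zan describes, not code from this thread or from the OPNsense project: a small model of why ping, DNS and an IP-check curl fit through the tunnel while a full-size TLS segment with DF set is silently lost when the Fragmentation Needed ICMP never gets back, and why lowering the MTU alone does not help until the MSS is clamped. It assumes IPv4 inside and outside the tunnel on a 1500-byte link, and that OPNsense's interface MSS field clamps at the entered value minus 40 bytes of TCP/IP headers, as that field's help text describes (check your version).

```python
# Constructed model, not OPNsense or WireGuard code. IPv4 on a 1500-byte link.
LINK_MTU = 1500
WG_OVERHEAD_V4 = 60    # 20 IPv4 + 8 UDP + 32 WireGuard (type, counter, auth tag)
TCP_IP_HEADERS = 40    # 20 IPv4 + 20 TCP, no options
WG_DEFAULT_MTU = 1420  # WireGuard's default; leaves room for an IPv6 outer header


def tunnel_mtu(link_mtu=LINK_MTU):
    """Largest inner IPv4 packet that still fits in one outer UDP datagram."""
    return link_mtu - WG_OVERHEAD_V4


def opnsense_effective_mss(field_value):
    """Assumption: the interface MSS field clamps at value minus 40 (TCP/IP headers)."""
    return field_value - TCP_IP_HEADERS


def deliver(packet_len, path_mtu, df=True, icmp_reachable=False, mss_clamp=None):
    """Outcome of one IP packet of packet_len bytes crossing the tunnel.

    'delivered'   fits the path MTU
    'fragmented'  too big but DF clear, so it is fragmented and reassembled
    'resized'     too big, DF set, Fragmentation Needed reached the sender (PMTUD works)
    'black_holed' too big, DF set, and the ICMP never arrived: silently lost
    """
    if mss_clamp is not None:  # TCP only: the peer never sends more than MSS payload
        packet_len = min(packet_len, mss_clamp + TCP_IP_HEADERS)
    if packet_len <= path_mtu:
        return "delivered"
    if not df:
        return "fragmented"
    return "resized" if icmp_reachable else "black_holed"


def thread_scenarios():
    """The OP's symptoms and the fix, with the ICMP path assumed broken."""
    mtu = tunnel_mtu()  # 1440: what fits once WireGuard's 60 bytes are added
    return {
        "ping": deliver(84, mtu),          # 20 IP + 8 ICMP + 56 data
        "dns": deliver(108, mtu),          # small UDP query/answer
        "curl_ip": deliver(300, mtu),      # tiny HTTP body
        "tls_https": deliver(1500, mtu),   # 1460-byte segment from a 1500-MTU host
        "mtu_only": deliver(1500, 1400),   # OP lowered the MTU, peers still send 1460
        "fixed": deliver(1500, 1400, mss_clamp=opnsense_effective_mss(1400)),
    }
```

The "fixed" case is zan's setting: MTU 1400 with MSS field 1400 gives a 1360-byte clamp, so the largest TCP packet is exactly 1400 bytes and no longer depends on PMTUD.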
Title: Re: Selective Routing through Wireguard works for Ping / DNS / Curl but can't browse
Post by: wpn38l on November 23, 2023, 05:41:01 pm
You are a legend. That did the trick.

Thank you so much for that.