Can't connect to github.com through OpenWrt using Wireguard

Removed the static routes and ran 8 traceroutes (IPv4/6, modem/OpenWrt router, linux/windows). Looks like you're on the right track, this is more progress than I've made in weeks. So IPv6 support would be the problem?

Windows, Modem, IPv6

Tracing route to google.com [2a00:1450:4001:800::200e]
over a maximum of 30 hops:

  1    10 ms     4 ms     4 ms  kabel [x] 
  2    41 ms    16 ms    18 ms  x 
  3    19 ms    15 ms    15 ms  2a02:8100:6:2::105:c1 
  4     *        *        *     Request timed out.
  5     *       15 ms     *     2a00::1fff:0:c01:c01:9 
  6     *        *        *     Request timed out.
  7    28 ms    34 ms    29 ms  2001:4860:1:1::1d4 
  8    53 ms    44 ms    39 ms  2a00:1450:80f2::1 
  9    47 ms    41 ms    47 ms  2001:4860:0:12e4::1 
 10    42 ms    43 ms    70 ms  2001:4860:0:12e4::3 
 11    48 ms    29 ms    30 ms  2001:4860::c:4001:ec6 
 12    63 ms    28 ms    31 ms  2001:4860::c:4001:5c5 
 13    35 ms     *       29 ms  2001:4860::c:4000:f873 
 14     *        *        *     Request timed out.
 15    32 ms     *        *     2001:4860:0:1::26d7 
 16    28 ms    36 ms    28 ms  fra07s27-in-x200e.1e100.net [2a00:1450:4001:800::200e] 

Trace complete.

Windows, Router, IPv6

Unable to resolve target system name google.com.

Windows, Modem, IPv4

Tracing route to google.com [172.217.23.110]
over a maximum of 30 hops:

  1    30 ms    22 ms     5 ms  kabel [192.168.0.1]
  2     *       53 ms    30 ms  x-isp.superkabel.de [x]
  3    29 ms    38 ms    39 ms  x.static.kabel-deutschland.de [x]
  4    37 ms    62 ms    33 ms  145.254.3.94
  5   126 ms    67 ms    40 ms  145.254.2.217
  6    69 ms   136 ms    48 ms  145.254.2.217
  7    64 ms    71 ms    47 ms  72.14.194.138
  8    45 ms    48 ms   169 ms  216.239.62.103
  9   123 ms    51 ms    48 ms  108.170.253.34
 10    37 ms    76 ms   123 ms  216.239.57.7
 11   115 ms    62 ms    45 ms  172.253.50.110
 12    43 ms    49 ms    50 ms  209.85.241.145
 13    49 ms    46 ms    73 ms  108.170.226.2
 14    86 ms    45 ms    73 ms  108.170.252.65
 15    67 ms    49 ms   205 ms  172.253.73.155
 16    49 ms    40 ms    44 ms  fra16s45-in-f14.1e100.net [172.217.23.110]

Trace complete.

Windows, Router, IPv4

Tracing route to google.com [172.217.23.110]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  OpenWrt.lan [192.168.99.1]
  2    32 ms    28 ms    27 ms  x
  3    27 ms    28 ms    26 ms  x.se [x]
  4    34 ms    28 ms    37 ms  core2.ams.net.google.com [80.249.209.100]
  5    28 ms    30 ms    29 ms  108.170.241.172
  6     *       31 ms     *     209.85.254.157
  7    58 ms     *       55 ms  108.170.234.11
  8    59 ms    60 ms    58 ms  108.170.229.169
  9    66 ms    63 ms    62 ms  108.170.251.193
 10    57 ms    61 ms    56 ms  172.253.73.153
 11    55 ms    62 ms    61 ms  mil04s23-in-f110.1e100.net [172.217.23.110]

Trace complete. 

Linux Modem, IPv6

 1  kabel (x)  4,5553 ms  4,6142 ms  6,6722 ms
 2  x (x)  30,8669 ms  12,9900 ms  15,3939 ms
 3  x (x)  11,9746 ms  15,8145 ms  13,9181 ms
 4  2a02:8100:6:2::105:c1 (2a02:8100:6:2::105:c1)  14,9157 ms 2a02:8100:6:2::a:d (2a02:8100:6:2::a:d)  186,2798 ms *
 5  * * *
 6  * * *
 7  2001:4860:1:1::1d4 (2001:4860:1:1::1d4)  29,3146 ms  30,5681 ms  31,1880 ms
 8  2a00:1450:80b0::1 (2a00:1450:80b0::1)  27,0340 ms  25,8713 ms  25,6457 ms
 9  * * *
10  2001:4860:0:12e5::4 (2001:4860:0:12e5::4)  30,1130 ms  26,2233 ms  28,3097 ms
11  2001:4860::c:4001:ec1 (2001:4860::c:4001:ec1)  29,7255 ms  28,4526 ms  27,4241 ms
12  2001:4860::c:4001:9920 (2001:4860::c:4001:9920)  31,6615 ms  36,2326 ms  30,9295 ms
13  2607:f8b0:e000:8000::4 (2607:f8b0:e000:8000::4)  29,7721 ms  31,7576 ms  30,6741 ms
14  * * 2607:f8b0:e000:8000::3 (2607:f8b0:e000:8000::3)  27,6563 ms
15  * 2001:4860:0:1::3007 (2001:4860:0:1::3007)  32,4933 ms *
16  ams17s08-in-x0e.1e100.net (2a00:1450:400e:80e::200e)  35,1844 ms  28,7570 ms  28,6716 ms

Linux, Router, IPv6

traceroute6: connect: Network is unreachable

Linux, Modem, IPv4

traceroute to google.com (172.217.23.110), 30 hops max, 60 byte packets
 1  kabel (192.168.0.1)  9.979 ms  9.907 ms  9.856 ms
 2  x-isp.superkabel.de (x)  25.441 ms  27.085 ms  27.069 ms
 3  x.static.kabel-deutschland.de (x)  26.946 ms  31.380 ms  31.348 ms
 4  145.254.3.68 (145.254.3.68)  31.299 ms  31.236 ms  29.777 ms
 5  145.254.2.215 (145.254.2.215)  41.932 ms 145.254.2.217 (145.254.2.217)  42.585 ms 145.254.2.215 (145.254.2.215)  42.528 ms
 6  145.254.2.215 (145.254.2.215)  45.516 ms 145.254.2.217 (145.254.2.217)  27.621 ms  27.541 ms
 7  72.14.194.138 (72.14.194.138)  37.555 ms  49.961 ms  58.063 ms
 8  * * *
 9  209.85.251.130 (209.85.251.130)  62.910 ms 108.170.253.81 (108.170.253.81)  60.759 ms 216.239.54.180 (216.239.54.180)  60.699 ms
10  108.170.253.85 (108.170.253.85)  62.825 ms 108.170.253.51 (108.170.253.51)  70.185 ms 108.170.253.34 (108.170.253.34)  70.114 ms
11  216.239.57.218 (216.239.57.218)  70.104 ms  71.512 ms 216.239.63.49 (216.239.63.49)  33.072 ms
12  172.253.50.100 (172.253.50.100)  33.307 ms  39.791 ms 172.253.51.198 (172.253.51.198)  36.697 ms
13  72.14.233.247 (72.14.233.247)  39.807 ms 72.14.234.11 (72.14.234.11)  42.340 ms  42.666 ms
14  209.85.241.230 (209.85.241.230)  41.078 ms 209.85.245.31 (209.85.245.31)  55.573 ms 209.85.241.230 (209.85.241.230)  55.301 ms
15  108.170.251.193 (108.170.251.193)  56.489 ms 108.170.252.65 (108.170.252.65)  59.293 ms  57.634 ms
16  172.253.73.155 (172.253.73.155)  36.135 ms  37.519 ms 172.253.73.153 (172.253.73.153)  33.742 ms
17  mil04s23-in-f14.1e100.net (172.217.23.110)  35.885 ms  35.788 ms  33.103 ms

Linux, Router, IPv4

traceroute to google.com (172.217.20.78), 30 hops max, 60 byte packets
 1  _gateway (192.168.99.1)  0.925 ms  0.978 ms  1.324 ms
 2  x (x)  35.747 ms  35.732 ms  36.216 ms
 3  x.se (x)  36.432 ms  37.055 ms  37.157 ms
 4  core2.ams.net.google.com (80.249.209.100)  37.555 ms  37.548 ms  37.520 ms
 5  108.170.241.161 (108.170.241.161)  37.492 ms  37.469 ms  37.430 ms
 6  108.170.235.133 (108.170.235.133)  35.904 ms 108.170.235.135 (108.170.235.135)  30.545 ms 108.170.235.133 (108.170.235.133)  30.673 ms
 7  ams15s33-in-f14.1e100.net (172.217.20.78)  30.621 ms  30.872 ms  31.190 ms

Yes, it seems so.
If you don't need IPv6 right now, turn it off on the lan interface (remove option ip6assign).
Otherwise you'll need to configure IPv6 from Mullvad.


I don't need it and disabled it as you suggested, however the problem persists. Should I also remove the WAN6 interface? ifconfig shows that my computer still receives an IPv6 address from the router.

Did you restart networking?
What is the output of ifstatus lan?

I rebooted the router altogether. Here's ifstatus lan:

root@OpenWrt:~# ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 8947,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.99.1",
			"mask": 24
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		
	],
	"dns-server": [
		
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		
	}
}

Here's ifconfig on my computer:

enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.99.249  netmask 255.255.255.0  broadcast 192.168.99.255
        inet6 fe80::223d:2036:69ca:68b6  prefixlen 64  scopeid 0x20<link>
        inet6 fdd3:ef5d:b266:0:faf6:67c0:ff46:7993  prefixlen 64  scopeid 0x0<global>
        inet6 fdd3:ef5d:b266:0:d4e6:bb52:85bd:7039  prefixlen 64  scopeid 0x0<global>
        ether 30:85:a9:9d:5c:dc  txqueuelen 1000  (Ethernet)
        RX packets 11764985  bytes 14588082958 (14.5 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6339071  bytes 468237451 (468.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The link locals are stale entries. Do a restart of the pc interface and they will be gone.

I'm not so sure about that. I tried restarting the computer and the interface, still the same. I removed option ip6assign, however other remnants of IPv6 are still present. DHCP6 is still active in the LAN interface, in "server" mode. WAN6 is also still there. Could that be a problem?

I was under the impression that it would not advertise anything if there is no ipv6 address/prefix. Turn them off under lan and check.

I disabled everything I could find related to IPv6, rebooted the router then the PC, reset the ethernet connection, I am still receiving an IPv6 address. Could the modem be assigning the address over the router? Assuming IPv6 is the source of the connectivity problems, wouldn't it be possible to simply deactivate it on the computer's side? That would solve the problem.

Completely disabling IPv6 is no longer a supported function.
I would start a tcpdump on one of the lan hosts to verify where the RAs are coming from. I remember a topic some time ago, where a dumbAP in the lan kept advertising ULAs.

I thought about IPv6 at first, but github.com seems to have no IPv6 address.
And I also can't reach it with traceroute, but ping and web work fine.

@CreeperLava, check out this:

curl -I github.com
curl -I -L github.com
curl -L github.com | head

In addition, I'd recommend using a public DNS provider like Google or Cloudflare, since small-scale DNS providers more often have issues like outdated cache, missing or incorrect EDNS or DNSSEC support.

Looks about the same on Windows and Linux.

u42@u42-CX62-6QD:~$ curl -I github.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://github.com/

u42@u42-CX62-6QD:~$ curl -I -L github.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://github.com/

HTTP/1.1 200 OK
date: Fri, 24 Jul 2020 21:58:31 GMT
content-type: text/html; charset=utf-8
server: GitHub.com
status: 200 OK
vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
etag: W/"0a5e91fb1e374db3f9198b530879989a"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js
Set-Cookie: _gh_sess=zsn0BvnJmEmPhts9S2JFqx6Gtjf8XeU0S8Wm%2FqMXuYj7jbyqwfk%2BNKnkYxGSNL1SM03XoN7vBUdvNo8xlonKVFIz0epzFexH1UZoOHYz0zRoz%2Bfr5D3PzNX%2FmOCYf1DQcgi0czpx%2Bz8NIXlPVb52dzs%2B8BAWLz%2FZmsqhYH%2BpuTZqVq0gk34vgkw27GSmiGDAR005DqnskaKixJX%2F3v9YOJRTmsRNexAIMbBEFpXGVVfbeZpY9dFLSHTSDm9OL00o%2BFaAtSz3jX7KNiVadA9XHQ%3D%3D--TXhzV1TNvr16%2Bxqn--9uhssQJ8iZieMfsrFwhTGw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.1737202611.1595627919; Path=/; Domain=github.com; Expires=Sat, 24 Jul 2021 21:58:39 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sat, 24 Jul 2021 21:58:39 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
X-GitHub-Request-Id: 9216:8211:51227F:7634C6:5F1B598F

u42@u42-CX62-6QD:~$ curl -L github.com | head
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  
4
1
02 
 <!DOCTYPE html>
 <html lang="en">
   <head>
0    <meta charset="utf-8">
   <link rel="dns-prefetch" href="https://github.githubassets.com">
 4  <link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
100  6842    0  6842    0     0  25818      0 --:--:-- --:--:-- --:--:--  157k
curl: (23) Failed writing body (1350 != 1370)

What am I looking for exactly? I tried disabling IPv6 from Linux Mint's network manager, and while ifconfig doesn't show an inet6 entry anymore, the problem with github and posting on this forum, among others, persists.

Well, GitHub seems to work for you with cURL.
So, try to use another browser.
Try to enable/disable DNS over HTTPS in the browser.

That is so weird. I can in fact load the homepage of github.com on Google Chrome. I can't log in though, I get a timeout. DNS over HTTPS is already disabled. Enabling it doesn't change anything.

tcpdump -i br-lan -evn 'icmp6 && ip6[40] == 136'
This will show the RAs. But it is not connected to your problem with github.

Here's the result of tcpdump:

sudo tcpdump -i enp3s0 -evn 'icmp6 && ip6[40] == 136'
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:30:22.832631 3a:19:88:66:78:88 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::c473:a9a6:7822:7e53 > ff02::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::c473:a9a6:7822:7e53, Flags [override]
	  destination link-address option (2), length 8 (1): 3a:19:88:66:78:88
12:31:30.333770 d8:cb:8a:f1:fa:00 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::dd8b:2a78:cfbb:f920 > ff02::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::dd8b:2a78:cfbb:f920, Flags [override]
	  destination link-address option (2), length 8 (1): d8:cb:8a:f1:fa:00

I also found this post that corresponds to my problem. I tried the fix described by changing the MTU for enp3s0 to 1420, but the problem persists. I do experience the exact same symptoms though, even the Frag needed and DF set (mtu = 1420) message on pings.


136 is the neighbour advertisement, 134 is the router. Sorry, my bad. Try to run it again and compare the sending MAC address with the MAC of the router.

You don't need to change the MTU of the PC adapter. Leave it 1500 as the br-lan is.
The wireguard tunnel already has MTU 1420.

Ask your VPN provider if 1420 is the right value.

I finally have a solution. Setting the MTU to 1380 in the WireGuard interface solves the problem. Bloody hell was this difficult to troubleshoot. Thank you so much for your help, trendy, I really appreciate it. I learned a bunch of things about networking along the way, so this wasn't entirely pointless.

I'll leave the IPv6 as it is since it doesn't cause any issues.

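Added example (not part of the original thread): one way to arrive at a tunnel MTU such as the 1380 above by measurement instead of trial and error. It probes the largest unfragmented IPv4 packet the uplink carries and subtracts WireGuard's encapsulation overhead. It assumes a Linux host with iputils ping (`-M do` sets the DF bit), run outside the tunnel; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: measure the underlay path MTU, then derive the WireGuard MTU.

# probe SIZE HOST: succeed if an IPv4 packet of SIZE bytes in total reaches
# HOST with DF set. ICMP payload = SIZE - 20 (IPv4 header) - 8 (ICMP header).
# Assumes iputils ping; BusyBox ping on the router lacks -M.
probe() {
    ping -c 1 -W 2 -M do -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: binary search for the largest packet size
# that probe accepts. Prints 0 and fails if even LOW does not get through.
find_pmtu() {
    host=$1; lo=${2:-1280}; hi=${3:-1500}
    probe "$lo" "$host" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid            # mid fits: the answer is mid or larger
        else
            hi=$(( mid - 1 ))  # mid was dropped: the answer is smaller
        fi
    done
    echo "$lo"
}

# wg_mtu PATH_MTU FAMILY: tunnel MTU for an endpoint reached over IPv4 (4)
# or IPv6 (6). Overhead = outer IP header + 8 (UDP) + 32 (WireGuard data
# header and authentication tag), i.e. 60 bytes over IPv4, 80 over IPv6.
wg_mtu() {
    case $2 in
        4) outer=20 ;;
        6) outer=40 ;;
        *) echo "family must be 4 or 6" >&2; return 1 ;;
    esac
    echo $(( $1 - outer - 8 - 32 ))
}

# Usage (ENDPOINT is a placeholder for the VPN server address):
#   wg_mtu "$(find_pmtu ENDPOINT)" 4
```

The default of 1420 mentioned in the thread is `wg_mtu 1500 6`; any underlay path that carries less than 1500 bytes needs a smaller value, otherwise full-size packets hit the "Frag needed and DF set" error quoted earlier.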