Wireguard not opening websites even with MSS Clamping

I am trying to figure out why there are some websites I can't open through my OpenWrt WireGuard client, which sends all the traffic generated by my devices through my VPN. I know it's not an issue with my VPN provider, since this is not a problem when I use their app; it was also not a problem when I used VPN policy-based routing with both WireGuard and OpenVPN.

Enabling MSS clamping (`mtu_fix` on the wgclient zone) fixed many sites, but it didn't seem to help for nyaa and probably debian.

Below are my configuration files (keys and pre-shared key replaced with placeholders). I wish I had more information, though.

/etc/config/network

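 # /etc/config/network as posted (the gutter line numbers from the forum paste removed).
# NOTE(review): the pasted gutter numbers jump from 71 to 83 before the 'Link'
# interface, so roughly a dozen lines of the real file are not shown here.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdea:0a2e:f44b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

# LAN on 192.168.2.0/24. DHCP clients are handed 192.168.2.15 as resolver,
# the same host the firewall's Redirect-DNS rule forces port-53 traffic to.
# ip6assign gives the LAN an IPv6 prefix, so clients also get IPv6 connectivity.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        list dns '192.168.2.15'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

# Wireless uplink; peerdns '0' ignores the upstream's resolver and uses the
# local one instead.
config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '192.168.2.15'

# WireGuard client. The key values below are placeholders: never paste the
# real private_key or preshared_key into a public post, anyone holding them
# can impersonate this peer towards the provider.
# 'list dns 8.8.8.8' sets the router's own upstream resolver for this
# interface; LAN clients still receive 192.168.2.15 from the 'lan' section.
config interface 'wgclient'
        option proto 'wireguard'
        option private_key 'FISJHFSOMEPRIVATEKEYANKJSDNF='
        list addresses '100.120.156.107/32'
        list dns '8.8.8.8'

# allowed_ips 0.0.0.0/0 + ::/0 together with route_allowed_ips make the
# tunnel the default route for both address families. This only steers
# routing: whether traffic can still leave via 'wan' while the tunnel is
# down is decided by the firewall's lan->wan forwarding, not here.
config wireguard_wgclient
        option public_key 'FGSDIUFSIFJSNTYESDSHSJFN='
        option preshared_key 'SNSIDFSBSFSIOMEPREHSAHRED='
        option endpoint_host 'bos-298-wg.whiskergalaxy.com'
        option endpoint_port '1194'
        option description 'WSMIT'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

# Second subnet 192.168.1.0/24. 'Link' is placed in the 'lan' firewall zone,
# so it is trusted like the main LAN.
# NOTE(review): this interface declares no 'option device', so it may never
# actually come up -- confirm with 'ifstatus Link'.
config interface 'Link'
        option proto 'static'
        list ipaddr '192.168.1.2/24'

# Static route to the second subnet via 192.168.2.2 on the main LAN.
# NOTE(review): no 'option interface' is given, which OpenWrt static routes
# normally need; verify with 'ip route' that this route is really installed.
config route
        option target '192.168.1.0/24'
        option gateway '192.168.2.2'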

/etc/config/firewall

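# /etc/config/firewall as posted (the gutter line numbers from the forum paste
# removed; the truncated second copy of the 'dot_fwd' stanza, a paste artifact,
# is dropped).

# Zone policies below override these defaults; 'forward REJECT' is what blocks
# traffic between zones unless a 'config forwarding' stanza allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# 'lan' holds both the 192.168.2.0/24 bridge and the 'Link' interface, so hosts
# on 192.168.1.0/24 reach the router and the main LAN with no filtering at all.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Link'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option input 'REJECT'
        option forward 'REJECT'

# lan->wan stays open next to lan->wgclient below. Routing normally sends
# everything into the tunnel, but when the tunnel is down nothing here stops
# LAN traffic from leaving unencrypted via 'wan' (there is no kill switch).
# To fail closed, remove this forwarding or restrict it to what must bypass
# the VPN.
config forwarding
        option src 'lan'
        option dest 'wan'

# --- OpenWrt default WAN input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6) ---
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# --- Custom: unsolicited IPsec (ESP and IKE on udp/500) from the internet into
# the whole LAN zone. Keep these only if a LAN host really terminates IPsec;
# otherwise they widen the exposed surface for nothing. Without a DNAT they can
# only reach LAN hosts with globally routable (IPv6) addresses -- confirm that
# this is intended.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# VPN zone: masquerades behind the tunnel address and clamps TCP MSS to the
# path MTU (mtu_fix), i.e. the MSS clamping discussed in the thread is active
# for everything leaving through the tunnel.
config zone
        option name 'wgclient'
        option output 'ACCEPT'
        option masq '1'
        list network 'wgclient'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wgclient'

# Force all LAN DNS (tcp/udp 53) to the local resolver 192.168.2.15, except
# from that host itself and from one MAC. Clients can still sidestep this with
# DoH/DoT unless the deny rules further down match the zone their traffic
# actually leaves through.
# NOTE(review): dest_ip is IPv4-only, and the LAN has ip6assign set, so IPv6
# DNS queries are not redirected -- check whether clients can reach IPv6
# resolvers directly.
config redirect 'dns_int'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'
        option family 'any'
        option src_mac '!00:E0:99:00:64:31'
        option name 'Redirect-DNS'
        option src_ip '!192.168.2.15'
        option dest_ip '192.168.2.15'

# Known DoH resolver networks. /var is volatile on OpenWrt: something must
# regenerate this file before the firewall starts, otherwise the set is empty
# and the Deny-DoH rules match nothing.
config ipset 'doh'
        option name 'doh'
        option family 'ipv4'
        option match 'net'
        option loadfile '/var/ipset-doh'

# Only matches traffic leaving via 'wan'. With the tunnel as default route,
# LAN traffic to DoH resolvers leaves via the 'wgclient' zone instead and
# never hits this rule -- hence the 'Deny-DoH-VPN' copy right after it.
config rule 'doh_fwd'
        option name 'Deny-DoH'
        option src 'lan'
        option dest 'wan'
        option dest_port '443'
        option proto 'tcp udp'
        option family 'ipv4'
        option ipset 'doh dest'
        option target 'REJECT'

config rule 'doh_wg_fwd'
        option name 'Deny-DoH-VPN'
        option src 'lan'
        option dest 'wgclient'
        option dest_port '443'
        option proto 'tcp udp'
        option family 'ipv4'
        option ipset 'doh dest'
        option target 'REJECT'

config ipset 'doh6'
        option name 'doh6'
        option family 'ipv6'
        option match 'net'
        option loadfile '/var/ipset-doh6'

config rule 'doh6_fwd'
        option name 'Deny-DoH'
        option src 'lan'
        option dest 'wan'
        option dest_port '443'
        option proto 'tcp udp'
        option family 'ipv6'
        option ipset 'doh6 dest'
        option target 'REJECT'

config rule 'doh6_wg_fwd'
        option name 'Deny-DoH-VPN'
        option src 'lan'
        option dest 'wgclient'
        option dest_port '443'
        option proto 'tcp udp'
        option family 'ipv6'
        option ipset 'doh6 dest'
        option target 'REJECT'

# DNS-over-TLS (853) towards 'wan', plus the same for the tunnel zone.
config rule 'dot_fwd'
        option name 'Deny-DoT'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

config rule 'dot_wg_fwd'
        option name 'Deny-DoT-VPN'
        option src 'lan'
        option dest 'wgclient'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

# Masquerade the redirected queries towards the resolver, presumably so the
# replies route back through the router for clients that are on the same
# segment. Side effect: the resolver sees the router's address instead of the
# real client, so per-client query logs are lost.
config nat 'dns_masq'
        option name 'Masquerade-DNS'
        option src 'lan'
        option dest_ip '192.168.2.15'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'MASQUERADE'

# Currently disabled. If enabled as written it accepts every protocol from
# 192.168.1.0/24 arriving on ANY zone (src '*'), including packets with a
# spoofed source on 'wan'; pin 'option src' to a zone before turning it on.
config rule
        option name 'Allow-Roc'
        list src_ip '192.168.1.0/24'
        option dest '*'
        option target 'ACCEPT'
        list proto 'all'
        option src '*'
        option enabled '0'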

Try a different endpoint: some sites block known VPN exit addresses, which would explain why MSS clamping (already active through `mtu_fix` on your wgclient zone) fixed other sites but not these.
Make sure that your DNS traffic is routed over the VPN: your wgclient interface uses 8.8.8.8 while LAN clients are redirected to 192.168.2.15, so check which path that resolver's upstream queries take.
If the issue persists, you can also try a lower MTU on the wgclient interface.


That will have to wait, since I bricked my Archer C7 v2 while restoring a backup...

I can confirm that it was a combination of my VPN and VirtualBox.

VirtualBox was misconfigured, since it was still using the configuration from my Windows machine on Linux. I changed a number of things, so I'm not sure exactly which one mattered. I always use the bridged network adapter, but under Advanced I now use the PCnet adapter type (both types should work).

My VPN didn't have a port forwarded for seeding, and qBittorrent was not configured to use that port.

And when I tried to check whether it was my VPN, I was unlucky enough that the endpoints I picked in the provider's app were working, while the ones I had configured inside OpenWrt were banned by the site.

A combination of these things, and mainly the last one, was what prevented me from accessing sites like nyaa.si.
