pgcudahy
Asked: 2020-04-01 12:07:45 +0800 CST

WireGuard tunnel is slow and intermittent

  • 772

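After asking this question, I got a WireGuard VPN setup that forwards all traffic from my local LAN to a remote server. Connections from the WireGuard client host are fast. However, connections from clients on the LAN are much slower and drop a lot of connections. Traceroutes show that both the client and the LAN clients connect through the VPN and exit correctly.

On the WireGuard client host, I get a bad ping but decent speeds: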

curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -
Retrieving speedtest.net configuration...
Testing from Spectrum (68.187.109.97)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Bertram Communications (Iron Ridge, WI) [185.33 km]: 598.9 ms
Testing download speed................................................................................
Download: 4.65 Mbit/s
Testing upload speed................................................................................................
Upload: 4.97 Mbit/s

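But this same code just hangs on a LAN client; it can't even download the script it needs to run. Some simple websites will load, but anything substantial times out.

How do I start debugging this? My first question is whether my iptables rules might be misconfigured.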


# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:84:56:f5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.104/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fe84:56f5/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b8:27:eb:d1:03:a0 brd ff:ff:ff:ff:ff:ff
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:27:eb:84:56:f5 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global noprefixroute eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fe84:56f5/64 scope link 
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1120 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.99.17/24 scope global wg0
       valid_lft forever preferred_lft forever

# ip -4 route show table all
default dev wg0 table 51820 scope link 
default via 192.168.1.1 dev eth0 src 192.168.1.104 metric 202 mtu 1200 
10.0.0.0/24 dev eth0.2 proto dhcp scope link src 10.0.0.1 metric 204 mtu 1200 
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.104 metric 202 mtu 1200 
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.17 
broadcast 10.0.0.0 dev eth0.2 table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev eth0.2 table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev eth0.2 table local proto kernel scope link src 10.0.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.104 
local 192.168.1.104 dev eth0 table local proto kernel scope host src 192.168.1.104 
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.104 
broadcast 192.168.99.0 dev wg0 table local proto kernel scope link src 192.168.99.17 
local 192.168.99.17 dev wg0 table local proto kernel scope host src 192.168.99.17 
broadcast 192.168.99.255 dev wg0 table local proto kernel scope link src 192.168.99.17 

# ip -4 rule show
0:  from all lookup local 
32764:  from all lookup main suppress_prefixlength 0 
32765:  not from all fwmark 0xca6c lookup 51820 
32766:  from all lookup main 
32767:  from all lookup default 

# ip -6 route show table all
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:fe84:56f5 dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:fe84:56f5 dev eth0 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium

# ip -6 rule show
0:  from all lookup local 
32766:  from all lookup main 

# wg
interface: wg0
  public key: XR9UASLZXCjRZKa9MnmBxebfP6jxfBaaQOa5BJEFsX8=
  private key: (hidden)
  listening port: 48767
  fwmark: 0xca6c

peer: M37O/lE0ZWZ0uzYVGu17ZAZmdbnLyd5RuiAVvF/bqwE=
  endpoint: 68.187.109.97:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 20 seconds ago
  transfer: 2.42 MiB received, 8.45 MiB sent

# ip netconf
inet lo forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet eth0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet wlan0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet eth0.2 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet wg0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet all forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet default forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 lo forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 eth0 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 wlan0 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 eth0.2 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 all forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 default forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 

# iptables-save
# Generated by xtables-save v1.8.2 on Thu Apr  2 19:11:02 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.99.17/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
# Completed on Thu Apr  2 19:11:02 2020
# Generated by xtables-save v1.8.2 on Thu Apr  2 19:11:02 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Thu Apr  2 19:11:02 2020
# Generated by xtables-save v1.8.2 on Thu Apr  2 19:11:02 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -o eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0.2 -o wg0 -j ACCEPT
COMMIT
# Completed on Thu Apr  2 19:11:02 2020
# Generated by xtables-save v1.8.2 on Thu Apr  2 19:11:02 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
# Completed on Thu Apr  2 19:11:02 2020
vpn wireguard
2 Answers

  1. Best Answer
    harrymc
    2020-04-04T04:54:04+08:00

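    The default MTU of WireGuard is 1420, while the usual size for other devices is 1492 or 1500.

    This will cause any device that thinks it is sending a full packet to WireGuard to actually send more than one WireGuard packet, because the packet will be split in two, the second one being almost empty.

    Since the dominant factor in TCP/IP is the number of packets, because each one needs synchronization and acknowledgement, this will slow down all communication.

    The solution is to set WireGuard to the same MTU size as the rest of the network.

    For more information, see:

    • Wikipedia: IP fragmentation
    • Cisco: Resolve IPv4 Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPsec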
    • 7
  2. T-Dawg
    2020-09-15T11:20:46+08:00

    For me, I had to set my MTU lower (to 1400).

    The command I used was:

    sudo ip link set dev wg0 mtu 1400
    

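    Additionally, if you want to check whether you have an MTU error and you are connected via a dual-stack connection (= IPv4 + IPv6), connect using IPv6 instead of IPv4; then, if it is MTU related, the issue should not appear any more.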

    • 2
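
The arithmetic behind the MTU values in this thread, as an added example that is not part of the original posts: WireGuard wraps each inner packet in an outer IP header, a UDP header, a 16-byte data header and a 16-byte authentication tag, so the tunnel MTU has to be the underlay MTU minus that overhead. The function names are hypothetical, and the sample input is constructed from the interface lines in the question's `ip addr show` output.

```bash
#!/usr/bin/env bash
# Constructed sample: interface header lines copied from the question's `ip addr show`.
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1120 qdisc noqueue state UNKNOWN group default qlen 1000'

# mtu_of IFACE: read `ip addr show` text on stdin and print IFACE's MTU.
mtu_of() {
  awk -v want="$1" '
    $1 ~ /^[0-9]+:$/ {
      name = $2; sub(/:$/, "", name); sub(/@.*$/, "", name)   # eth0.2@eth0: -> eth0.2
      if (name == want)
        for (i = 3; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit }
    }'
}

# wg_overhead FAMILY: bytes WireGuard adds around each inner packet.
# outer IP header (20 for IPv4, 40 for IPv6) + 8 UDP + 16 data header + 16 auth tag
wg_overhead() {
  case "$1" in
    4) echo $((20 + 8 + 16 + 16)) ;;
    6) echo $((40 + 8 + 16 + 16)) ;;
    *) echo "family must be 4 or 6" >&2; return 1 ;;
  esac
}

# max_tunnel_mtu UNDERLAY_MTU FAMILY: largest wg MTU whose encrypted packets fit the underlay.
max_tunnel_mtu() { local o; o=$(wg_overhead "$2") || return 1; echo $(( $1 - o )); }

# tcp_mss MTU FAMILY: largest TCP payload per packet (MTU minus inner IP and 20-byte TCP header).
tcp_mss() { case "$2" in 4) echo $(( $1 - 40 )) ;; 6) echo $(( $1 - 60 )) ;; *) return 1 ;; esac; }

# excess LAN_IF TUN_IF: bytes by which a full-size LAN packet exceeds the tunnel MTU (0 if it fits).
excess() {
  local text lan tun
  text=$(cat)
  lan=$(printf '%s\n' "$text" | mtu_of "$1")
  tun=$(printf '%s\n' "$text" | mtu_of "$2")
  [ -n "$lan" ] && [ -n "$tun" ] || { echo "interface not found" >&2; return 1; }
  if [ "$lan" -gt "$tun" ]; then echo $(( lan - tun )); else echo 0; fi
}

echo "full-size packet from eth0.2 exceeds wg0 MTU by $(printf '%s\n' "$SAMPLE" | excess eth0.2 wg0) bytes"
echo "tunnel MTU for a 1200-byte underlay, IPv6-sized outer header: $(max_tunnel_mtu 1200 6)"
echo "TCP MSS that fits wg0 for IPv4 traffic: $(tcp_mss "$(printf '%s\n' "$SAMPLE" | mtu_of wg0)" 4)"
```

Subtracting the 80-byte worst case from the 1200-byte route MTU in the question gives the 1120 shown on wg0, and from 1500 it gives the 1420 default mentioned in the first answer.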
