Setup is as follows
ISP: Starlink (CGNAT)
Router: pfSense
VPS at Linode with Wireguard
There is a WG tunnel set up between pfSense and my Linode. On pfSense, the WG tunnel has been set up as an interface and a gateway.
I use the VPS to access all of my external services behind CGNAT and that works perfectly. I have also hosted a PBX behind CGNAT using the same setup with no dramas.
I have policy-based routing where all of the traffic from a certain IP, in my case my Unraid server, goes out over the WG tunnel. From the surface everything looks A-OK and everything is functioning as it should. Where it comes unstuck is when my Unraid box tries to access anything hosted at a GitHub domain / server.
Which in my case is every time I click on the Community Applications tab, or go to the Docker tab or the Dashboard tab (I think it's all the Docker icons it downloads).
I can replicate it just by running
wget https://raw.githubusercontent/pathtogithubfile
It gets hung up like this and won't progress.
To make things even more strange, I have another WG tunnel set up to another site, and if I send my Unraid box out that one the wget download also completed successfully.
Are you using any kind of DNS filtering? I’ve had problems in the past with GitHub getting blocked (or more specifically AWS) by a DNS filter I was using. Adding .aws.amazon.com and .amazonaws.com to the whitelist fixed it.
One of the first things I tried was changing from my Pi-holes just to Google DNS… It made no difference unfortunately. I’m not running pfBlocker or anything on pfSense either.
Out of interest I just chucked my workstation through the same tunnel with the same results.
I’m glad there are more of us … ha ha! It’s got me scratching my head.
The weird thing is, as mentioned in my OP, if I SSH directly to my VPS instance I can run the wget command and the download works fine directly to my instance. Got me stumped.
What MTU are you using for the wireguard interface? e.g. is your firewall dropping any ICMP?
BTW you can try using curl with the --resolve option to ensure you’re always attempting to contact the same IP while debugging - it’d allow you to handily capture tcpdumps by IP address.
MTU is default so 1500 I believe… and yes, this was the problem!
I went back and watched a Christian McDonald video on WG tunnels; I remember him talking about the MTU value, which I had not set or worried about… clearly until now.
I have set MTU and MSS both to 1420. Everything that was not working is now working A-OK!
@risk Thanks again mate, you have helped me a second time
I also looked at my second WG tunnel which was working and lo and behold, the MTU and MSS values are already set to 1420! D'oh!
@FunnyPossum would have a look at these options for your issue also.