team25 n00b
Joined: 27 Jan 2023 Posts: 13
Posted: Fri Jan 27, 2023 7:37 pm Post subject: Can't visit https://gentoo.org when connected over NAT |
I have NAT configured on the desktop for the laptop to use. All is working except one thing: I cannot open https://gentoo.org. In `links` it hangs at "SSL negotiation". So I guess this strange issue is related to SSL. All other HTTPS sites work fine.
NAT configuration on desktop:
Code: |
# enable IPv4 forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# masquerade everything leaving through the WireGuard interface
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
# allow packets arriving from the laptop's interface to be forwarded
iptables -A FORWARD -i eth1 -j ACCEPT
|
wg0: Internet interface of desktop
eth1: laptop is connected to this interface
`openssl s_client -connect www.gentoo.org:443 -prexit -debug` shows:
Code: |
CONNECTED(00000003)
write to 0x557ba3f68e50 [0x557ba3f78d70] (316 bytes => 316 (0x13C))
0000 - 16 03 01 01 37 01 00 01-33 03 03 ca da b4 c8 0d ....7...3.......
0010 - 7a 15 7b dc 4b cc 1b f9-1f 28 93 31 53 6b 6e 6f z.{.K....(.1Skno
0020 - 56 1d c2 df 06 b2 eb 35-a9 e8 56 20 c4 85 26 09 V......5..V ..&.
0030 - 1c 4b 8f d2 52 cb 76 a5-2c 06 2a da d8 a0 83 e2 .K..R.v.,.*.....
0040 - 64 53 87 5e ba 63 d1 d8-0e 25 24 d1 00 3e 13 02 dS.^.c...%$..>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 ac ...=.<.5./......
0090 - 00 00 00 13 00 11 00 00-0e 77 77 77 2e 67 65 6e .........www.gen
00a0 - 74 6f 6f 2e 6f 72 67 00-0b 00 04 03 00 01 02 00 too.org.........
00b0 - 0a 00 0c 00 0a 00 1d 00-17 00 1e 00 19 00 18 00 ................
00c0 - 23 00 00 00 16 00 00 00-17 00 00 00 0d 00 30 00 #.............0.
00d0 - 2e 04 03 05 03 06 03 08-07 08 08 08 09 08 0a 08 ................
00e0 - 0b 08 04 08 05 08 06 04-01 05 01 06 01 03 03 02 ................
00f0 - 03 03 01 02 01 03 02 02-02 04 02 05 02 06 02 00 ................
0100 - 2b 00 09 08 03 04 03 03-03 02 03 01 00 2d 00 02 +............-..
0110 - 01 01 00 33 00 26 00 24-00 1d 00 20 95 79 e4 57 ...3.&.$... .y.W
0120 - 04 d6 24 e3 cd 64 f7 16-89 f7 41 da dc 4d 12 45 ..$..d....A..M.E
0130 - 14 02 b5 b5 92 d0 f8 30-7a e0 cf 64 .......0z..d
|
and hangs.
quilosaq Veteran
Joined: 22 Dec 2009 Posts: 1522
team25 n00b
Joined: 27 Jan 2023 Posts: 13
Posted: Sat Jan 28, 2023 7:54 am Post subject:
I tried the exact sequence of commands from that tutorial and nothing changed. All other HTTPS sites work fine, but not https://gentoo.org. This is strange. And I think the problem is at the SSL layer. Does gentoo.org use a different type of SSL or what? I am curious about this issue. I don't know much about SSL inner workings.
Also, is it possible to somehow add WireGuard to the minimal-install-cd? emerge isn't available on the minimal-install-cd.
team25 n00b
Joined: 27 Jan 2023 Posts: 13
Posted: Sat Jan 28, 2023 1:09 pm Post subject:
The problem was broken PMTU. The Internet connection on the desktop used WireGuard, which sets the MTU to 1420, while the laptop was connected to the desktop over Ethernet, which uses an MTU of 1500 by default. I solved the problem with just one line:
Code: |
ifconfig enp3s0 mtu 1420 up
|
on my laptop.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Sat Jan 28, 2023 3:30 pm Post subject:
That appears to be the problem from the troubleshooting section "Home router: Incorrect MTU value". The better fix is to configure the desktop to forcibly adjust the MSS so that clients behind the desktop do not need to know about this limit.
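Added example, written for this page and not posted by anyone in the thread: a small POSIX shell script that produces the two things the thread ends on, the don't-fragment ping probe that confirms from the laptop that only 1420-byte packets get through, and the TCPMSS clamping rules Hu suggests for the desktop so that the laptop (and any other client on eth1) can keep its default MTU of 1500 instead of the per-client workaround in the previous post. The interface names wg0 and eth1 and the MTUs 1420 and 1500 are taken from the posts above; www.gentoo.org is only used as the probe target. The script prints the commands rather than running them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the MSS-clamping rules
# for the desktop (the fix Hu recommends) and the ping command used to confirm
# the path MTU by hand. Interface name wg0 and the MTUs 1420/1500 come from
# the posts above; everything else is an assumption for illustration.
# By default the rules are only printed; run with APPLY=1 as root to load them.

# TCP MSS that fits one segment through a link of the given MTU:
# IPv4 header (20) + TCP header (20) = 40 bytes; the IPv6 header is 40, so 60.
mss_for_mtu() {
    case "${2:-4}" in
        6) echo $(( $1 - 60 )) ;;
        *) echo $(( $1 - 40 )) ;;
    esac
}

# ICMP echo payload that produces exactly an MTU-sized IPv4 packet:
# MTU - IPv4 header (20) - ICMP header (8).
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# A don't-fragment probe to run from the laptop. With the tunnel in the path
# it answers for 1420 but not for 1500: either "Frag needed and DF set" from
# the desktop, or no reply at all when the ICMP error is filtered somewhere.
pmtu_probe_cmd() {
    host=$1; mtu=$2
    echo "ping -M do -c 3 -s $(ping_payload_for_mtu "$mtu") $host"
}

# Rules for the mangle table's FORWARD chain. Matching SYN-without-RST catches
# both the laptop's SYN on its way out through $wan and the server's SYN-ACK
# on its way in, so each end learns an MSS that fits the tunnel and nobody on
# the path has to rely on ICMP "fragmentation needed" being delivered.
# --clamp-mss-to-pmtu uses the smaller of the outgoing and reverse route MTUs,
# which is the tunnel MTU in both directions here.
mss_clamp_rules() {
    wan=$1; mtu=$2
    mss=$(mss_for_mtu "$mtu" 4)
    echo "iptables -t mangle -A FORWARD -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    echo "iptables -t mangle -A FORWARD -i $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    # Pinned alternative for when the route's PMTU cannot be trusted;
    # printed as a comment so that only one variant is applied.
    echo "# or pin it: iptables -t mangle -A FORWARD -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

if [ "${APPLY:-0}" = 1 ]; then
    mss_clamp_rules wg0 1420 | grep -v '^#' | sh -e
else
    echo "# 1. Confirm the path MTU from the laptop:"
    pmtu_probe_cmd www.gentoo.org 1500
    pmtu_probe_cmd www.gentoo.org 1420
    echo "# 2. Then, on the desktop (APPLY=1 to execute):"
    mss_clamp_rules wg0 1420
fi
```

Why the symptom shows up as a TLS handshake that hangs, and only for one site: the 316-byte ClientHello in the openssl trace above fits through any link, but the server's reply carrying the certificate chain comes back in full-size segments. If the server sends 1500-byte segments with DF set and the ICMP "fragmentation needed" generated where the packets enter the 1420-byte tunnel never reaches it, those segments are dropped silently and the client waits forever at "SSL negotiation". Hosts that already advertise a smaller MSS, or whose path delivers the ICMP, keep working, which is why only one destination breaks. Clamping the MSS on the desktop removes that dependency for every client behind it; the laptop-side MTU change in the previous post fixes only that one machine.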