From 222953049d6272607fd24209976a0ec89418ebc9 Mon Sep 17 00:00:00 2001
From: infosave
Date: Fri, 29 May 2026 14:23:41 +0300
Subject: [PATCH] fix(awg2): restore client MTU=1280 (connects but no traffic)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Issue #50: AWG2 clients connect (handshake OK) but no traffic flows. The awg2 client output_template lost its "MTU = 1280" line when migration 064 rewrote it (migration 058 had it). With no explicit MTU the client defaults to 1420, which is too large once AmneziaWG obfuscation overhead (Jc junk packets, S1/S2 padding) is added on top of WireGuard's: small packets (the handshake) pass, larger packets (TLS, web pages) are dropped — tunnel "connected" but unusable. 1280 is the official Amnezia app default.
- migrations/071: add "MTU = 1280" to the awg2 output_template (existing DBs).
- migrations/064: add the MTU line to the template source (fresh installs).
- buildClientConfig(): emit MTU = 1280 in the fallback path too.
Server-side NAT/forwarding/ip_forward were verified correct on a live server, so this is purely a client-config regression. Generated client config now contains "MTU = 1280" and mirrors the server's obfuscation params exactly.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 inc/VpnClient.php | 4 ++++
 .../064_complete_awg2_original_params.sql | 1 +
 migrations/071_fix_awg2_client_mtu.sql | 23 +++++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 migrations/071_fix_awg2_client_mtu.sql
diff --git a/inc/VpnClient.php b/inc/VpnClient.php
index d90ea2b..5dd1e59 100644
--- a/inc/VpnClient.php
+++ b/inc/VpnClient.php
@@ -1182,6 +1182,10 @@ class VpnClient
 $config .= "Address = {$clientIP}/32\n";
 $config .= "DNS = 1.1.1.1, 1.0.0.1\n";
 $config .= "PrivateKey = {$privateKey}\n";
+ // AmneziaWG obfuscation adds per-packet overhead; without a reduced MTU
+ // the tunnel connects but large packets are dropped (no usable traffic).
+ // 1280 matches the official Amnezia app default. (issue #50)
+ $config .= "MTU = 1280\n";
 // Add AWG parameters (in the order used by Amnezia app)
 // For awg2 include I1-I5, S3, S4; for regular awg only H1-H4, Jc, Jmin, Jmax, S1, S2
diff --git a/migrations/064_complete_awg2_original_params.sql b/migrations/064_complete_awg2_original_params.sql
index 1f7b64e..0d23745 100644
--- a/migrations/064_complete_awg2_original_params.sql
+++ b/migrations/064_complete_awg2_original_params.sql
@@ -5,6 +5,7 @@ SET output_template = '[Interface]
 Address = {{client_ip}}/32
 DNS = {{dns_servers}}
 PrivateKey = {{private_key}}
+MTU = 1280
 Jc = {{Jc}}
 Jmin = {{Jmin}}
 Jmax = {{Jmax}}
diff --git a/migrations/071_fix_awg2_client_mtu.sql b/migrations/071_fix_awg2_client_mtu.sql
new file mode 100644
index 0000000..92f0b53
--- /dev/null
+++ b/migrations/071_fix_awg2_client_mtu.sql
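Review bot: The added `$config .= "MTU = 1280\n";` in inc/VpnClient.php sits just above the context comment "for regular awg only H1-H4, Jc, Jmin, Jmax, S1, S2", which suggests this fallback path also builds regular awg configs, so the MTU line would be emitted for both protocols while the two migrations only change the `awg2` template. If that is intended, the new comment should say so, e.g. `// Applies to awg and awg2 alike: both add obfuscation overhead on top of WireGuard.`; if not, the line needs a protocol check. The literal 1280 now lives in three places (here and in migrations 064 and 071), so a class constant such as `private const AWG_CLIENT_MTU = 1280;` would at least pin the PHP side to one definition. The enclosing method begins and ends outside the hunk.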
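Review bot: The `+MTU = 1280` line in migrations/064_complete_awg2_original_params.sql edits a migration that existing databases have already applied, so "064 applied" now means two different templates depending on when the install happened. Migration 071 covers the older databases, but if the migration runner records file checksums (not visible in this diff) the edit may surface as drift. A header comment in 064 would keep the history readable, for example `-- NOTE: MTU line added retroactively; databases that ran the earlier 064 receive it via migration 071.`. The UPDATE statement starts above this hunk and continues below it.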
@@ -0,0 +1,23 @@
+-- =====================================================================
+-- Migration 071: Restore client MTU for AmneziaWG 2.0 (awg2)
+--
+-- Issue #50: clients connect (handshake succeeds) but no traffic flows.
+-- Root cause: the awg2 client output_template lost its "MTU = 1280" line
+-- when migration 064 rewrote it (migration 058 had it). With no explicit
+-- MTU the client defaults to 1420, which is too large once AmneziaWG
+-- obfuscation overhead (Jc junk packets, S1/S2 padding) is added on top of
+-- WireGuard's own overhead: the handshake (small packets) succeeds, but
+-- larger packets (TLS, web pages) exceed the path and are dropped — so the
+-- tunnel is "connected" yet carries no usable traffic. 1280 is the value the
+-- official Amnezia app uses for AmneziaWG clients.
+-- =====================================================================
+
+UPDATE protocols
+SET output_template = REPLACE(
+ output_template,
+ 'PrivateKey = {{private_key}}\n',
+ 'PrivateKey = {{private_key}}\nMTU = 1280\n'
+)
+WHERE slug = 'awg2'
+ AND output_template LIKE '%PrivateKey = {{private_key}}%'
+ AND output_template NOT LIKE '%MTU%';
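Review bot: The REPLACE search string `'PrivateKey = {{private_key}}\n'` relies on the server turning `\n` into a newline, while the WHERE clause only tests `LIKE '%PrivateKey = {{private_key}}%'` without it. Where backslash escapes are disabled (MySQL `NO_BACKSLASH_ESCAPES`, or an engine with standard-conforming strings), or where the stored template uses CRLF line endings, the row passes WHERE but REPLACE changes nothing, so the migration reports success while the template still lacks the MTU line. Building the newline explicitly removes the escape dependency: `CONCAT('PrivateKey = {{private_key}}', CHAR(10))` as the search string and `CONCAT('PrivateKey = {{private_key}}', CHAR(10), 'MTU = 1280', CHAR(10))` as the replacement. A trailing check such as `SELECT COUNT(*) FROM protocols WHERE slug = 'awg2' AND output_template NOT LIKE '%MTU = 1280%';`, expected to return 0, would make a silent no-op visible.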