wenil/amneziavpnphp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(awg2): restore client MTU=1280 (connects but no traffic)

Browse Source 
Issue #50: AWG2 clients connect (handshake OK) but no traffic flows. The
awg2 client output_template lost its "MTU = 1280" line when migration 064
rewrote it (migration 058 had it). With no explicit MTU the client defaults
to 1420, which is too large once AmneziaWG obfuscation overhead (Jc junk
packets, S1/S2 padding) is added on top of WireGuard's: small packets (the
handshake) pass, larger packets (TLS, web pages) are dropped — tunnel
"connected" but unusable. 1280 is the official Amnezia app default.

- migrations/071: add "MTU = 1280" to the awg2 output_template (existing DBs).
- migrations/064: add the MTU line to the template source (fresh installs).
- buildClientConfig(): emit MTU = 1280 in the fallback path too.

Server-side NAT/forwarding/ip_forward were verified correct on a live server,
so this is purely a client-config regression. Generated client config now
contains "MTU = 1280" and mirrors the server's obfuscation params exactly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
infosave
2026-05-29 14:23:41 +03:00
parent d771af866c
commit 222953049d
3 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
migrations/071_fix_awg2_client_mtu.sql
+23
View File
@@ -0,0 +1,23 @@
-- =====================================================================
-- Migration 071: Restore client MTU for AmneziaWG 2.0 (awg2)
--
-- Issue #50: clients connect (handshake succeeds) but no traffic flows.
-- Root cause: the awg2 client output_template lost its "MTU = 1280" line
-- when migration 064 rewrote it (migration 058 had it). With no explicit
-- MTU the client defaults to 1420, which is too large once AmneziaWG
-- obfuscation overhead (Jc junk packets, S1/S2 padding) is added on top of
-- WireGuard's own overhead: the handshake (small packets) succeeds, but
-- larger packets (TLS, web pages) exceed the path and are dropped — so the
-- tunnel is "connected" yet carries no usable traffic. 1280 is the value the
-- official Amnezia app uses for AmneziaWG clients.
-- =====================================================================
UPDATE protocols
SET output_template = REPLACE(
output_template,
'PrivateKey = {{private_key}}\n',
'PrivateKey = {{private_key}}\nMTU = 1280\n'
)
WHERE slug = 'awg2'
AND output_template LIKE '%PrivateKey = {{private_key}}%'
AND output_template NOT LIKE '%MTU%';