wenil/amneziavpnphp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(awg2): clamp TCP MSS on server so traffic actually flows (issue #50)

Browse Source 
Final piece of "connects but no traffic": with the reduced client MTU (1280)
the upload direction fits, but full-size download packets (web pages, TLS
responses) still exceeded the AmneziaWG tunnel and were dropped — handshake
and small packets worked, browsing stalled. Confirmed on a live server: the
client's encrypted packets reached the server but large return packets never
made it back. Adding a server-side TCP MSS clamp to 1240 (= 1280 - 40) made
real traffic flow (verified: 1.6 MiB transferred, FORWARD/MASQUERADE counters
incrementing).

- VpnClient::addClientToServer(): after applying the peer, idempotently ensure
  net.ipv4.ip_forward=1 and a `mangle FORWARD ... TCPMSS --set-mss 1240` rule
  (-C then -A). Re-applied on every client creation, so it survives container
  restarts/reinstalls and covers adopted native Amnezia containers.
- migrations/072 + 064: add the same MSS clamp to the awg2 install script
  PostUp (and remove it in PostDown) for panel-installed servers.

Verified end-to-end: removing the rule and creating a client via the panel
re-adds it automatically; the live phone client now browses normally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
infosave
2026-05-29 15:33:11 +03:00
parent 222953049d
commit 24a6cb276f
3 changed files with 43 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
inc/VpnClient.php
+16
View File
@@ -1290,6 +1290,22 @@ class VpnClient
// Without this, the interface uses standard WireGuard without Jc/S1/S2/H1-H4
$cmd5 = sprintf("docker exec -i %s sh -c 'ip link del %s 2>/dev/null || true; %s up %s/%s 2>&1'", $containerName, $ifaceName, $wgQuickTool, $configDir, $configFile);
self::executeServerCommand($serverData, $cmd5, true);
// 7. CRITICAL: Clamp TCP MSS so download-direction packets fit the reduced
// AmneziaWG tunnel MTU (clients use MTU 1280 -> MSS 1240). Without this the
// handshake succeeds and small packets flow, but large packets (web pages,
// TLS responses) exceed the tunnel and are silently dropped — the classic
// "connected but no traffic" symptom (issue #50). Idempotent (-C then -A),
// and ip_forward is ensured for good measure. Re-applied on every client
// creation so it survives container restarts/reinstalls.
$mssRule = "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240";
$cmd6 = sprintf(
"docker exec -i %s sh -c 'sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1 || true; iptables -t mangle -C FORWARD %s 2>/dev/null || iptables -t mangle -A FORWARD %s'",
$containerName,
$mssRule,
$mssRule
);
self::executeServerCommand($serverData, $cmd6, true);
}
/**