wenil/amneziavpnphp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
baa3ef5f76b29800faef0dfb61a92d9c492c7d0d
amneziavpnphp/migrations/072_awg2_mss_clamp.sql
T
infosave 24a6cb276f fix(awg2): clamp TCP MSS on server so traffic actually flows (issue #50) 
Final piece of "connects but no traffic": with the reduced client MTU (1280)
the upload direction fits, but full-size download packets (web pages, TLS
responses) still exceeded the AmneziaWG tunnel and were dropped — handshake
and small packets worked, browsing stalled. Confirmed on a live server: the
client's encrypted packets reached the server but large return packets never
made it back. Adding a server-side TCP MSS clamp to 1240 (= 1280 - 40) made
real traffic flow (verified: 1.6 MiB transferred, FORWARD/MASQUERADE counters
incrementing).

- VpnClient::addClientToServer(): after applying the peer, idempotently ensure
  net.ipv4.ip_forward=1 and a `mangle FORWARD ... TCPMSS --set-mss 1240` rule
  (-C then -A). Re-applied on every client creation, so it survives container
  restarts/reinstalls and covers adopted native Amnezia containers.
- migrations/072 + 064: add the same MSS clamp to the awg2 install script
  PostUp (and remove it in PostDown) for panel-installed servers.

Verified end-to-end: removing the rule and creating a client via the panel
re-adds it automatically; the live phone client now browses normally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 15:33:11 +03:00

26 lines
1.3 KiB
SQL
Raw Blame History

-- =====================================================================
-- Migration 072: TCP MSS clamping for AmneziaWG 2.0 (awg2)
--
-- Issue #50: clients connect (handshake OK) but no traffic flows. With the
-- reduced tunnel MTU (clients use 1280), TCP must also negotiate a small
-- enough MSS, otherwise full-size download packets (web pages, TLS responses)
-- exceed the tunnel and are dropped — the handshake and small packets work,
-- but browsing stalls. Clamping MSS to 1240 (1280 - 40) on the server's
-- FORWARD path fixes the download direction.
--
-- This appends the clamp to the awg2 install script's PostUp so panel-installed
-- servers get it on every interface bring-up. (Adopted native containers are
-- handled at runtime by VpnClient::addClientToServer(), which applies the same
-- rule idempotently on each client creation.)
-- =====================================================================
UPDATE protocols
SET install_script = REPLACE(
install_script,
'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE',
'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240'
)
WHERE slug = 'awg2'
AND install_script LIKE '%-A POSTROUTING -o eth0 -j MASQUERADE%'
AND install_script NOT LIKE '%TCPMSS%';
Reference in New Issue View Git Blame Copy Permalink