rany2 / warp.sh

WARP wireguard config generator in POSIX Shell


Can't connect internet with vpn profile

yusyel opened this issue · comments

I can use ssh to connect with the wg configuration but cannot use the internet. Is this expected behavior?

Sounds like a DNS issue. Can you access https://1.1.1.1/ ?

@kpocius Nope, I get an SSL warning. I tried Cloudflare DNS and NextDNS.

commented

I can't really help you because I don't have this issue and I guess from the looks of it other users don't. Could you try and see if it happens when using the official WARP client?

@rany2 I'm using an iPhone with the WireGuard client. And I tried ports 500, 1701 and 4500. But still cannot connect to the internet.

There is no issue with the Zero Trust app.

The main reason I want to use the WireGuard profile is NextDNS. But even the default warp.sh conf file still cannot connect to the internet.

Edit: Also tested with Debian. I get an SSL error.

commented

@yusyel so you're using warp.sh to generate a config with your zero trust organization?

@rany2 yeap, sounds like I shouldn't :)

commented

Edit: Also tested with Debian. I get an SSL error.

By SSL error, do you mean you get an invalid certificate or does the connection just not work?

commented

BTW, when you mentioned that ssh worked, can you confirm that a simple ICMP ping works? Maybe it's not going through the VPN. It doesn't make sense for it to only work for SSH traffic but nothing else.

When you test it, make sure to specify the interface you want to bind to with -I, so for example, ping -I cfwarp 1.1.1.1. Also, the output of wg as root should be helpful. Personally, I think that it is an issue with some kind of WireGuard blocking on your end. In case you're wondering why the Cloudflare WARP client works but not warp.sh, it's because the official WARP client is a slightly modified version of WireGuard; for example, HS1 and HS2 are merged into one and they use some of the reserved bits in WireGuard's initial handshake to fill it with a client ID for analytics.

commented

Personally, I think that it is an issue with some kind of WireGuard blocking on your end. In case you're wondering why the Cloudflare WARP client works but not warp.sh, it's because the official WARP client is a slightly modified version of WireGuard; for example, HS1 and HS2 are merged into one and they use some of the reserved bits in WireGuard's initial handshake to fill it with a client ID for analytics.

What that basically means is that DPI would not be able to detect WARP properly unless they specifically targeted WARP. So it doesn't get blocked.

commented

Closing because there isn't anything I can do as it works properly (both zero trust and unregistered) but we can keep the conversation going.

By SSL error, do you mean you get an invalid certificate or does the connection just not work?

Yes, I get an invalid certificate. Before that, "not secure connection". I tested ssh with my mobile network, not my home network. So the ssh connection is working.

On my laptop warp-cli is already registered. Should I unregister and re-register, then try again? But in the Cloudflare dashboard I can see an un-named device.

Seems like wireguard configuration is working for you. Can you use another dns address?

commented

Seems like wireguard configuration is working for you. Can you use another dns address?

Yes, other DNS servers work fine. I really don't know what's the issue on your end.

Yes, I get invalid certificate.

I'm pretty sure WARP never does that, it has to be something else on your network. What do you get if you ignore the SSL error and continue anyway? If your browser doesn't let you do that because of HSTS, what's the output of curl -kv https://1.1.1.1 when connecting to the VPN?

When you test it, make sure to specify the interface you want to bind to with -I so for example, ping -I cfwarp_interface_name 1.1.1.1. Also, the output of wg as root should be helpful.

Please respond to the above so we know that the connection at least works. I'm suspecting that your ssh connection is not going through the VPN for whatever reason.
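The checks asked for above (wg state, ping bound to the tunnel interface, curl -kv against 1.1.1.1) wrapped into one POSIX shell helper. This is an added example, not code from warp.sh or from anyone in the thread; it assumes the interface is named cfwarp and it classifies the curl output into the outcomes that appear later in this thread (connect failure, aborted TLS handshake, Gateway-signed certificate whose CA is not trusted, clean handshake).

```sh
#!/bin/sh
# Added diagnostic helper (not part of warp.sh). classify_curl reads the
# stderr of `curl -kv https://1.1.1.1` and prints one label:
#   UNREACHABLE           connect failed: no route through the tunnel
#   HANDSHAKE_ABORTED     TCP connected, TLS handshake cut off mid-way
#   GATEWAY_CA_UNTRUSTED  Zero Trust Gateway re-signed the cert and its
#                         issuing CA is not installed on this host
#   OK                    TLS handshake completed
#   UNKNOWN               none of the above patterns matched
classify_curl() {
    out=$(cat)
    case "$out" in
        *"Host is unreachable"*|*"Couldn't connect to server"*) echo UNREACHABLE ;;
        *"SSL_ERROR_SYSCALL"*) echo HANDSHAKE_ABORTED ;;
        *"Gateway Intermediate"*"unable to get local issuer certificate"*)
            echo GATEWAY_CA_UNTRUSTED ;;
        *"SSL connection using"*) echo OK ;;
        *) echo UNKNOWN ;;
    esac
}

# Run the three checks from the thread against a WireGuard interface
# (assumed default name: cfwarp). `wg show` needs root.
run_checks() {
    iface=${1:-cfwarp}
    wg show "$iface" 2>/dev/null | grep -E 'latest handshake|transfer' \
        || echo "no handshake seen on $iface"
    if ping -I "$iface" -c 3 -W 2 1.1.1.1 >/dev/null 2>&1; then
        echo "ping via $iface: ok"
    else
        echo "ping via $iface: FAILED"
    fi
    # stderr (the -v trace) goes to the classifier, the page body is dropped
    curl -kv --interface "$iface" --max-time 15 https://1.1.1.1 2>&1 >/dev/null \
        | classify_curl
}

# Only touch the network when explicitly asked, e.g.:
#   WARP_DIAG_RUN=1 sh warp-diag.sh cfwarp
if [ "${WARP_DIAG_RUN:-0}" = 1 ]; then
    run_checks "$@"
fi
```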

$ curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5

$ nslookup google.com
Server:         2606:4700:4700::1111
Address:        [2606:4700:4700::1111]:53

Non-authoritative answer:
Name:   google.com
Address: 216.58.213.110

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:4017:805::200e

$ curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=1.1.1.1
*  start date: Dec 23 02:55:00 2023 GMT
*  expire date: Apr  9 19:11:24 2024 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; OU=Gateway Intermediate ECC Certificate Authority
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

I'm on mobile right now. I will try on my laptop.

This is when I try zero trust

$ curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5
* connect to 1.1.1.1 port 443 failed: Host is unreachable
* Failed to connect to 1.1.1.1 port 443 after 60 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 1.1.1.1 port 443 after 60 ms: Couldn't connect to server
yusuf-iPhoneu:~# curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5
* connect to 1.1.1.1 port 443 failed: Host is unreachable
* Failed to connect to 1.1.1.1 port 443 after 43 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 1.1.1.1 port 443 after 43 ms: Couldn't connect to server
commented

issuer: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; OU=Gateway Intermediate ECC Certificate Authority
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

https://community.cloudflare.com/t/i-am-unable-to-visit-any-website-by-using-cloudflare-zero-trust/394154/2

Yes, I noticed that. Already downloaded.

commented

Looks like it works fine then? You just have trouble installing that certificate?

This is when I try Zero Trust.

curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5
* connect to 1.1.1.1 port 443 failed: Host is unreachable
* Failed to connect to 1.1.1.1 port 443 after 329 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 1.1.1.1 port 443 after 329 ms: Couldn't connect to server

This is the warp.sh config.

curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5
* connect to 1.1.1.1 port 443 failed: Host is unreachable
* Failed to connect to 1.1.1.1 port 443 after 1825 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 1.1.1.1 port 443 after 1825 ms: Couldn't connect to server
yusuf-iPhoneu:~# curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=1.1.1.1

This is the Proton VPN conf.

curl -kv https://1.1.1.1
*   Trying 1.1.1.1:443...
* Failed to set TCP_KEEPIDLE on fd 5
* Failed to set TCP_KEEPINTVL on fd 5
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 1.1.1.1:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 1.1.1.1:443

Sorry, I meant I noticed that yesterday. Still cannot connect with the WireGuard config.

@rany2

Connected to the mobile network (just to make sure ssh to the host works). On the Debian system I installed the certificate, then wg up for the warp conf file.

curl -kv https://1.1.1.1

*   Trying 1.1.1.1:443...
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=1.1.1.1
*  start date: Dec 21 03:06:00 2023 GMT
*  expire date: May 15 03:44:16 2024 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; OU=Gateway Intermediate ECC Certificate Authority
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: 1.1.1.1]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5649499e0c80)
> GET / HTTP/2
> Host: 1.1.1.1
> user-agent: curl/7.88.1
> accept: */*

Is this the sign that it worked?

Following the Firefox guide:

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

I still get invalid certificate error.

*  issuer: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; OU=Gateway Intermediate ECC Certificate Authority
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

I guess not :D

commented

Why do you want Cloudflare to intercept your HTTPS traffic anyway? Seems like a not so worthwhile effort. Just disable that feature.

I don't know why the WireGuard connection is very unstable for me. Can you share your setup, like are you using Cloudflare DNS?

On mobile, did you edit the WireGuard configuration?