Automated build from blog source

github-actions[bot] · github-actions[bot] · commit 5d4eb49e9466 · 2025-08-29T07:12:29.000Z
diff --git a/tech_blog.html b/tech_blog.html
@@ -44,6 +44,7 @@ <h1 id="titl"></h1>
 
     <script>
         const blogs_map = [
+            [5, "What you dont know (in networking) can hurt you", "28 Aug 2025"],
             [4, "Be careful of Python for loops (or Python in general)", "29 Jul 2025"],
             [3, "Downsides of Alpine linux", "27 Jun 2025"],
             [2, "Create a custom ORM", "27 Jun 2025"],
diff --git a/tech_blog/5.html b/tech_blog/5.html
@@ -0,0 +1,147 @@
+<p>I wanted to create my first wireguard tunnel so I can learn more
+about networking and tunneling and host my own data center. It actually
+worked pretty well except for some things. This was back in March. It
+was not until now that I was able to fix those things.</p>
+<p>So I resigned myself to try to be as simple as possible just so I
+could get a proof of concept working. I wanted to have a cloud VPS with
+a public IP be the server/router and have all the client traffic go
+through that.</p>
+<h2 id="issues">Issues</h2>
+<p>I got it set up and was able to do just about everything except for
+three things: - ssh into servers not connected to the VPN or the VPN ip
+itself (it just hangs) - push things to git servers - In a SSH session
+from client to client, typing things in for example it is really jumpy
+and laggy</p>
+<h2 id="configuration">Configuration</h2>
+<p>Server</p>
+<pre><code>[Interface]
+PrivateKey = &lt;server_private_key&gt;
+Address = 10.66.66.1/24
+ListenPort = &lt;port&gt;
+PostUp = iptables -I INPUT -p udp --dport &lt;port&gt; -j ACCEPT
+PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
+PostUp = iptables -I FORWARD -i &lt;physical_interface_name&gt; -o wg0 -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -o &lt;physical_interface_name&gt; -j MASQUERADE
+
+PostDown = iptables -D INPUT -p udp --dport $port -j ACCEPT
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
+PostDown = iptables -D FORWARD -i &lt;physical_interface_name&gt; -o wg0 -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -o &lt;physical_interface_name&gt; -j MASQUERADE
+
+[Peer]
+PublicKey = &lt;client1_pub_key&gt;
+AllowedIPs = 10.66.66.2/32
+
+[Peer]
+PublicKey = &lt;client2_pub_key&gt;
+AllowedIPs = 10.66.66.3/32</code></pre>
+<p>client1</p>
+<pre><code>[Interface]
+PrivateKey = &lt;client1_private_key&gt;
+Address = 10.66.66.2/32
+
+[Peer]
+PublicKey = &lt;server_pub_key&gt;
+AllowedIPs = 0.0.0.0
+Endpoint = &lt;server_physical_ip&gt;:&lt;port&gt;</code></pre>
+<p>client2</p>
+<pre><code>[Interface]
+PrivateKey = &lt;client2_private_key&gt;
+Address = 10.66.66.3/32
+
+[Peer]
+PublicKey = &lt;server_pub_key&gt;
+AllowedIPs = 0.0.0.0
+Endpoint = &lt;server_physical_ip&gt;:&lt;port&gt;</code></pre>
+<p>If you are experienced at networking and/or tunnels you may know the
+issue. In order to investigate the issue of the ssh issues I tried ssh
+-v</p>
+<pre><code>$ ssh -v &lt;username&gt;@&lt;vpn_server_vpn_ip&gt;
+... connection established
+... authenticating
+... loading keys
+... algorithm negotiation
+expecting SSH2_MSG_KEX_ECDH_REPLY
+&lt;hangs&gt;</code></pre>
+<p>Hmm, am I breaking the ssh server where it is not sending back the
+ecdh reply? The server is still up</p>
+<p>I guess this is ok because I can ssh off the VPN.</p>
+<p>For the second issue, pushing things using git, I had no idea what to
+do, so I moved onto the third issue which I thought would be more fun to
+debug, the jumpyness.</p>
+<h2 id="jumpyness">Jumpyness</h2>
+<p>Doing a simple ping from client to client, I see, I see weird
+things</p>
+<p>From client1</p>
+<pre><code>$ ping client2
+64 bytes from &lt;ip&gt;: icmp_seq=1 ttl=61 time=219 ms
+64 bytes from &lt;ip&gt;: icmp_seq=2 ttl=61 time=136 ms
+64 bytes from &lt;ip&gt;: icmp_seq=3 ttl=61 time=363 ms
+64 bytes from &lt;ip&gt;: icmp_seq=4 ttl=61 time=107 ms
+64 bytes from &lt;ip&gt;: icmp_seq=5 ttl=61 time=105 ms
+64 bytes from &lt;ip&gt;: icmp_seq=6 ttl=61 time=125 ms
+64 bytes from &lt;ip&gt;: icmp_seq=7 ttl=61 time=250 ms
+64 bytes from &lt;ip&gt;: icmp_seq=9 ttl=61 time=496 ms</code></pre>
+<p>Yeah my eyes and fingers are not deceiving me,there is definitely
+something wrong. One ping 1 second different than the other takes 5
+times the amount of time, which is not normal</p>
+<p>One thing I thought of is that it was quite a circuotus route, like
+the traffic goes from the Pacific Northwest to the bay area and back so
+there could be a lot of network congestion there compared to if I just
+hosted the VPN server in Oregon or something. This turned out to not be
+true, because of this:</p>
+<p>From client1</p>
+<pre><code>$ ping vpn_server_private_ip
+64 bytes from 10.66.67.1: icmp_seq=1 ttl=62 time=36.6 ms
+64 bytes from 10.66.67.1: icmp_seq=2 ttl=62 time=33.8 ms
+64 bytes from 10.66.67.1: icmp_seq=3 ttl=62 time=37.4 ms
+64 bytes from 10.66.67.1: icmp_seq=4 ttl=62 time=34.7 ms
+64 bytes from 10.66.67.1: icmp_seq=5 ttl=62 time=34.2 ms
+64 bytes from 10.66.67.1: icmp_seq=6 ttl=62 time=34.2 ms</code></pre>
+<p>Pinging the VPN server takes the same round trip since both clients
+are in the pacific northwest, so why is client to client jumpier?</p>
+<p>Could it be routing rules? I dont have much experience in this, so I
+wanted to rule everything out that I knew how to measure first.</p>
+<h2 id="speedtest">speedtest</h2>
+<p>If you have access to two servers, you can do a speed test between
+them. I used iperf3. Here is a speedtest from client to client</p>
+<pre><code>Interval         Transfer      Bitrate        Retr  Cwnd
+0.00-1.00   sec  1.30 MBytes  10.9 Mbits/sec    0    146 KBytes       
+1.00-2.00   sec  2.58 MBytes  21.6 Mbits/sec    0    258 KBytes       
+2.00-3.00   sec  4.23 MBytes  35.5 Mbits/sec    0    440 KBytes       
+3.00-4.00   sec  5.52 MBytes  46.3 Mbits/sec    0    684 KBytes       
+4.00-5.00   sec  4.25 MBytes  35.6 Mbits/sec   22    395 KBytes       
+5.00-6.00   sec  2.74 MBytes  23.0 Mbits/sec    5    306 KBytes       
+6.00-7.00   sec  3.74 MBytes  31.4 Mbits/sec    0    325 KBytes       
+7.00-8.00   sec  3.68 MBytes  30.9 Mbits/sec    0    335 KBytes       
+8.00-9.00   sec  3.86 MBytes  32.4 Mbits/sec    3    236 KBytes       
+9.00-10.00  sec  2.70 MBytes  22.6 Mbits/sec    0    281 KBytes</code></pre>
+<p>If I am interpreting the data right, I am seeing around 30Mb/s
+average? That is kind of slow because on speedtest.net I get 300Mb/s.
+Now I dont know if these tests are apples and oranges, but I suspect
+that this is still slow.</p>
+<h2 id="packet-fragmentation">Packet Fragmentation</h2>
+<p>Looking more into wireguard and the options it has, I discovered the
+MTU option. Apparently if a packet is too big to go through a network
+hop’s width, it will get split (fragmented). How to test this is to send
+messages with nofrag flag and see if you get responses. If you get no
+responses, the message got dropped because it could not fit through nor
+fragmented.</p>
+<p>Here is a ping test sending the do not fragment flag between a client
+and the server</p>
+<pre><code>$ ping -M do -s 1393 10.66.67.1
+PING 10.66.67.1 (10.66.67.1) 1393(1421) bytes of data.
+ping: local error: message too long, mtu=1420
+ping: local error: message too long, mtu=1420</code></pre>
+<p>Looks like the max MTU of the network is 1420</p>
+<pre><code>PING 10.66.67.1 (10.66.67.1) 1392(1420) bytes of data.
+1400 bytes from 10.66.67.1: icmp_seq=1 ttl=62 time=33.2 ms
+1400 bytes from 10.66.67.1: icmp_seq=2 ttl=62 time=33.4 ms</code></pre>
+<p>The default MTU wireguard sets is 1420, which seems correct since
+packets will not be fragmented if sent or received with a MTU of
+1420.</p>
+<p>Trying the client to client test, we get the same MTU discovery, but
+with the usual worse ping results.</p>
+<h1 id="conclusion">Conclusion</h1>
+<p>Currently I dont know something about networking and/or tunnels, and
+it is killing me.</p>
