algo icon indicating copy to clipboard operation
algo copied to clipboard

Published 20 hours ago verified publisher icon trailofbits

No internet on certain WiFi connection

Open codedmon opened this issue 5 years ago • 11 comments

Setup:

  • Running Algo on an DigitalOcean droplet. Connect to it via WireGuard Android app.

Issue:

  • I am able to connect to my Algo VPN via my mobile connection (Verizon) and my home WiFi, no issues. My work has (2) wireless access points (WAP). The first WAP is for company owned devices and the second is a "guest" WAP that visitors can use. Employees also use the second WAP with their personal devices. When I connect to the WAP, I have no internet connection. The WireGuard Android app is very plain, not many features and options. I don't even see a real-time log so I can see what might be going on when connected to this particular WAP.

I suspect that this WAP is blocking the connection to my VPN (port?). Any suggestions on troubleshooting this?

codedmon avatar Jan 23 '20 04:01 codedmon

I don't have any experience with the Android WireGuard app. The iOS app has an option in the settings screen to "View log".

What if you try using an IPsec client?

TC1977 avatar Jan 24 '20 21:01 TC1977

I don't have any experience with the Android WireGuard app. The iOS app has an option in the settings screen to "View log".

What if you try using an IPsec client?

I read on another thread that IPSEC support was depreciated for Android.

codedmon avatar Jan 24 '20 21:01 codedmon

Try to switch WireGuard to 443 or 80 port

jackivanov avatar Jan 27 '20 07:01 jackivanov

Try to switch WireGuard to 443 or 80 port

How would i go about doing this? Does this require a new server to be setup or can i edit existing files via SSH?

codedmon avatar Jan 27 '20 12:01 codedmon

Check #1707 for an up-to-date discussion of how to do this with an existing server.

But since (I've heard) it's not uncommon for hostile networks to block UDP/51820 or even all UDP, you might be better off trying IPsec (which uses UDP/500 and 4500) or Open VPN (which uses TCP/1194, and can be changed). WireGuard only uses UDP ports, so switching to UDP/80 or UDP/443 might not help much.

TC1977 avatar Jan 27 '20 18:01 TC1977

Check #1707 for an up-to-date discussion of how to do this with an existing server.

WireGuard only uses UDP ports, so switching to UDP/80 or UDP/443 might not help much.

Thanks for the link. I can run a netstat command to see which ports are open.

codedmon avatar Jan 27 '20 20:01 codedmon

Running netstat on your Android will only tell you that WireGuard isn't passing a connection out. Netstat would help a lot more if you can run it on the WAP, to determine that it's actually passing a WireGuard connection through. But if you can run netstat on the WAP...

TC1977 avatar Jan 27 '20 21:01 TC1977

Running netstat on your Android will only tell you that WireGuard isn't passing a connection out. Netstat would help a lot more if you can run it on the WAP, to determine that it's actually passing a WireGuard connection through. But if you can run netstat on the WAP...

I'm a newb when I'm comes to networking. I googled how to see which ports are open and assumed i could run the netstat command on a Windows machine hooked to the WAP. Is there another way to find if the WAP allows UDP connections?

codedmon avatar Jan 27 '20 21:01 codedmon

Well, WhatsApp and FaceTime (to give two examples) use UDP for streaming. Are those blocked?

TC1977 avatar Jan 28 '20 03:01 TC1977

I have the same problem, ipsec ike isn't blocked on the network but Wireguard and Openvpn etc are all blocked. This means a macbook can get on the vpn. But my windows machine I can't get to work. Strongswan supports windows, but algo doesn't.

Thomvh avatar Jan 28 '20 10:01 Thomvh

Well, WhatsApp and FaceTime (to give two examples) use UDP for streaming. Are those blocked?

I don't use either of those apps. I did run the netstat command on the network and none of the UDP ports mentioned were shown.

codedmon avatar Jan 29 '20 04:01 codedmon