Mullvad Proxy-VMs suddenly stop working (except for mozilla.org, redcross.org and wikipedia.org)

tree · May 17, 2023, 12:48pm

So my proxy-vms have suddenly stopped working (again). They were working yesterday, but today they just don’t. I didn’t do anything I am aware of. A restart hasn’t helped.

I’m using Mullvad, connecting to two different servers using Wireguard. They were set up using Mullvad’s instructions and worked perfectly for a couple of weeks.

I can ping 8.8.8.8, www.google.com and 10.64.0.1 in proxy-vms and app-vms. But Firefox (in the app-vm) remains inoperative (connections time out).

Bizarre fact: For some reason, Firefox (in the app-vms) will connect to pages on www.mozilla.org, and only those pages.
Edit: it turns out wikipedia.org and redcross.org pages will also load, but not e.g. fedoramagazine.org, reddit.com, newyorktimes.com, etc.

I don’t understand any of this. I don’t understand how it could be happening again, I don’t understand how it happens suddenly, I don’t get how Mozilla gets through.

(Additionally, I cannot get Mullvad’s OpenVPN protocol working at all. For no reason I can see.)

Help and insights gratefully received.

ephile · May 17, 2023, 1:21pm

I experienced the same recently. Replacing my OpenVPN config files with new ones I downloaded from Mullvad was sufficient to reconnect. The IP addresses were the same, but they were using different port numbers. However, only changing the port numbers in my original config files didn’t make a difference. ymmv

tree · May 18, 2023, 12:58am

It may not be the VPN - It turns out some .org pages will load, but not anything else (see edits). Hard to see how config files will change that.

But thanks, I may try it later.

disp6252 · May 18, 2023, 2:28am

Try to reduce the MTU value in wireguard config.

tree · May 18, 2023, 6:56am

/etc/wireguard is empty. I don’t know if that means the Mullvad setup does is configuration elsewhere or what. Are you suggesting I make a wg0.conf file, (like here)?

Mullvad support suggested I try sudo ip link set dev eth0 mtu 1300 and similar - I also tried 600, 1000, 1400, 1500 and finally 1280 (based on this). Nothing seems to work.

Except now, not even the .org websites are loading.

taradiddles · May 18, 2023, 9:52am

If you’ve followed Mullvad’s doc, the config is in /home/user of your ProxyVM (eg. /home/user/se9-wireguard.conf). Also, per the doc - on the ProxyVM:

Run curl https://am.i.mullvad.net/connected
Run sudo wg and check for a WireGuard network interface and a peer handshake

And also make sure that DNS properly resolves hostnames there.

If everything works as expected on the ProxyVM you can then begin to debug issues between AppVM and your ProxyVM. Either you can reach the ProxyVM from your AppVM or you can’t - but since you say things partially work inter-vm connectivity should be OK. Your issue could be with the “DNS hijacking” stuff. And/or maybe the pages you can access are simply in your browser’s cache and wireguard is down.

If I were you I’d try to set Mullvad’s socks5 proxy and DoH in firefox’s proxy settings - that way you’ll bypass both the dns hijacking stuff (which seems a bit “fragile” to me) and potential default route issues in the ProxyVM.
[edit - you can also use “Proxy DNS when using SOCKS v5” instead of DoH; note that using both options disables DoH even if DoH is checked - at least that’s what I found out while debugging dns issues on recent versions of firefox]

tree · May 18, 2023, 12:52pm

thankyou @taradiddles, this is really helpful.

In ProxyVM:

sudo wg shows a recent handshake.
curl https://am.i.mullvad.net/connected is not successful.
nslookup and dig give answers that look sensible to me.

AppVM:

ping, nslookup and dig also work, so I think that confirms connectivity between ProxyVM and AppVM.

In the AppVM, I have used both with and without the SOCKS5 and Proxy DNS when using SOCKS v5, although not DoH. Since you say I can use either, I leave it at the SOCKS proxy. But it didn’t help, though.

The .org websites have stopped working too. When they did work, they couldn’t have been from a cache because I had never visited them in that VM (its new).

If you have any suggestions as to where to look next, I’d appreciate it.

taradiddles · May 18, 2023, 1:41pm

^ fix this first ?

I can’t really say what’s the issue on your side though - I’ve quickly created an ProxyVM, copied my wireguard config, wg-quick up ..., and it’s up and running without error (without the “DNS hijacking instructions” so in that case DNS requests from the AppVM don’t go through the vpn).

in both the ProxyVM and AppVM, curl https://am.i.mullvad.net/connected is OK:

You are connected to Mullvad (server <...>). Your IP address is <...>

And on both, pinging mullvad’s sock5 server is OK (ping 10.64.0.1).

Going further, configuring the socks5 proxy (10.64.0.1 / 1080) in firefox and ticking “Proxy DNS when using SOCKS v5” works: https://mullvad.net/en/check returns everything green and a “what is my ip” web search reports one of mullvad’s ip(v6).

Things that could help you compare with your setup (I recommend that you start from scratch)

on ProxyVM:

$ ip rule show
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default

$ systemd-resolve --status
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 10.139.1.1
        DNS Servers 10.139.1.1 10.139.1.2

Link 2 (eth0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.139.1.1
       DNS Servers: 10.139.1.1 10.139.1.2

Link 5 (vif12.0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 7 (wg-mullvad)
Current Scopes: DNS
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.64.0.23
    DNS Domain: ~.

On AppVM:

Hope this helps!

(btw this isn’t a qubes specific issue, maybe a mod will want to move the post to another category).

disp6252 · May 18, 2023, 4:26pm

You can change MTU in wireguard config:
WireGuard - ArchWiki
I think you can set it in mullvad app as well:
Using the Mullvad VPN app - Guides | Mullvad VPN

tree · May 19, 2023, 12:53am

Thanks again for your help.

I ran the tests you suggested. It was a bit different. I don’t have your Link 7 (wg-mullvad), I have Link 3 (us-nyc-wg-301) - that’s the target Mullvad server - and DNS Servers: 10.64.0.1 looks familiar from the SOCKS proxy stuff. I guess this is equivalent to yours, and neither yours nor mine shows a DNS Domain, so I guess this is okay.

my terminal output

$ ip rule show
0:	from all lookup local
32764:	from all lookup main suppress_prefixlength 0
32765:	not from all fwmark 0xca6c lookup 51820
32766:	from all lookup main
32767:	from all lookup default

$ systemd-resolve --status
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 10.139.1.1
        DNS Servers 10.139.1.1 10.139.1.2

Link 2 (eth0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 10.139.1.1 10.139.1.2

Link 3 (us-nyc-wg-301)
Current Scopes: DNS
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 10.64.0.1
    DNS Domain: ~.

Link 4 (vif37.0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

So, from the ProxyVM terminal the problem seems to be signaled by cURL Could not resolve host: am.i.mullvad. Everything else works, (unless that systemd-resolve output indicates a problem).

The AppVM connects to the ProxyVM, has the SOCKS proxy set (with DNS, just like your picture), and nslookup and dig works fine. Just not the browser.

Yes, I am going to start again from scratch.

tree · May 19, 2023, 2:11am

Tried to set up a new Mullvad-VPN, followed their instructions until

$ curl https://am.i.mullvad.net/connected
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to am.i.mullvad.net:443

It pings fine, nslookup fine.

I don’t understand. Suddenly, every qube with a mullvad configuration fails to cURL.

taradiddles · May 19, 2023, 7:37am

10.64.0.1 is the socks5 server (when using wireguard), I’m not sure it’s supposed to be your configured DNS server - although it does resolve host names. So that shouldn’t be an issue, yet for some reason you can’t resolve am.i.mullvad.

Sorry - I can’t really help further. I’d suggest you download a new config file from Mullvad, this time with a different server (maybe us-nyc-wg-301 has a problem), and redo your ProxyVM.

@disp6252 also mentioned MTU. That might be an issue, but DNS requests are usually small packets so DNS should at least work - which isn’t your case. I never had problems with MTU with Mullvad but I had issues on my private wireguard connections - setting the interface’s mtu didn’t help, the only fix was to set TCP’s mss with an nftables/iptables rule. Since Mullvad’s tutorial is using iptables, you can add this to your ProxyVM:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

If you’re willing to put some time, learn how tcpdump works and this will tremendously help you debug any networking issues. At the very least, you could do sudo tcpdump -n -i <wireguard_interface> on your ProxyVM and see if something flows through the interface when you’re using firefox on your AppVM (with the socks proxy and DNS through proxy checked).

tree · May 20, 2023, 3:56am

I really appreciate the help, @taradiddles. However, I’m nearing the end of my rope. I am losing so much time on this.

I added that ^ iptables line to /rw/config/qubes-firewall-user-script (as per Mullvad protocol), restarted, and there’s no change. I’ve played with MTU also, to no effect.

Running tcpdump (I read a bit about it) on the interface yeilded an awful lot of traffic between 10.64.0.1.socks (<- I know that one) and 10.66.198.120.xxxxx (where xxxxx is a number). Those are internal IP addresses, right?

There is occasionally traffic to acouple of IP address that resolves to googleusercontent.com and a few mentions of mozilla - which makes sense, because Firefox in the AppVM is trying to load google.com.

None of that seems surprising to me. I don’t know what else to make of it. I can’t get the <details> thing to work properly, so a chunk of the tcpdump output it is in the detail at the end of this post.

All in all, something very odd is going on. When i sit back and look at this, here’s my history:

my Mica Leah VPN protocol proxyVMs suddenly stopped working. All three instances at once, no explanation. This was on a previous installation of Qubes - I reinstalled Qubes (to this version) to escape the problem.
Mullvad’s openvpn protocol has refused to work on this installation, from Day 1. The AppVM doesn’t work but proxyVM will curl. No idea why.
(I haven’t tried Mica Leah’s protocol again).
After working flawlessly for 3 weeks, these two wireguard proxy-vms both stopped without any action from me. (Apart from, strangely, those .org pages).
a new Mullvad wireguard ProxyVM fails at the first test of curl.
whatever it is, it has to be in the ‘Qubes layer’, becuase its common across qubes.

I may just do the ‘nuclear option’ again - reinstall Qubes - and see what survives. After that, I’m resigned to busting down to Ubuntu again. Not happy about that, but this is too much pain.

Two final questions that you might be able to help me with:

could this be hardware related?
could this be malicious interference?

```

$ sudo tcpdump -n -i us-nyc-wg-301
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on us-nyc-wg-301, link-type RAW (Raw IP), snapshot length 262144 bytes
13:30:31.158402 IP 10.64.0.1.socks > 10.66.198.120.52870: Flags [F.], seq 852999295, ack 608560783, win 84, length 0
13:30:31.158463 IP 10.64.0.1.socks > 10.66.198.120.52868: Flags [F.], seq 1410532481, ack 2731511530, win 84, length 0
13:30:31.158484 IP 10.64.0.1.socks > 10.66.198.120.52878: Flags [F.], seq 1949782828, ack 367523302, win 84, length 0
13:30:31.159524 IP 10.66.198.120.52870 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.159567 IP 10.66.198.120.52868 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.159611 IP 10.66.198.120.52878 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.383587 IP 10.64.0.1.socks > 10.66.198.120.52888: Flags [F.], seq 225119396, ack 2174453533, win 84, length 0
13:30:31.384220 IP 10.66.198.120.52888 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.422760 IP 10.64.0.1.socks > 10.66.198.120.52898: Flags [F.], seq 1038146121, ack 1780982289, win 84, length 0
13:30:31.423333 IP 10.66.198.120.52898 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.425375 IP 10.64.0.1.socks > 10.66.198.120.52886: Flags [F.], seq 3545125939, ack 4209747974, win 84, length 0
13:30:31.425913 IP 10.66.198.120.52886 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.430059 IP 10.64.0.1.socks > 10.66.198.120.52870: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:31.430102 IP 10.64.0.1.socks > 10.66.198.120.52868: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:31.430127 IP 10.64.0.1.socks > 10.66.198.120.52878: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:31.430711 IP 10.66.198.120.52878 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.430749 IP 10.66.198.120.52870 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.430790 IP 10.66.198.120.52868 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.654847 IP 10.64.0.1.socks > 10.66.198.120.52888: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:31.655904 IP 10.66.198.120.52888 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.664924 IP 10.64.0.1.socks > 10.66.198.120.52898: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:31.666693 IP 10.66.198.120.52898 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.671352 IP 10.64.0.1.socks > 10.66.198.120.52886: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:31.672063 IP 10.66.198.120.52886 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:31.732325 IP 34.160.144.191.https > 10.66.198.120.39946: Flags [F.], seq 2122196771, ack 91527001, win 261, length 0
13:30:31.733207 IP 10.66.198.120.39946 > 34.160.144.191.https: Flags [.], ack 4294962839, win 502, options [nop,nop,sack 1 {4294966979:1}], length 0
13:30:32.030090 IP 10.66.198.120.39954 > 34.160.144.191.https: Flags [.], ack 3203317313, win 502, options [nop,nop,sack 1 {4141:4458}], length 0
13:30:32.133547 IP 10.64.0.1.socks > 10.66.198.120.52958: Flags [F.], seq 1844613726, ack 619698795, win 83, length 0
13:30:32.133619 IP 10.64.0.1.socks > 10.66.198.120.52926: Flags [F.], seq 3093801233, ack 2839508172, win 83, length 0
13:30:32.133644 IP 10.64.0.1.socks > 10.66.198.120.52936: Flags [F.], seq 2704609712, ack 2409203344, win 83, length 0
13:30:32.133720 IP 34.160.144.191.https > 10.66.198.120.39954: Flags [F.], seq 4458, ack 1, win 261, length 0
13:30:32.133748 IP 10.64.0.1.socks > 10.66.198.120.52912: Flags [F.], seq 3136383358, ack 1144773169, win 83, length 0
13:30:32.133765 IP 10.64.0.1.socks > 10.66.198.120.52950: Flags [F.], seq 2363465133, ack 285056407, win 83, length 0
13:30:32.133781 IP 10.64.0.1.socks > 10.66.198.120.52940: Flags [F.], seq 1615356379, ack 4061041152, win 83, length 0
13:30:32.133798 IP 10.64.0.1.socks > 10.66.198.120.52954: Flags [F.], seq 191666518, ack 2911929556, win 83, length 0
13:30:32.135659 IP 10.66.198.120.52958 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:32.135694 IP 10.66.198.120.52950 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.135747 IP 10.66.198.120.52926 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.135773 IP 10.66.198.120.52912 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.135798 IP 10.66.198.120.52954 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.135864 IP 10.66.198.120.39954 > 34.160.144.191.https: Flags [.], ack 1, win 502, options [nop,nop,sack 1 {4141:4459}], length 0
13:30:32.135889 IP 10.66.198.120.52936 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.135914 IP 10.66.198.120.52940 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.135967 IP 10.64.0.1.socks > 10.66.198.120.52904: Flags [F.], seq 562045109, ack 789956770, win 84, length 0
13:30:32.137788 IP 10.66.198.120.52904 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:32.247563 IP 10.64.0.1.socks > 10.66.198.120.53026: Flags [F.], seq 2856982610, ack 2953013621, win 83, length 0
13:30:32.248440 IP 10.66.198.120.53026 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.277057 IP 10.64.0.1.socks > 10.66.198.120.52990: Flags [F.], seq 541956602, ack 3642453445, win 83, length 0
13:30:32.277542 IP 10.66.198.120.52990 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.283136 IP 10.64.0.1.socks > 10.66.198.120.53038: Flags [F.], seq 2960755756, ack 3275769497, win 83, length 0
13:30:32.283652 IP 10.66.198.120.53038 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.294523 IP 34.160.144.191.https > 10.66.198.120.39954: Flags [.], ack 1, win 261, length 0
13:30:32.295903 IP 10.64.0.1.socks > 10.66.198.120.53020: Flags [F.], seq 1295135072, ack 1535694127, win 83, length 0
13:30:32.296345 IP 10.66.198.120.53020 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.299934 IP 10.64.0.1.socks > 10.66.198.120.53052: Flags [F.], seq 2657362772, ack 3037593568, win 83, length 0
13:30:32.300297 IP 10.66.198.120.53052 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.313823 IP 10.64.0.1.socks > 10.66.198.120.52974: Flags [F.], seq 2029731282, ack 3234499495, win 84, length 0
13:30:32.315833 IP 10.66.198.120.52974 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:32.323524 IP 10.64.0.1.socks > 10.66.198.120.53004: Flags [F.], seq 3437557608, ack 2588029553, win 83, length 0
13:30:32.324413 IP 10.66.198.120.53004 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.345093 IP 10.64.0.1.socks > 10.66.198.120.53060: Flags [F.], seq 3464352900, ack 90436576, win 83, length 0
13:30:32.346934 IP 10.66.198.120.53060 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:32.398929 IP 10.64.0.1.socks > 10.66.198.120.52904: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:32.398994 IP 10.64.0.1.socks > 10.66.198.120.52958: Flags [P.], seq 4294966917:0, ack 1, win 83, length 379
13:30:32.399021 IP 10.64.0.1.socks > 10.66.198.120.52912: Flags [P.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.399735 IP 10.66.198.120.52904 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:32.399812 IP 10.66.198.120.52912 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.399847 IP 10.66.198.120.52958 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:32.402154 IP 10.64.0.1.socks > 10.66.198.120.52940: Flags [P.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.402193 IP 10.64.0.1.socks > 10.66.198.120.52936: Flags [P.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.402214 IP 10.64.0.1.socks > 10.66.198.120.52950: Flags [P.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.402236 IP 10.64.0.1.socks > 10.66.198.120.52926: Flags [P.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.402256 IP 10.64.0.1.socks > 10.66.198.120.52954: Flags [P.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.402967 IP 10.66.198.120.52950 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.402992 IP 10.66.198.120.52926 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.403023 IP 10.66.198.120.52954 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.403077 IP 10.66.198.120.52940 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.403089 IP 10.66.198.120.52936 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.513177 IP 10.64.0.1.socks > 10.66.198.120.53026: Flags [FP.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.513690 IP 10.66.198.120.53026 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.543549 IP 10.64.0.1.socks > 10.66.198.120.52990: Flags [FP.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.544166 IP 10.66.198.120.52990 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.552059 IP 10.64.0.1.socks > 10.66.198.120.53038: Flags [FP.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.553387 IP 10.66.198.120.53038 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.558260 IP 10.64.0.1.socks > 10.66.198.120.53020: Flags [FP.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.558853 IP 10.66.198.120.53020 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.563937 IP 10.64.0.1.socks > 10.66.198.120.53052: Flags [FP.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.564390 IP 10.66.198.120.53052 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.566454 IP 10.64.0.1.socks > 10.66.198.120.52974: Flags [FP.], seq 4294966618:0, ack 1, win 84, length 678
13:30:32.566927 IP 10.66.198.120.52974 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:32.597037 IP 10.64.0.1.socks > 10.66.198.120.53004: Flags [FP.], seq 4294966909:0, ack 1, win 83, length 387
13:30:32.597519 IP 10.66.198.120.53004 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:32.613900 IP 10.64.0.1.socks > 10.66.198.120.53060: Flags [FP.], seq 4294966917:0, ack 1, win 83, length 379
13:30:32.614741 IP 10.66.198.120.53060 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:35.102052 IP 10.66.198.120.33316 > 10.64.0.1.socks: Flags [.], ack 953623780, win 502, length 0
13:30:35.492769 IP 10.64.0.1.socks > 10.66.198.120.33316: Flags [.], ack 1, win 83, length 0
13:30:35.615264 IP 10.66.198.120.33322 > 10.64.0.1.socks: Flags [.], ack 1894544063, win 502, length 0
13:30:35.869551 IP 10.64.0.1.socks > 10.66.198.120.33322: Flags [.], ack 1, win 83, length 0
13:30:38.685977 IP 10.66.198.120.47106 > 10.64.0.1.socks: Flags [.], ack 1981456307, win 501, length 0
13:30:38.686087 IP 10.66.198.120.47092 > 10.64.0.1.socks: Flags [.], ack 966961080, win 501, length 0
13:30:38.686114 IP 10.66.198.120.46930 > 10.64.0.1.socks: Flags [.], ack 3115418471, win 501, length 0
13:30:38.686144 IP 10.66.198.120.44600 > 10.64.0.1.socks: Flags [.], ack 1384813094, win 501, length 0
13:30:39.013266 IP 10.64.0.1.socks > 10.66.198.120.47106: Flags [.], ack 1, win 84, length 0
13:30:39.013325 IP 10.64.0.1.socks > 10.66.198.120.47092: Flags [.], ack 1, win 84, length 0
13:30:39.013326 IP 10.64.0.1.socks > 10.66.198.120.44600: Flags [.], ack 1, win 84, length 0
13:30:39.013327 IP 10.64.0.1.socks > 10.66.198.120.46930: Flags [.], ack 1, win 84, length 0
13:30:40.360485 IP 10.66.198.120.34656 > 10.64.0.1.socks: Flags [S], seq 1589635149, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:40.510429 IP 10.66.198.120.34660 > 10.64.0.1.socks: Flags [S], seq 1462183464, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:40.669857 IP 10.64.0.1.socks > 10.66.198.120.34656: Flags [S.], seq 4091783280, ack 1589635150, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:40.672087 IP 10.66.198.120.34656 > 10.64.0.1.socks: Flags [R], seq 1589635150, win 0, length 0
13:30:40.672148 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [S], seq 387571028, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:40.758909 IP 10.64.0.1.socks > 10.66.198.120.34660: Flags [S.], seq 1497792078, ack 1462183465, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:40.759275 IP 10.66.198.120.34660 > 10.64.0.1.socks: Flags [R], seq 1462183465, win 0, length 0
13:30:40.921990 IP 10.66.198.120.34680 > 10.64.0.1.socks: Flags [S], seq 545628046, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:40.932764 IP 10.64.0.1.socks > 10.66.198.120.34664: Flags [S.], seq 3487263787, ack 387571029, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:40.933263 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:40.933401 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:41.252780 IP 10.64.0.1.socks > 10.66.198.120.34680: Flags [S.], seq 668975810, ack 545628047, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:41.253384 IP 10.66.198.120.34680 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:41.256124 IP 10.64.0.1.socks > 10.66.198.120.34664: Flags [.], ack 4, win 84, length 0
13:30:41.256247 IP 10.66.198.120.34680 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:41.256268 IP 10.64.0.1.socks > 10.66.198.120.34664: Flags [P.], seq 1:3, ack 4, win 84, length 2
13:30:41.258552 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [.], ack 3, win 502, length 0
13:30:41.258686 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [P.], seq 4:25, ack 3, win 502, length 21
13:30:41.275445 IP 10.66.198.120.34680 > 10.64.0.1.socks: Flags [F.], seq 4, ack 1, win 502, length 0
13:30:41.275538 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [F.], seq 25, ack 3, win 502, length 0
13:30:41.419568 IP 10.66.198.120.44600 > 10.64.0.1.socks: Flags [P.], seq 1:339, ack 1, win 501, length 338
13:30:41.574132 IP 10.64.0.1.socks > 10.66.198.120.34680: Flags [.], ack 4, win 84, length 0
13:30:41.574199 IP 10.64.0.1.socks > 10.66.198.120.34680: Flags [P.], seq 1:3, ack 4, win 84, length 2
13:30:41.574228 IP 10.64.0.1.socks > 10.66.198.120.34664: Flags [P.], seq 3:25, ack 25, win 84, length 22
13:30:41.574249 IP 10.64.0.1.socks > 10.66.198.120.34680: Flags [F.], seq 3, ack 5, win 84, length 0
13:30:41.574269 IP 10.64.0.1.socks > 10.66.198.120.34664: Flags [F.], seq 25, ack 26, win 84, length 0
13:30:41.576099 IP 10.66.198.120.34680 > 10.64.0.1.socks: Flags [R], seq 545628050, win 0, length 0
13:30:41.576133 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [R], seq 387571053, win 0, length 0
13:30:41.576173 IP 10.66.198.120.34680 > 10.64.0.1.socks: Flags [R], seq 545628051, win 0, length 0
13:30:41.576188 IP 10.66.198.120.34664 > 10.64.0.1.socks: Flags [R], seq 387571054, win 0, length 0
13:30:41.708846 IP 10.64.0.1.socks > 10.66.198.120.44600: Flags [P.], seq 1:1222, ack 339, win 84, length 1221
13:30:41.713830 IP 10.66.198.120.44600 > 10.64.0.1.socks: Flags [.], ack 1222, win 492, length 0
13:30:41.732042 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [S], seq 341763258, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:41.758040 IP 10.66.198.120.39946 > 34.160.144.191.https: Flags [.], ack 4294962839, win 502, options [nop,nop,sack 1 {4294966979:1}], length 0
13:30:41.758066 IP 10.66.198.120.52888 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:41.758081 IP 10.66.198.120.52886 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:41.758086 IP 10.66.198.120.52898 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:41.758113 IP 10.66.198.120.52878 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:41.758119 IP 10.66.198.120.52868 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:41.758125 IP 10.66.198.120.52870 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:41.984612 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [S], seq 1082260843, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:42.053981 IP 10.64.0.1.socks > 10.66.198.120.34682: Flags [S.], seq 1454936887, ack 341763259, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:42.054044 IP 34.160.144.191.https > 10.66.198.120.39946: Flags [.], ack 1, win 261, length 0
13:30:42.054077 IP 10.64.0.1.socks > 10.66.198.120.52886: Flags [.], ack 1, win 84, length 0
13:30:42.054098 IP 10.64.0.1.socks > 10.66.198.120.52898: Flags [.], ack 1, win 84, length 0
13:30:42.054115 IP 10.64.0.1.socks > 10.66.198.120.52888: Flags [.], ack 1, win 84, length 0
13:30:42.054132 IP 10.64.0.1.socks > 10.66.198.120.52878: Flags [.], ack 1, win 84, length 0
13:30:42.054147 IP 10.64.0.1.socks > 10.66.198.120.52868: Flags [.], ack 1, win 84, length 0
13:30:42.054163 IP 10.64.0.1.socks > 10.66.198.120.52870: Flags [.], ack 1, win 84, length 0
13:30:42.055589 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:42.055802 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:42.373742 IP 10.64.0.1.socks > 10.66.198.120.34692: Flags [S.], seq 3878893701, ack 1082260844, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:42.373833 IP 10.64.0.1.socks > 10.66.198.120.34682: Flags [.], ack 4, win 84, length 0
13:30:42.373834 IP 10.64.0.1.socks > 10.66.198.120.34682: Flags [P.], seq 1:3, ack 4, win 84, length 2
13:30:42.374426 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:42.374515 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [.], ack 3, win 502, length 0
13:30:42.374558 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [P.], seq 4:25, ack 3, win 502, length 21
13:30:42.374640 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:42.406014 IP 10.66.198.120.52940 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.406065 IP 10.66.198.120.52904 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:42.406279 IP 10.66.198.120.52954 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.406298 IP 10.66.198.120.52950 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.406327 IP 10.66.198.120.52926 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.406354 IP 10.66.198.120.52912 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.406399 IP 10.66.198.120.52936 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.693938 IP 10.64.0.1.socks > 10.66.198.120.34692: Flags [.], ack 4, win 84, length 0
13:30:42.693940 IP 10.64.0.1.socks > 10.66.198.120.34692: Flags [P.], seq 1:3, ack 4, win 84, length 2
13:30:42.694033 IP 10.64.0.1.socks > 10.66.198.120.34682: Flags [P.], seq 3:25, ack 25, win 84, length 22
13:30:42.694034 IP 10.64.0.1.socks > 10.66.198.120.52940: Flags [.], ack 1, win 83, length 0
13:30:42.694034 IP 10.64.0.1.socks > 10.66.198.120.52904: Flags [.], ack 1, win 84, length 0
13:30:42.694035 IP 10.64.0.1.socks > 10.66.198.120.52954: Flags [.], ack 1, win 83, length 0
13:30:42.694035 IP 10.64.0.1.socks > 10.66.198.120.52950: Flags [.], ack 1, win 83, length 0
13:30:42.694700 IP 10.64.0.1.socks > 10.66.198.120.52926: Flags [.], ack 1, win 83, length 0
13:30:42.694700 IP 10.64.0.1.socks > 10.66.198.120.52912: Flags [.], ack 1, win 83, length 0
13:30:42.694743 IP 10.64.0.1.socks > 10.66.198.120.52936: Flags [.], ack 1, win 83, length 0
13:30:42.696261 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [.], ack 3, win 502, length 0
13:30:42.696314 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [P.], seq 4:25, ack 3, win 502, length 21
13:30:42.709300 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [P.], seq 25:542, ack 25, win 502, length 517
13:30:42.784049 IP 10.66.198.120.39954 > 34.160.144.191.https: Flags [.], ack 1, win 502, options [nop,nop,sack 1 {4141:4459}], length 0
13:30:42.784081 IP 10.66.198.120.53060 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:42.784108 IP 10.66.198.120.52974 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:42.784118 IP 10.66.198.120.53052 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.784128 IP 10.66.198.120.53038 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.784137 IP 10.66.198.120.53020 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.784191 IP 10.66.198.120.52958 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:42.784199 IP 10.66.198.120.52990 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.784207 IP 10.66.198.120.53026 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:42.784215 IP 10.66.198.120.53004 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:43.015848 IP 10.64.0.1.socks > 10.66.198.120.34692: Flags [P.], seq 3:25, ack 25, win 84, length 22
13:30:43.015908 IP 10.64.0.1.socks > 10.66.198.120.34682: Flags [P.], seq 4165:4312, ack 542, win 83, length 147
13:30:43.016853 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [.], ack 25, win 502, length 0
13:30:43.025379 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [P.], seq 25:542, ack 25, win 502, length 517
13:30:43.037182 IP 34.160.144.191.https > 10.66.198.120.39954: Flags [.], ack 1, win 261, length 0
13:30:43.041320 IP 10.64.0.1.socks > 10.66.198.120.52974: Flags [.], ack 1, win 84, length 0
13:30:43.041387 IP 10.64.0.1.socks > 10.66.198.120.53052: Flags [.], ack 1, win 83, length 0
13:30:43.041388 IP 10.64.0.1.socks > 10.66.198.120.53020: Flags [.], ack 1, win 83, length 0
13:30:43.041389 IP 10.64.0.1.socks > 10.66.198.120.53004: Flags [.], ack 1, win 83, length 0
13:30:43.041389 IP 10.64.0.1.socks > 10.66.198.120.53060: Flags [.], ack 1, win 83, length 0
13:30:43.041390 IP 10.64.0.1.socks > 10.66.198.120.53038: Flags [.], ack 1, win 83, length 0
13:30:43.041391 IP 10.64.0.1.socks > 10.66.198.120.52958: Flags [.], ack 1, win 83, length 0
13:30:43.041391 IP 10.64.0.1.socks > 10.66.198.120.52990: Flags [.], ack 1, win 83, length 0
13:30:43.049838 IP 10.64.0.1.socks > 10.66.198.120.53026: Flags [.], ack 1, win 83, length 0
13:30:43.332816 IP 10.64.0.1.socks > 10.66.198.120.34692: Flags [P.], seq 4165:4312, ack 542, win 83, length 147
13:30:43.333314 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [.], ack 25, win 502, length 0
13:30:45.854319 IP 10.66.198.120.33316 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:46.212359 IP 10.64.0.1.socks > 10.66.198.120.33316: Flags [.], ack 1, win 83, length 0
13:30:46.366018 IP 10.66.198.120.33322 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:46.696178 IP 10.64.0.1.socks > 10.66.198.120.33322: Flags [.], ack 1, win 83, length 0
13:30:49.438020 IP 10.66.198.120.47106 > 10.64.0.1.socks: Flags [.], ack 1, win 501, length 0
13:30:49.438117 IP 10.66.198.120.47092 > 10.64.0.1.socks: Flags [.], ack 1, win 501, length 0
13:30:49.438141 IP 10.66.198.120.46930 > 10.64.0.1.socks: Flags [.], ack 1, win 501, length 0
13:30:49.735723 IP 10.64.0.1.socks > 10.66.198.120.47106: Flags [.], ack 1, win 84, length 0
13:30:49.735797 IP 10.64.0.1.socks > 10.66.198.120.47092: Flags [.], ack 1, win 84, length 0
13:30:49.735797 IP 10.64.0.1.socks > 10.66.198.120.46930: Flags [.], ack 1, win 84, length 0
13:30:51.742002 IP 10.66.198.120.44600 > 10.64.0.1.socks: Flags [.], ack 1222, win 501, length 0
13:30:52.133710 IP 10.64.0.1.socks > 10.66.198.120.44600: Flags [.], ack 339, win 84, length 0
13:30:52.511130 IP 10.66.198.120.39946 > 34.160.144.191.https: Flags [.], ack 4294962839, win 502, options [nop,nop,sack 1 {4294966979:1}], length 0
13:30:52.511196 IP 10.66.198.120.52888 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:52.511221 IP 10.66.198.120.52886 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:52.511236 IP 10.66.198.120.52898 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:52.511305 IP 10.66.198.120.52878 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:52.511335 IP 10.66.198.120.52868 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:52.511347 IP 10.66.198.120.52870 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:52.641893 IP 10.64.0.1.socks > 10.66.198.120.34682: Flags [F.], seq 4312, ack 542, win 83, length 0
13:30:52.642592 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [.], ack 25, win 502, length 0
13:30:52.773117 IP 34.160.144.191.https > 10.66.198.120.39946: Flags [.], ack 1, win 261, length 0
13:30:52.773173 IP 10.64.0.1.socks > 10.66.198.120.52886: Flags [.], ack 1, win 84, length 0
13:30:52.773196 IP 10.64.0.1.socks > 10.66.198.120.52898: Flags [.], ack 1, win 84, length 0
13:30:52.773217 IP 10.64.0.1.socks > 10.66.198.120.52888: Flags [.], ack 1, win 84, length 0
13:30:52.776429 IP 10.64.0.1.socks > 10.66.198.120.52878: Flags [.], ack 1, win 84, length 0
13:30:52.776471 IP 10.64.0.1.socks > 10.66.198.120.52868: Flags [.], ack 1, win 84, length 0
13:30:52.776493 IP 10.64.0.1.socks > 10.66.198.120.52870: Flags [.], ack 1, win 84, length 0
13:30:52.908376 IP 10.64.0.1.socks > 10.66.198.120.34682: Flags [FP.], seq 4165:4312, ack 542, win 83, length 147
13:30:52.908943 IP 10.66.198.120.34682 > 10.64.0.1.socks: Flags [.], ack 25, win 502, length 0
13:30:52.958053 IP 10.64.0.1.socks > 10.66.198.120.34692: Flags [F.], seq 4312, ack 542, win 83, length 0
13:30:52.958786 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [.], ack 25, win 502, length 0
13:30:53.022394 IP 10.66.198.120.52940 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.022455 IP 10.66.198.120.52904 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:53.022480 IP 10.66.198.120.52936 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.022560 IP 10.66.198.120.52954 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.022574 IP 10.66.198.120.52950 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.022603 IP 10.66.198.120.52926 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.022631 IP 10.66.198.120.52912 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.252776 IP 10.64.0.1.socks > 10.66.198.120.34692: Flags [FP.], seq 4165:4312, ack 542, win 83, length 147
13:30:53.255979 IP 10.66.198.120.34692 > 10.64.0.1.socks: Flags [.], ack 25, win 502, length 0
13:30:53.267972 IP 10.64.0.1.socks > 10.66.198.120.52940: Flags [.], ack 1, win 83, length 0
13:30:53.274626 IP 10.64.0.1.socks > 10.66.198.120.52904: Flags [.], ack 1, win 84, length 0
13:30:53.274747 IP 10.64.0.1.socks > 10.66.198.120.52954: Flags [.], ack 1, win 83, length 0
13:30:53.274748 IP 10.64.0.1.socks > 10.66.198.120.52950: Flags [.], ack 1, win 83, length 0
13:30:53.274749 IP 10.64.0.1.socks > 10.66.198.120.52926: Flags [.], ack 1, win 83, length 0
13:30:53.274750 IP 10.64.0.1.socks > 10.66.198.120.52936: Flags [.], ack 1, win 83, length 0
13:30:53.276697 IP 10.64.0.1.socks > 10.66.198.120.52912: Flags [.], ack 1, win 83, length 0
13:30:53.533968 IP 10.66.198.120.39954 > 34.160.144.191.https: Flags [.], ack 1, win 502, options [nop,nop,sack 1 {4141:4459}], length 0
13:30:53.534087 IP 10.66.198.120.52958 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:53.534113 IP 10.66.198.120.52990 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.534142 IP 10.66.198.120.53026 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.534157 IP 10.66.198.120.53004 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.534240 IP 10.66.198.120.53060 > 10.64.0.1.socks: Flags [.], ack 4294962777, win 502, length 0
13:30:53.534254 IP 10.66.198.120.52974 > 10.64.0.1.socks: Flags [.], ack 4294963858, win 502, length 0
13:30:53.534304 IP 10.66.198.120.53052 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.534330 IP 10.66.198.120.53038 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.534354 IP 10.66.198.120.53020 > 10.64.0.1.socks: Flags [.], ack 4294962769, win 502, length 0
13:30:53.628581 IP 10.66.198.120.60758 > 10.64.0.1.socks: Flags [S], seq 240504264, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:53.878699 IP 10.66.198.120.60770 > 10.64.0.1.socks: Flags [S], seq 363897148, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:53.894347 IP 34.160.144.191.https > 10.66.198.120.39954: Flags [.], ack 1, win 261, length 0
13:30:53.894348 IP 10.64.0.1.socks > 10.66.198.120.53004: Flags [.], ack 1, win 83, length 0
13:30:53.894423 IP 10.64.0.1.socks > 10.66.198.120.52974: Flags [.], ack 1, win 84, length 0
13:30:53.894424 IP 10.64.0.1.socks > 10.66.198.120.53052: Flags [.], ack 1, win 83, length 0
13:30:53.894424 IP 10.64.0.1.socks > 10.66.198.120.53020: Flags [.], ack 1, win 83, length 0
13:30:53.894425 IP 10.64.0.1.socks > 10.66.198.120.52958: Flags [.], ack 1, win 83, length 0
13:30:53.894426 IP 10.64.0.1.socks > 10.66.198.120.52990: Flags [.], ack 1, win 83, length 0
13:30:53.894426 IP 10.64.0.1.socks > 10.66.198.120.53026: Flags [.], ack 1, win 83, length 0
13:30:53.896021 IP 10.64.0.1.socks > 10.66.198.120.53060: Flags [.], ack 1, win 83, length 0
13:30:53.896059 IP 10.64.0.1.socks > 10.66.198.120.53038: Flags [.], ack 1, win 83, length 0
13:30:53.907466 IP 10.64.0.1.socks > 10.66.198.120.60758: Flags [S.], seq 1696240004, ack 240504265, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:53.907953 IP 10.66.198.120.60758 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:53.908102 IP 10.66.198.120.60758 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.215147 IP 10.64.0.1.socks > 10.66.198.120.60770: Flags [S.], seq 4095481414, ack 363897149, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.215148 IP 10.64.0.1.socks > 10.66.198.120.60758: Flags [.], ack 4, win 84, length 0
13:30:54.215245 IP 10.64.0.1.socks > 10.66.198.120.60758: Flags [P.], seq 1:3, ack 4, win 84, length 2
13:30:54.215844 IP 10.66.198.120.60770 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.215894 IP 10.66.198.120.60758 > 10.64.0.1.socks: Flags [.], ack 3, win 502, length 0
13:30:54.216001 IP 10.66.198.120.60758 > 10.64.0.1.socks: Flags [P.], seq 4:36, ack 3, win 502, length 32
13:30:54.216056 IP 10.66.198.120.60770 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.535633 IP 10.64.0.1.socks > 10.66.198.120.60770: Flags [.], ack 4, win 84, length 0
13:30:54.535634 IP 10.64.0.1.socks > 10.66.198.120.60770: Flags [P.], seq 1:3, ack 4, win 84, length 2
13:30:54.535772 IP 10.64.0.1.socks > 10.66.198.120.60758: Flags [P.], seq 3:13, ack 36, win 84, length 10
13:30:54.539241 IP 10.66.198.120.60770 > 10.64.0.1.socks: Flags [.], ack 3, win 502, length 0
13:30:54.539301 IP 10.66.198.120.60770 > 10.64.0.1.socks: Flags [P.], seq 4:36, ack 3, win 502, length 32
13:30:54.545311 IP 10.66.198.120.60758 > 10.64.0.1.socks: Flags [P.], seq 36:553, ack 13, win 502, length 517
13:30:54.630433 IP 10.66.198.120.53004 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.630594 IP 10.66.198.120.53020 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.631202 IP 10.66.198.120.53026 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.636693 IP 10.66.198.120.53038 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.636756 IP 10.66.198.120.53052 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.636784 IP 10.66.198.120.52974 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.636798 IP 10.66.198.120.52904 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.636880 IP 10.66.198.120.52990 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.636913 IP 10.66.198.120.39946 > 34.160.144.191.https: Flags [F.], seq 1, ack 4294962839, win 502, options [nop,nop,sack 1 {4294966979:1}], length 0
13:30:54.636926 IP 10.66.198.120.52958 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962777, win 502, length 0
13:30:54.636952 IP 10.66.198.120.52912 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.636978 IP 10.66.198.120.52926 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.637998 IP 10.66.198.120.52936 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.638036 IP 10.66.198.120.52940 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.638121 IP 10.66.198.120.52950 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.638206 IP 10.66.198.120.52954 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962769, win 502, length 0
13:30:54.638720 IP 10.66.198.120.52898 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.638756 IP 10.66.198.120.52886 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.638802 IP 10.66.198.120.39954 > 34.160.144.191.https: Flags [F.], seq 1, ack 1, win 502, options [nop,nop,sack 1 {4141:4459}], length 0
13:30:54.638890 IP 10.66.198.120.52888 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.639046 IP 10.66.198.120.33316 > 10.64.0.1.socks: Flags [F.], seq 1, ack 1, win 502, length 0
13:30:54.639645 IP 10.66.198.120.53060 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294962777, win 502, length 0
13:30:54.646926 IP 10.66.198.120.52868 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.646954 IP 10.66.198.120.33322 > 10.64.0.1.socks: Flags [F.], seq 1, ack 1, win 502, length 0
13:30:54.646977 IP 10.66.198.120.52878 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.646984 IP 10.66.198.120.52870 > 10.64.0.1.socks: Flags [F.], seq 1, ack 4294963858, win 502, length 0
13:30:54.647819 IP 10.66.198.120.60776 > 10.64.0.1.socks: Flags [S], seq 3564343542, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647844 IP 10.66.198.120.60820 > 10.64.0.1.socks: Flags [S], seq 1767273262, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647869 IP 10.66.198.120.60850 > 10.64.0.1.socks: Flags [S], seq 1897207555, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647915 IP 10.66.198.120.60790 > 10.64.0.1.socks: Flags [S], seq 1200444066, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647935 IP 10.66.198.120.60798 > 10.64.0.1.socks: Flags [S], seq 2311782882, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647944 IP 10.66.198.120.60814 > 10.64.0.1.socks: Flags [S], seq 2424513126, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647953 IP 10.66.198.120.60832 > 10.64.0.1.socks: Flags [S], seq 667513956, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647967 IP 10.66.198.120.60842 > 10.64.0.1.socks: Flags [S], seq 1854170428, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.647978 IP 10.66.198.120.60854 > 10.64.0.1.socks: Flags [S], seq 2569171453, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.691856 IP 10.66.198.120.60862 > 10.64.0.1.socks: Flags [S], seq 1860517291, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.700902 IP 10.66.198.120.56172 > 10.139.1.1.domain: 58204+ [1au] AAAA? incoming.telemetry.mozilla.org. (59)
13:30:54.700930 IP 10.66.198.120.57795 > 10.139.1.1.domain: 35156+ [1au] A? incoming.telemetry.mozilla.org. (59)
13:30:54.700949 IP 10.66.198.120.46643 > 10.139.1.1.domain: 30127+ [1au] A? incoming.telemetry.mozilla.org. (59)
13:30:54.700983 IP 10.66.198.120.48609 > 10.139.1.1.domain: 27936+ [1au] AAAA? incoming.telemetry.mozilla.org. (59)
13:30:54.700999 IP 10.66.198.120.48688 > 34.160.144.191.https: Flags [S], seq 628118502, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.701008 IP 10.66.198.120.60870 > 10.64.0.1.socks: Flags [S], seq 2233600122, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.708497 IP 10.66.198.120.60872 > 10.64.0.1.socks: Flags [S], seq 4247294765, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.717183 IP 10.66.198.120.47426 > 10.139.1.1.domain: 53258+ [1au] A? content-signature-2.cdn.mozilla.net. (64)
13:30:54.717221 IP 10.66.198.120.53802 > 10.139.1.1.domain: 34169+ [1au] A? prod.content-signature-chains.prod.webservices.mozgcp.net. (86)
13:30:54.722999 IP 10.66.198.120.60878 > 10.64.0.1.socks: Flags [S], seq 3101104061, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.852982 IP 10.64.0.1.socks > 10.66.198.120.60770: Flags [P.], seq 3:13, ack 36, win 84, length 10
13:30:54.853048 IP 10.64.0.1.socks > 10.66.198.120.60758: Flags [P.], seq 4153:4532, ack 553, win 83, length 379
13:30:54.856157 IP 10.66.198.120.60758 > 10.64.0.1.socks: Flags [.], ack 13, win 502, length 0
13:30:54.861838 IP 10.66.198.120.60770 > 10.64.0.1.socks: Flags [P.], seq 36:553, ack 13, win 502, length 517
13:30:54.877134 IP 10.64.0.1.socks > 10.66.198.120.53004: Flags [.], ack 2, win 83, length 0
13:30:54.880666 IP 10.64.0.1.socks > 10.66.198.120.53020: Flags [.], ack 2, win 83, length 0
13:30:54.883491 IP 10.64.0.1.socks > 10.66.198.120.53026: Flags [.], ack 2, win 83, length 0
13:30:54.906194 IP 10.64.0.1.socks > 10.66.198.120.53038: Flags [.], ack 2, win 83, length 0
13:30:54.906252 IP 10.64.0.1.socks > 10.66.198.120.52990: Flags [.], ack 2, win 83, length 0
13:30:54.909222 IP 10.66.198.120.60886 > 10.64.0.1.socks: Flags [S], seq 151262521, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.909332 IP 10.66.198.120.60902 > 10.64.0.1.socks: Flags [S], seq 1846096659, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.909428 IP 10.66.198.120.60894 > 10.64.0.1.socks: Flags [S], seq 4230512325, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.909453 IP 10.66.198.120.60918 > 10.64.0.1.socks: Flags [S], seq 455749531, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.909485 IP 10.66.198.120.60932 > 10.64.0.1.socks: Flags [S], seq 1375440884, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.910555 IP 10.66.198.120.60934 > 10.64.0.1.socks: Flags [S], seq 159976976, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.910597 IP 10.66.198.120.60948 > 10.64.0.1.socks: Flags [S], seq 29108129, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.910624 IP 10.66.198.120.60954 > 10.64.0.1.socks: Flags [S], seq 404013389, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.910713 IP 10.66.198.120.60938 > 10.64.0.1.socks: Flags [S], seq 2652082780, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.915549 IP 10.64.0.1.socks > 10.66.198.120.52958: Flags [.], ack 2, win 83, length 0
13:30:54.915624 IP 10.64.0.1.socks > 10.66.198.120.52912: Flags [.], ack 2, win 83, length 0
13:30:54.915625 IP 10.64.0.1.socks > 10.66.198.120.53052: Flags [.], ack 2, win 83, length 0
13:30:54.915625 IP 10.64.0.1.socks > 10.66.198.120.52974: Flags [.], ack 2, win 84, length 0
13:30:54.915626 IP 10.64.0.1.socks > 10.66.198.120.52904: Flags [.], ack 2, win 84, length 0
13:30:54.915627 IP 10.64.0.1.socks > 10.66.198.120.52926: Flags [.], ack 2, win 83, length 0
13:30:54.915627 IP 10.64.0.1.socks > 10.66.198.120.52936: Flags [.], ack 2, win 83, length 0
13:30:54.915739 IP 10.64.0.1.socks > 10.66.198.120.52940: Flags [.], ack 2, win 83, length 0
13:30:54.915770 IP 10.64.0.1.socks > 10.66.198.120.52950: Flags [.], ack 2, win 83, length 0
13:30:54.915771 IP 10.64.0.1.socks > 10.66.198.120.52954: Flags [.], ack 2, win 83, length 0
13:30:54.915771 IP 10.64.0.1.socks > 10.66.198.120.52898: Flags [.], ack 2, win 84, length 0
13:30:54.915772 IP 10.64.0.1.socks > 10.66.198.120.52886: Flags [.], ack 2, win 84, length 0
13:30:54.915772 IP 10.64.0.1.socks > 10.66.198.120.33316: Flags [.], ack 2, win 83, length 0
13:30:54.915773 IP 10.64.0.1.socks > 10.66.198.120.52888: Flags [.], ack 2, win 84, length 0
13:30:54.915773 IP 10.64.0.1.socks > 10.66.198.120.53060: Flags [.], ack 2, win 83, length 0
13:30:54.915774 IP 10.64.0.1.socks > 10.66.198.120.52868: Flags [.], ack 2, win 84, length 0
13:30:54.915854 IP 10.64.0.1.socks > 10.66.198.120.52878: Flags [.], ack 2, win 84, length 0
13:30:54.915854 IP 10.64.0.1.socks > 10.66.198.120.52870: Flags [.], ack 2, win 84, length 0
13:30:54.915855 IP 10.64.0.1.socks > 10.66.198.120.33322: Flags [.], ack 2, win 83, length 0
13:30:54.915856 IP 10.64.0.1.socks > 10.66.198.120.60776: Flags [S.], seq 1549669655, ack 3564343543, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.916879 IP 10.66.198.120.60776 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.919696 IP 34.160.144.191.https > 10.66.198.120.39946: Flags [.], ack 2, win 261, length 0
13:30:54.919743 IP 34.160.144.191.https > 10.66.198.120.39954: Flags [.], ack 2, win 261, length 0
13:30:54.927282 IP 10.66.198.120.60776 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.927321 IP 10.64.0.1.socks > 10.66.198.120.60850: Flags [S.], seq 1481271449, ack 1897207556, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.927348 IP 10.64.0.1.socks > 10.66.198.120.60790: Flags [S.], seq 732377874, ack 1200444067, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.927359 IP 10.64.0.1.socks > 10.66.198.120.60832: Flags [S.], seq 248917698, ack 667513957, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.927367 IP 10.64.0.1.socks > 10.66.198.120.60854: Flags [S.], seq 235300265, ack 2569171454, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.927375 IP 10.64.0.1.socks > 10.66.198.120.60820: Flags [S.], seq 2127589503, ack 1767273263, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.927385 IP 10.64.0.1.socks > 10.66.198.120.60798: Flags [S.], seq 3257484443, ack 2311782883, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.927392 IP 10.64.0.1.socks > 10.66.198.120.60814: Flags [S.], seq 2907667558, ack 2424513127, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.927400 IP 10.64.0.1.socks > 10.66.198.120.60842: Flags [S.], seq 2303244279, ack 1854170429, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.928313 IP 10.66.198.120.60850 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.928333 IP 10.66.198.120.60820 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.928382 IP 10.66.198.120.60790 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.928394 IP 10.66.198.120.60832 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.928401 IP 10.66.198.120.60854 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.928407 IP 10.66.198.120.60798 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.928418 IP 10.66.198.120.60814 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.928429 IP 10.66.198.120.60842 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.929451 IP 10.66.198.120.60854 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.929477 IP 10.66.198.120.60842 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.929489 IP 10.66.198.120.60832 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.929496 IP 10.66.198.120.60814 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.929503 IP 10.66.198.120.60798 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.929519 IP 10.66.198.120.60790 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.929544 IP 10.66.198.120.60850 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.929557 IP 10.66.198.120.60820 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.942165 IP 10.66.198.120.60968 > 10.64.0.1.socks: Flags [S], seq 3200147546, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.949514 IP 10.66.198.120.48696 > 34.160.144.191.https: Flags [S], seq 2466578910, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.951027 IP 10.66.198.120.60982 > 10.64.0.1.socks: Flags [S], seq 1215656712, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.956110 IP 10.64.0.1.socks > 10.66.198.120.60862: Flags [S.], seq 1613481183, ack 1860517292, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.956437 IP 10.66.198.120.60862 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.956543 IP 10.66.198.120.60862 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.958712 IP 10.66.198.120.60994 > 10.64.0.1.socks: Flags [S], seq 1009894277, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.959516 IP 10.139.1.1.domain > 10.66.198.120.46643: 30127 3/0/1 CNAME telemetry-incoming.r53-2.services.mozilla.com., CNAME prod.ingestion-edge.prod.dataops.mozgcp.net., A 34.120.208.123 (191)
13:30:54.962302 IP 10.64.0.1.socks > 10.66.198.120.60870: Flags [S.], seq 401435267, ack 2233600123, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.963186 IP 10.66.198.120.60870 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.963381 IP 10.66.198.120.60870 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.965442 IP 10.64.0.1.socks > 10.66.198.120.60872: Flags [S.], seq 1976755944, ack 4247294766, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.965483 IP 10.139.1.1.domain > 10.66.198.120.48609: 27936 2/1/1 CNAME telemetry-incoming.r53-2.services.mozilla.com., CNAME prod.ingestion-edge.prod.dataops.mozgcp.net. (271)
13:30:54.965483 IP 10.139.1.1.domain > 10.66.198.120.56172: 58204 2/1/1 CNAME telemetry-incoming.r53-2.services.mozilla.com., CNAME prod.ingestion-edge.prod.dataops.mozgcp.net. (271)
13:30:54.965484 IP 10.139.1.1.domain > 10.66.198.120.57795: 35156 3/0/1 CNAME telemetry-incoming.r53-2.services.mozilla.com., CNAME prod.ingestion-edge.prod.dataops.mozgcp.net., A 34.120.208.123 (191)
13:30:54.965888 IP 10.66.198.120.60872 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.966674 IP 10.66.198.120.57885 > 10.139.1.1.domain: 26043+ [1au] A? prod.ingestion-edge.prod.dataops.mozgcp.net. (72)
13:30:54.967726 IP 10.66.198.120.38135 > 10.139.1.1.domain: 62109+ [1au] AAAA? prod.ingestion-edge.prod.dataops.mozgcp.net. (72)
13:30:54.967760 IP 10.66.198.120.37414 > 10.139.1.1.domain: 38051+ [1au] AAAA? prod.ingestion-edge.prod.dataops.mozgcp.net. (72)
13:30:54.967779 IP 10.66.198.120.60872 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:54.968907 IP 34.160.144.191.https > 10.66.198.120.48688: Flags [S.], seq 682198871, ack 628118503, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 8], length 0
13:30:54.968963 IP 10.139.1.1.domain > 10.66.198.120.47426: 53258 3/0/1 CNAME content-signature-chains.prod.autograph.services.mozaws.net., CNAME prod.content-signature-chains.prod.webservices.mozgcp.net., A 34.160.144.191 (224)
13:30:54.972477 IP 10.66.198.120.48688 > 34.160.144.191.https: Flags [.], ack 1, win 502, length 0
13:30:54.976646 IP 10.66.198.120.48688 > 34.160.144.191.https: Flags [P.], seq 1:213, ack 1, win 502, length 212
13:30:54.976774 IP 10.66.198.120.filenet-pa > 10.64.0.1.socks: Flags [S], seq 2544834035, win 64240, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
13:30:54.976889 IP 10.64.0.1.socks > 10.66.198.120.60878: Flags [S.], seq 2648016750, ack 3101104062, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:54.976946 IP 10.139.1.1.domain > 10.66.198.120.53802: 34169 1/0/1 A 34.160.144.191 (102)
13:30:54.978921 IP 10.66.198.120.60878 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:54.979001 IP 10.66.198.120.60878 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:55.173170 IP 10.64.0.1.socks > 10.66.198.120.60770: Flags [P.], seq 4153:4532, ack 553, win 83, length 379
13:30:55.173245 IP 10.64.0.1.socks > 10.66.198.120.60886: Flags [S.], seq 3425664773, ack 151262522, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.173246 IP 10.64.0.1.socks > 10.66.198.120.60902: Flags [S.], seq 1132814371, ack 1846096660, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.173247 IP 10.64.0.1.socks > 10.66.198.120.60918: Flags [S.], seq 2375731050, ack 455749532, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.173247 IP 10.64.0.1.socks > 10.66.198.120.60932: Flags [S.], seq 3608895825, ack 1375440885, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.173248 IP 10.64.0.1.socks > 10.66.198.120.60894: Flags [S.], seq 1848122203, ack 4230512326, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.175646 IP 10.66.198.120.60770 > 10.64.0.1.socks: Flags [.], ack 13, win 502, length 0
13:30:55.175696 IP 10.66.198.120.60902 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:55.175722 IP 10.66.198.120.60902 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:55.175837 IP 10.66.198.120.60886 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:55.175852 IP 10.66.198.120.60918 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:55.175865 IP 10.66.198.120.60894 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:55.175885 IP 10.66.198.120.60932 > 10.64.0.1.socks: Flags [.], ack 1, win 502, length 0
13:30:55.175898 IP 10.66.198.120.60886 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:55.175910 IP 10.66.198.120.60932 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:55.175922 IP 10.66.198.120.60918 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:55.175933 IP 10.66.198.120.60894 > 10.64.0.1.socks: Flags [P.], seq 1:4, ack 1, win 502, length 3
13:30:55.176087 IP 10.64.0.1.socks > 10.66.198.120.60934: Flags [S.], seq 4278665404, ack 159976977, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.176088 IP 10.64.0.1.socks > 10.66.198.120.60948: Flags [S.], seq 4189835227, ack 29108130, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.177708 IP 10.64.0.1.socks > 10.66.198.120.60954: Flags [S.], seq 3812241130, ack 404013390, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.177753 IP 10.64.0.1.socks > 10.66.198.120.60938: Flags [S.], seq 3149143109, ack 2652082781, win 42780, options [mss 1380,nop,wscale 9], length 0
13:30:55.177776 IP 10.64.0.1.socks > 10.66.198.120.60776: Flags [.], ack 4, win 84, length 0

</details>

disp6252 · May 20, 2023, 5:19am

I can suggest you to create a test HVM, attach your network controller to it, connect to VPN in it and check if firefox will work there with no problem.

disp6252 · May 20, 2023, 5:49am

My final choice would be to go for clamp-mss-to-pmtu just before MASQUERADING in proxyvms and netvms.

This issue is still active. My current solution is to add to /rw/config/rc.local of my wireguard VPN VM:
iptables -t nat -I POSTROUTING 3 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Path MTU discovery does not work when using WireGuard VPN · Issue #5264 · QubesOS/qubes-issues · GitHub

taradiddles · May 21, 2023, 6:52am

yes, 10.66.198.120 is you qube’s ip address (xxxx is the source port).

Well - in light of your rather odd issue, you can’t exclude either; I doubt there’s “malicious interference”. It could be hardware related but that would also be very unlikely since you’re able to establish the vpn, and network connectivity works.

I’m a bit at a loss to find what could cause your issue. If you’re not too fed up with trying and stuff and haven’t switched to ubuntu, you should try to isolate and test each part of your setup, eg.

run firefox (with a clean profile) in a regular AppVM, without any ProxyVM
if OK, set up and start Mullvad VPN in the AppVM, and run firefox
if OK, set mullvad’s socks proxy + “dns over socks” in firefox (still in the AppVM).
if you got there, then create a ProxyVM but don’t configure mullvad yet. Configure your AppVM’s networkvm to use ProxyVM
in your AppVM, temporary unset the proxy/dns stuff. Check that you have access to web sites.
if OK, set up mullvad in your ProxyVM.

tree · May 22, 2023, 12:25am

Thanks for your input, disp6252. however, I am embarrassed to say I don’t understand what this means. You mean sys-firewall or sys-net or…?
HVM (with Mullvad set up in it) → sys-net ?
or
HVM → Proxy → sys-firewall → sys-net?

What would that achieve?

tree · May 22, 2023, 12:48am

Unfortunately, adding that iptables line does not work: Firefox says “proxy server is refusing connections”.

Thanks though.

disp6252 · May 22, 2023, 4:59am

I mean to say that you can create a copy of sys-net with your network controller in it, set up mullvad in it and check if firefox will work inside this VM. That way you can check the setup without MTU problem.

I still think this is 100% MTU problem. What’s you current connection looks like? Like this?
sys-net -> sys-firewall -> sys-mullvad -> firefox-appvm (firefox with socks5 or without?)
Or do you have something more like VPN over VPN setup?
Try to find the MTU values for your VMs with ping:
ping x.x.x.x -s yyyy -M do
Where x.x.x.x - any reachable downstream IP address for this VM and yyyy - size of the packet (MSS).
So the calculations are like this:
MTU = MSS + packet headers (IP header + protocol header (udp/tcp/icmp/etc) + metadata header )(vpn/socks/etc)
If you have default interface MTU in sys-net set to 1500 then when you ping with 1472 packet size (1500 - 20 (IP header) - 8 (icmp header)) then ping should be successful.
Then check ping in sys-mullvad/firefox-appvm but reduce the packet size by wireguard overhead. For IPv4 only wireguard connection the overhead is 60 bytes = 20 (IP header) + 8 (icmp header) + 32 (wireguard metadata header) for IPv6 it’s 80 (40 + 8 + 32) but I’ll assume you’ll only use IPv4. So for sys-mullvad/firefox-appvm MTU should be 1500-20-8-32=1440 and MSS for ping should be 1440-20-8=1412. So the ping with 1412 packet size in sys-mullvad/firefox-appvm should work.
You can also find out the value of MTU with curl:
curl https://browserleaks.com/ip | grep MTU
or
curl 167.71.125.57:8080

tree · May 23, 2023, 2:21am

@disp6252 , I really appreciate your efforts but I have to be honest. I’ve hit my technical limit. You could be speaking another language here, its just beyond me.

That’s exactly what my setup has looked like (all 7 times, with OpenVPN or Wireguard).

I get (in my appVM):

[user@test4 ~]$ ping 8.8.8.8 -s 1412 -M do
PING 8.8.8.8 (8.8.8.8) 1412(1440) bytes of data.
From 10.137.0.34 icmp_seq=1 Frag needed and DF set (mtu = 1420)
ping: local error: message too long, mtu=1420

but 20 less on the MTU:

[user@test4 ~]$ ping 8.8.8.8 -s 1392 -M do
PING 8.8.8.8 (8.8.8.8) 1392(1420) bytes of data.
76 bytes from 8.8.8.8: icmp_seq=1 ttl=117 (truncated)

I don’t know what to do with this information - is it banal or significant?
In any case, I cannot curl from this VM.