44Net Connect trouble

I have followed the newest directions in the manual and have the Pi connected to the 44Net tunnel via WireGuard; however, it will not register or connect to the AllStar repo. I have the firewall zone for 44NetConnect configured for IAX2 and EchoLink. EchoLink is up and working fine but cannot connect to AllStar.

```
wget -4q -O- https://www.allstarlink.org/myip.php
44.27.129.117

rpt show registrations
Host Username Perceived Refresh State
52.44.147.201:443 64839 0 Not Registered
1 HTTP registration.

********** AllStarLink [ASL] Version Info **********

OS : Debian GNU/Linux 13 (trixie)
OS Kernel : 6.12.62+rpt-rpi-v8

Asterisk : 22.7.0+asl3-3.7.1-1.deb13
ASL [app_rpt] : 3.7.1
```

Please provide the output of asl-node-auth-check.

```
asl-node-auth-check

-----===== AllStarLink Node Authentication Check =====-----

Checking configuration:
Info: Skipping evaluation of private node 1996
Info: rpt.conf has configuration for: 64839
Info: /etc/asterisk/iax.conf contains no registration lines.
Info: /etc/asterisk/rpt_http_registrations.conf contains 1 registration line(s)
Info: Registrations present for configured node(s): 64839
Warning: IP test to https://conntest-east1.allstarlink.org/ip failed
Warning: IP test to https://conntest-west1.allstarlink.org/ip failed
Warning: IP test to https://conntest-west2.allstarlink.org/ip failed
Warning: IP test to udp://conntest-east1.allstarlink.org:4570 failed
Info: IP from udp://conntest-west1.allstarlink.org:4569 reports: 44.27.129.117
Info: IP from udp://conntest-west2.allstarlink.org:4569 reports: 44.27.129.117
Error: HTTP IP probes DO NOT have consensus on the same perceived IP! CGNAT?
OK: IAX IP probes have consensus on the same perceived IP

Testing node 64839:
OK: Node registration config is well-formed
OK: Node registration type is HTTP
Error: register.allstarlink.org is unreachable (via HTTP)
Error: HTTP registration state is Not Registered
Info: Stopping node checks due to registration failure
Info: as further information will be unreliable

Error: Node 64839 has 1 error(s)!
```

Changing registration from HTTP to IAX seems to be working at the moment. The node is using a 44Net IP and I can connect to my cloud hub as well as have incoming EchoLink connections; however, it will not connect to ASL servers for updates.

EDIT: Also seeing asl-telemetry failing to start.

Cannot reconcile configuration as removing /etc/asterisk/rpt_http_registrations.conf contains 1 registration line(s) removes the node password from the node setup. IAX registration is incomplete and only partially working at this time. Switching back to HTTP registration. I hope you guys get this sorted soon!

```
-----===== AllStarLink Node Authentication Check =====-----

Checking configuration:
Info: Skipping evaluation of private node 1997
Info: rpt.conf has configuration for: 64839
Info: /etc/asterisk/iax.conf contains 1 registration line(s)
Info: /etc/asterisk/rpt_http_registrations.conf contains 1 registration line(s)
Info: Registrations present for configured node(s): 64839, 64839
Error: Duplicated HTTP and IAX registrations for: 64839
Error: Cannot continue; reconcile configuration before proceeding
```

```
sudo apt update
Hit:1 Index of /debian trixie InRelease
Get:2 Index of /debian trixie-updates InRelease [47.3 kB]
Get:3 Index of /debian-security trixie-security InRelease [43.4 kB]
Get:4 Index of /debian trixie InRelease [54.9 kB]
Get:5 Index of /debian-security trixie-security/main arm64 Packages [119 kB]
Get:6 Index of /debian-security trixie-security/main Translation-en [74.1 kB]
Get:7 Index of /debian trixie/main arm64 Packages [424 kB]
Ign:8 Index of /public/ trixie InRelease
Ign:8 Index of /public/ trixie InRelease
Ign:8 Index of /public/ trixie InRelease
Err:8 Index of /public/ trixie InRelease
SSL connection failed: error:0A000126:SSL routines::unexpected eof while reading / Success [IP: 104.21.40.206 443]
Fetched 762 kB in 1min 8s (11.2 kB/s)
21 packages can be upgraded. Run 'apt list --upgradable' to see them.
Warning: Failed to fetch https://repo.allstarlink.org/public/dists/trixie/InRelease SSL connection failed: error:0A000126:SSL routines::unexpected eof while reading / Success [IP: 104.21.40.206 443]
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
```

My first guess is that the MTU size of your WireGuard interface is too large. I’ve seen this problem before, particularly with mobile connections. This generally tends to break anything requiring SSL.

This is not an AllStarLink issue. You have at least two problems - one of general network connectivity and you have dueling IAX and HTTP registrations configured. The latter is likely you hand-editing configuration files. Remove the IAX registration line from iax.conf.

The other one about package downloads I cannot replicate. That's the Cloudflare CDN and it seems to be fine. Do you have any sort of odd routing or overriding of allstarlink.org domains in DNS or something?

MTU size is 1380 per the 44net wg-quick configuration.

The problem is HTTP is not working at all with WireGuard to the 44Net IP. Switching to IAX creates the duplicate registration problem but partially solves the usability problem, as this makes inbound connections work for other nodes and EchoLink; however, it does not fully register with AllStar, breaking updates and other things. Removing HTTP from /etc/asterisk/rpt_http_registrations.conf removes the password from the node setup but resolves the duplicate registration; however, it will not connect to ASL servers. So are you telling me there is no proper way to switch to IAX registration? Because removing IAX registration lines as you propose defaults to HTTP, which does not work. So please explain it to me like I’m retarded, how do I use a 44Net Connect tunnel with ASL3 to allow inbound traffic to get past CGNAT?

To determine whether MTU is the problem, try this.

While connected to 44net, ping a remote host, such as google.com, specifying flags for size and not to fragment packets. Subtract 28 for your target MTU size. For example, a size of 1500 would be 1472. If the size is too large, then you’ll see errors. Keep subtracting the size by 10 until it works.

Here is example output from one of my systems. I am starting with something that is outside the range on purpose.

I’m doing this using Tailscale and an exit node, not 44net, so results will probably be different.



```
asl@pt-shari:~ $ ping google.com -c 10 -M do -s 1472

PING google.com (172.253.122.101) 1472(1500) bytes of data.
ping: sendmsg: Message too long
^C
--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

asl@pt-shari:~ $ ping google.com -c 10 -M do -s 1462
PING google.com (142.251.45.174) 1462(1490) bytes of data.
ping: sendmsg: Message too long
^C
--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

asl@pt-shari:~ $ ping google.com -c 10 -M do -s 1322
PING google.com (142.250.72.14) 1322(1350) bytes of data.
ping: sendmsg: Message too long
^C
--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

asl@pt-shari:~ $ ping google.com -c 10 -M do -s 1302
PING google.com (172.253.115.101) 1302(1330) bytes of data.
ping: sendmsg: Message too long
^C
--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

asl@pt-shari:~ $ ping google.com -c 10 -M do -s 1262
PING google.com (172.253.122.113) 1262(1290) bytes of data.
ping: sendmsg: Message too long
^C
--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

asl@pt-shari:~ $ ping google.com -c 10 -M do -s 1252
PING google.com (172.253.115.101) 1252(1280) bytes of data.
1260 bytes from bg-in-f101.1e100.net (172.253.115.101): icmp_seq=1 ttl=100 time=29.3 ms
1260 bytes from bg-in-f101.1e100.net (172.253.115.101): icmp_seq=2 ttl=100 time=29.4 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 29.269/29.346/29.424/0.077 ms
asl@pt-shari:~ $

```

So, from this, I can determine that the optimal MTU size on this particular link is 1280, since 1252 is the size that finally worked without packet fragmentation.

If I were to try that same thing off of the Tailscale configuration, I would get an optimal MTU of 1500, at least with this fiber ISP.
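The manual ping test from the post above, automated as an added example that is not part of the original thread: it binary-searches the largest payload that passes with the Don't Fragment flag set and adds the 28 bytes the post mentions. The function names, the `--run` argument and the 1200 to 1472 search bounds are assumptions made for this sketch; it expects the Linux iputils `ping` used in the post.

```sh
#!/bin/sh
# Added example (not from the thread): find the path MTU through a tunnel.
# TARGET, the function names and the default bounds are illustrative.

TARGET="${TARGET:-google.com}"   # same test host as the post above

# probe SIZE -> exit 0 if a DF-flagged IPv4 echo with SIZE payload bytes
# gets at least one reply out of two attempts.
probe() {
    ping -4 -c 2 -W 2 -M do -s "$1" "$TARGET" >/dev/null 2>&1
}

# find_max_payload LO HI -> prints the largest payload in [LO, HI] that
# passes. Returns 1 if even LO fails, which points at a problem other
# than MTU (routing, firewall, DNS).
find_max_payload() {
    _lo=$1
    _hi=$2
    probe "$_lo" || return 1
    while [ "$_lo" -lt "$_hi" ]; do
        _mid=$(( (_lo + _hi + 1) / 2 ))
        if probe "$_mid"; then
            _lo=$_mid
        else
            _hi=$(( _mid - 1 ))
        fi
    done
    echo "$_lo"
}

# path_mtu LO HI -> payload + 20 (IPv4 header) + 8 (ICMP header)
path_mtu() {
    _payload=$(find_max_payload "$1" "$2") || return 1
    echo $(( _payload + 28 ))
}

# Only touch the network when asked to: ./mtu-probe.sh --run
if [ "${1:-}" = "--run" ]; then
    if mtu=$(path_mtu 1200 1472); then
        echo "Largest unfragmented payload: $(( mtu - 28 )) bytes; path MTU: $mtu"
    else
        echo "Even a 1200-byte payload failed to $TARGET; not an MTU-only issue" >&2
        exit 1
    fi
fi
```

Run it while the tunnel is up and compare the reported value with the MTU configured on the tunnel interface.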

Your HTTP registration not working is a symptom of another network-related problem. It will work on 44Net under normal conditions, and should be used. See my previous post(s) for a possible solution.

1420 is the max MTU when using WireGuard; it requires 80 bytes by default.

WireGuard is an encapsulation protocol. This means it takes your original data packet and wraps it inside a new, encrypted packet. This wrapping process requires space for extra headers:

IPv4/IPv6 Header: 20 bytes (IPv4) or 40 bytes (IPv6).

UDP Header: 8 bytes.

WireGuard Specific Headers: 32 bytes (includes Type, Receiver Index, Nonce, and Authentication Tag).

To ensure compatibility with both IPv4 and IPv6, WireGuard typically accounts for the larger 40-byte IPv6 header.

40 (IPv6) + 8 (UDP) + 32 (WireGuard) = 80 bytes of overhead

For registration, you didn't "Switch" - you duplicated. If you want to use IAX reg, that's fine, but comment out the registration line in rpt_http_registrations.conf then. However, if IAX reg is working and HTTP is not, then most likely none of your traffic is really using 44Net properly.

I sincerely doubt it's an MTU issue. @KB9VKQ - Did you set up WireGuard exactly as described in 44Net Connect for ASL - AllStarLink Manual? If not, how are you matching/routing traffic to use the 44Net tunnel?

If you will read my previous post, I did remove the HTTP registration there and it completely wiped the node password from the node setup.

Also, yes, the WireGuard setup was done per the latest instructions that were updated around the first part of March, so unless something has changed since, it should be correct. I have a HamVoIP image that runs perfectly through another 44Net tunnel. This tunnel is set at router level and is not using WireGuard on the Pi.

I'm not sure how you're doing it, but you cannot use asl-menu if that's what you're doing. If you want IAX registration only for certain, then do this:

  1. Edit /etc/asterisk/iax.conf and make sure your register => line is present with the password
  2. Edit /etc/asterisk/modules.conf and change the line require = res_rpt_http_registrations.so to noload = res_rpt_http_registrations.so
  3. Completely restart asterisk
  4. Observe the output of iax2 show registrations and rpt show registrations in the console. You should see ONLY a registration (attempt) from IAX
  5. Run asl-node-auth-check and see what it reports.

You also didn't answer the other part of my questions.