The fun called MTU and Wireguard (troubleshooting MTU issues)

After I started tunneling both IPv4 and IPv6 over WireGuard, I have been running into MTU issues. They showed themselves as HTTPS traffic not working while plain HTTP often still did: the TLS handshake carries large packets (the certificate chain) that exceed the tunnel's path MTU, whereas a small HTTP exchange may never hit that limit.

If you are not aware, WireGuard defaults to an interface MTU of 1420. The TCP MSS has to fit inside that: 1420 minus a 20-byte IPv4 header and a 20-byte TCP header is 1380, and 1420 minus a 40-byte IPv6 header and a 20-byte TCP header is 1360. I have had to clamp the MSS to those values so that traffic works properly.

Clamping on Linux is done like this for IPv4:

iptables -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
iptables -A OUTPUT -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380

Same thing for IPv6:

ip6tables -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A OUTPUT -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

Clamping on EdgeOS, when using Wireguard:

set firewall options mss-clamp interface-type wg
set firewall options mss-clamp mss 1380
set firewall options mss-clamp6 interface-type wg
set firewall options mss-clamp6 mss 1360

Troubleshooting

The easiest way to troubleshoot is to ping with the "don't fragment" bit set, which on Linux (iputils) is ping -M do, combined with -s to pick the payload size. The "do" stands for "do path MTU discovery": the DF bit is set and the packet is never fragmented, so a ping that is too big fails with a "message too long" / "Frag needed" error instead of being silently split up.
For the default 1420 MTU the largest IPv4 echo payload is 1392 bytes (1420 minus 20 for the IP header and 8 for ICMP), and for IPv6 it is 1372 bytes (1420 minus 40 and 8).
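To make that probing repeatable, here is an added shell script (my own example, not code from the original post or from WireGuard) that binary-searches the largest DF-set ping payload that still gets through, converts it to a path MTU, and prints the IPv4 and IPv6 MSS values to clamp. It assumes Linux iputils ping; the host argument, the SIM switch and the simulated 1400-byte path are placeholders of mine so the search can be exercised without sending packets.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: find the path MTU with DF-set
# pings, then derive the TCP MSS values to clamp for IPv4 and IPv6.
# Assumes Linux iputils ping (-M do = do path-MTU discovery: set DF and never
# fragment locally). The SIM switch and 1400-byte path below are constructed.
set -u

# Real probes: one DF-set echo request with payload $2 to host $1; 0 if answered.
probe_v4() { ping -4 -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1; }
probe_v6() { ping -6 -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1; }

# Constructed stand-ins for offline use: model a path whose MTU is
# $SIM_PATH_MTU (default 1400) instead of sending packets. $1 (host) is unused.
sim_probe_v4() { [ $(( $2 + 28 )) -le "${SIM_PATH_MTU:-1400}" ]; }
sim_probe_v6() { [ $(( $2 + 48 )) -le "${SIM_PATH_MTU:-1400}" ]; }

# Binary search for the largest payload that still gets through.
# $1 = probe function, $2 = host, $3 = size assumed to work, $4 = upper bound
find_max_payload() {
  local probe=$1 host=$2 lo=$3 hi=$4 mid
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if "$probe" "$host" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
  done
  echo "$lo"
}

# Echo payload -> on-the-wire packet size: IPv4 20-byte header + 8-byte ICMP
# header; IPv6 40-byte header + 8-byte ICMPv6 header.
mtu_from_payload_v4() { echo $(( $1 + 28 )); }
mtu_from_payload_v6() { echo $(( $1 + 48 )); }

# TCP MSS that fits an MTU: MTU minus IP header minus 20-byte TCP header.
# WireGuard's default 1420 gives 1380 (v4) and 1360 (v6), the clamp values above.
mss_v4() { echo $(( $1 - 40 )); }
mss_v6() { echo $(( $1 - 60 )); }

# Probe both families and print the MSS values to clamp.
# Usage: ./mtu-probe.sh HOST        (real pings)
#        SIM=1 ./mtu-probe.sh HOST  (simulated 1400-byte path)
report() {
  local host=$1 p4=probe_v4 p6=probe_v6 pl mtu
  if [ "${SIM:-0}" = 1 ]; then p4=sim_probe_v4; p6=sim_probe_v6; fi
  # Upper bounds are the largest payloads that fit a 1500-byte Ethernet frame.
  pl=$(find_max_payload "$p4" "$host" 0 1472); mtu=$(mtu_from_payload_v4 "$pl")
  echo "IPv4: path MTU $mtu -> clamp MSS to $(mss_v4 "$mtu")"
  pl=$(find_max_payload "$p6" "$host" 0 1452); mtu=$(mtu_from_payload_v6 "$pl")
  echo "IPv6: path MTU $mtu -> clamp MSS to $(mss_v6 "$mtu")"
}

if [ -n "${1:-}" ]; then report "$1"; fi
```

Run it against a host on the far side of the tunnel; if the reported MTU is below 1420, either lower the wg0 MTU with `ip link set dev wg0 mtu <value>` or clamp the MSS to the printed numbers. Note that a probe that fails at every size usually means ICMP is filtered somewhere on the path rather than a tiny MTU, which is also why the DF bit matters: without it the probe would be fragmented and always succeed.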

One other test you can use is:

curl 167.71.125.57:8080

It should show your IPv4 MTU.

Another test you can use to help you: http://www.letmecheck.it/mtu-test.php (requires ICMP pingable addresses)

Sources used:

  • https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html
  • https://keremerkan.net/posts/wireguard-mtu-fixes/
  • BGPeople Discord Server

© 2018-2021 Skyler Mäntysaari