After I started tunneling IPv4 and IPv6, I have been seeing MTU issues with WireGuard. They showed up as HTTPS traffic not working while HTTP might still work, because of the difference in packet sizes.
If you are not aware, WireGuard defaults to an MTU of 1420, which means I have had to clamp the TCP MSS to 1380 (IPv4) and 1360 (IPv6) so that traffic would work fine.
Clamping on Linux is done like this for IPv4:
iptables -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
iptables -A OUTPUT -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
Same thing for IPv6:
ip6tables -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A OUTPUT -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
Clamping on EdgeOS, when using WireGuard:
set firewall options mss-clamp interface-type wg
set firewall options mss-clamp mss 1380
set firewall options mss-clamp6 interface-type wg
set firewall options mss-clamp6 mss 1360
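A small added calculator, not part of the original post, that derives the 1420 tunnel MTU and the 1380/1360 MSS values above from the header sizes and prints the matching clamp rules; it assumes a 1500-byte outer path MTU, WireGuard's 32-byte transport header, and the interface name wg0.

```shell
#!/bin/sh
# Added example (not from the original post): derive the WireGuard MTU and
# the TCP MSS clamp values, then emit the matching iptables rules.
# Assumptions: 1500-byte outer path MTU, WireGuard's 32-byte transport
# header (4 type + 4 receiver index + 8 counter + 16 Poly1305 tag), wg0.

# Inner (tunnel) MTU = outer MTU - outer IP header - UDP header - WireGuard header.
# WireGuard's 1420 default is exactly the IPv6-outer case of this formula.
wg_mtu() {            # $1 = outer path MTU, $2 = outer IP version (4|6)
  if [ "$2" = 6 ]; then ip_hdr=40; else ip_hdr=20; fi
  echo $(( $1 - $ip_hdr - 8 - 32 ))
}

# MSS = tunnel MTU - inner IP header - 20-byte TCP header (no TCP options
# counted), which is how 1420 becomes 1380 for IPv4 and 1360 for IPv6.
tcp_mss() {           # $1 = tunnel MTU, $2 = inner IP version (4|6)
  if [ "$2" = 6 ]; then ip_hdr=40; else ip_hdr=20; fi
  echo $(( $1 - $ip_hdr - 20 ))
}

# Print (do not apply) the clamp rules for one address family on one interface.
clamp_rules() {       # $1 = interface, $2 = inner IP version (4|6), $3 = MSS
  if [ "$2" = 6 ]; then tool=ip6tables; else tool=iptables; fi
  for chain in FORWARD OUTPUT; do
    printf '%s -A %s -o %s -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s\n' \
      "$tool" "$chain" "$1" "$3"
  done
}

# Worked run: tunnel carried over IPv6 on a 1500-byte path, both families inside.
inner=$(wg_mtu 1500 6)        # 1420, matching the WireGuard default
clamp_rules wg0 4 "$(tcp_mss "$inner" 4)"
clamp_rules wg0 6 "$(tcp_mss "$inner" 6)"
```

The script only prints the rules; review them and apply them yourself, and lower the outer MTU argument if your uplink path is smaller than 1500 bytes.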
The easiest way to troubleshoot is to ping with the "don't fragment" bit set, which on Linux is:
ping -M do
Even though the option says do, its effect is the opposite: it forbids fragmentation.
One other test you can use is:
It should show your IPv4 MTU.
Another test you can use to help you: http://www.letmecheck.it/mtu-test.php (requires ICMP pingable addresses)
- BGPeople Discord Server