Project

General

Profile

Actions

Todo #12756

open

Add information on correct MTU to use with WireGuard

Added by Viktor Gurov about 2 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Category:
WireGuard
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Page: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html

Feedback:

In all four Wireguard configuration recepies, there is no mention of changing the MTU and MSS values

Actions #1

Updated by → luckman212 almost 2 years ago

@viktor or Christian McDonald — What should the MTU be set to? 1420?

I recently spent a few hours troubleshooting a slow site-to-site WG VPN, and in the end it seemed to boil down to needing to manually set the MTU to 1420 on the interfaces of each side of the tunnel.

I notice this used to be automatically set (see https://github.com/pfsense/pfsense/commit/8b9d2275015be7bf8febb1714f8a979d7c5f2beb) but was removed in https://github.com/pfsense/pfsense/commit/281dede0421a0b80183ce5d0305de695eca43b7e and does not appear to have been put back.

Actions #2

Updated by Marcos M almost 2 years ago

https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html

- 20-byte IPv4 header or 40 byte IPv6 header
- 8-byte UDP header
- 4-byte type
- 4-byte key index
- 8-byte nonce
- N-byte encrypted data
- 16-byte authentication tag

1420 for IPv6, 1440 for IPv4.

Actions #3

Updated by Jim Pingle over 1 year ago

  • Subject changed from Feedback on pfSense Configuration Recipes — WireGuard Remote Access VPN Configuration Example to Add information on correct MTU to use with WireGuard
Actions

Also available in: Atom PDF