pfSense » pfSense Docs

@viktor or Christian McDonald — What should the MTU be set to? 1420?

I recently spent a few hours troubleshooting a slow site-to-site WG VPN, and in the end it seemed to boil down to needing to manually set the MTU to 1420 on the interfaces of each side of the tunnel.

I notice this used to be automatically set (see https://github.com/pfsense/pfsense/commit/8b9d2275015be7bf8febb1714f8a979d7c5f2beb) but was removed in https://github.com/pfsense/pfsense/commit/281dede0421a0b80183ce5d0305de695eca43b7e and does not appear to have been put back.

https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html

- 20-byte IPv4 header or 40 byte IPv6 header
- 8-byte UDP header
- 4-byte type
- 4-byte key index
- 8-byte nonce
- N-byte encrypted data
- 16-byte authentication tag

1420 for IPv6, 1440 for IPv4.

I've seen multiple statements that the Wireguard default MTU is 1420. However I can't find that specified in any WG documentation.
The man page for `wg-quick` states:

MTU — if not specified, the MTU is automatically determined from
the endpoint addresses or the system default route, which is
usually a sane choice. However, to manually specify an MTU to
override this automatic discovery, this value may be specified
explicitly.

Nonetheless. I agree it would be good to add a Note to the Netgate wireguard documentation that fragmentation may occur with the default MTU of 1500 for assigned wireguard interfaces, and that a reasonable MTU for IPv4 would be `1440` and `1420` for IPv6.

docs:
https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/assign.html#assign-a-wireguard-interface
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html#assign-interface
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html#assign-interface
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2ms.html#assign-interface