pfSense » pfSense Docs

Interfaces with suboptimal MTU values can degrade VPN performance; a document that provides examples/steps to optimize the MTU of different VPN types would help resolve the issue. The doc should contain information on common VPN types available in pfSense software:

• OpenVPN
• IPsec (routed/policy)
• WireGuard

The following assumes a WAN link MTU of 1500. Further testing, e.g. using ping, can be done to optimize the value. Examples of this testing should be provided. The optimized value is set on the interface assignment configuration.

OpenVPN
Setting the MTU on the assigned interface (Interfaces > Assignments) will not work correctly since the OpenVPN daemon sets the MTU to 1500 explicitly. Instead, the value should be configured as a custom option in the server/client configuration. The suggested value is tun-mtu 1428 to account for IPv6 + UDP + OpenVPN Data headers.

IPsec VTI
A starting MTU value of 1400 is used by default which accounts for most tunnel configurations.

WireGuard
Similarly to IPsec VTI, a the starting MTU value of 1420 is used by default.