Project

General

Profile

Actions

New Content #14508

open

Optimizing MTU for VPN Tunnels

Added by Marcos M over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
VPN
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Interfaces with suboptimal MTU values can degrade VPN performance; a document that provides examples/steps to optimize the MTU of different VPN types would help resolve the issue. The doc should contain information on common VPN types available in pfSense software:
  • OpenVPN
  • IPsec (routed/policy)
  • WireGuard

The following assumes a WAN link MTU of 1500. Further testing, e.g. using ping, can be done to optimize the value. Examples of this testing should be provided. The optimized value is set on the interface assignment configuration.

OpenVPN
Setting the MTU on the assigned interface (Interfaces > Assignments) will not work correctly since the OpenVPN daemon sets the MTU to 1500 explicitly. Instead, the value should be configured as a custom option in the server/client configuration. The suggested value is tun-mtu 1428 to account for IPv6 + UDP + OpenVPN Data headers.

IPsec VTI
A starting MTU value of 1400 is used by default which accounts for most tunnel configurations.

WireGuard
Similarly to IPsec VTI, a the starting MTU value of 1420 is used by default.

Actions

Also available in: Atom PDF