TLS handshake failing via the WireGuard (PPPoE)

Hi,
I have a WireGuard client set up on my Mikrotik router at home for a specific IP in the LAN only: (http://forum.mikrotik.com/t/routing-specific-ip-only-via-the-vpn-routing-mark-doesnt-work/156492/1)
My MT router has its WAN connection via PPPoE with the MTU set to 1480 automatically. The IP/device routed via the VPN link can’t open basically any https website. It always hangs on the TLS handshake.
I’ve tried lowering the MTU on the WG interface to 1392, 1372 and 1280 from the default 1420, but with no luck. It doesn’t look like a problem with the WG server itself, as I can connect to it from my mobile or laptop while behind the MT and it works fine. Any idea what I should set, and where, to make it work?

Try raising it to 1500 (ensure both sides of the tunnel have the same MTU setting).

If the WireGuard interface is a member of a bridge, check the bridge MTU setting.

I’ve tried with 1500 on PPPoE and 1440 on WG, but it didn’t make any difference.

It is not a bridge interface member.

As per a conversation with MikroTik support I changed the tcp-mss value to 1360 and the MTU on the WG interface to 1400. That didn’t work, so then I remembered that a long time ago I had set the MTU to 9000 and txqueuelen to 10000 on the Debian box running the WG server. Changing them back to 1500 and 1000, in conjunction with MikroTik support’s advice:

/ip firewall/mangle/ add out-interface=pppoe-out1 protocol=tcp tcp-flags=syn action=change-mss new-mss=1360 chain=forward tcp-mss=1301-65535

https://help.mikrotik.com/docs/display/ROS/Mangle#Mangle-ChangeMSS
Did the trick. Thanks.
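To make the MTU arithmetic behind that fix visible, here is an added example (not code from the thread or from MikroTik): it derives the largest TCP MSS a PPPoE -> WireGuard path can carry from standard header sizes, then checks a RouterOS change-mss rule against that budget. The rule strings inside it are constructed for the example; the header sizes are the usual ones (PPPoE 8 bytes, WireGuard over IPv4 60 bytes, IPv4+TCP 40 bytes). With the thread's PPPoE MTU of 1480 the tunnel MTU works out to 1420 and the MSS ceiling to 1380, so a clamp of 1360 sits comfortably under it.

```python
"""Added example: MSS budget for a PPPoE -> WireGuard path and a
sanity check for a RouterOS change-mss mangle rule."""

# Fixed header sizes in bytes (standard, no TCP options).
PPPOE_OVERHEAD = 8             # PPPoE header (6) + PPP protocol id (2)
WG_OVERHEAD = {4: 60, 6: 80}   # outer IP (20/40) + UDP (8) + WireGuard data header (32)
TCP_HEADERS = {4: 40, 6: 60}   # inner IP (20/40) + TCP (20)


def pppoe_mtu(ethernet_mtu=1500):
    """IP MTU available over a PPPoE session (1492 on plain Ethernet)."""
    return ethernet_mtu - PPPOE_OVERHEAD


def wireguard_mtu(underlay_mtu, outer_ip=4):
    """Largest inner packet that fits in one WireGuard datagram on the underlay."""
    return underlay_mtu - WG_OVERHEAD[outer_ip]


def max_mss(path_mtu, inner_ip=4):
    """Largest TCP payload that fits in path_mtu without fragmentation."""
    return path_mtu - TCP_HEADERS[inner_ip]


def parse_rule(rule):
    """Collect the key=value properties of a RouterOS firewall rule line."""
    props = {}
    for token in rule.split():
        if "=" in token:
            key, value = token.split("=", 1)
            props[key] = value
    return props


def clamped_mss(syn_mss, props):
    """MSS a SYN leaves the rule with: rewritten only if it matches tcp-mss."""
    low, high = (int(x) for x in props["tcp-mss"].split("-"))
    if props.get("action") == "change-mss" and low <= syn_mss <= high:
        return int(props["new-mss"])
    return syn_mss


def check_rule(rule, path_mtu, inner_ip=4):
    """Return a list of problems; an empty list means the clamp fits the path."""
    props = parse_rule(rule)
    needed = ("new-mss", "tcp-mss")
    if props.get("action") != "change-mss" or any(k not in props for k in needed):
        return ["not a change-mss rule with new-mss and tcp-mss"]
    problems = []
    if props.get("protocol") != "tcp" or "syn" not in props.get("tcp-flags", ""):
        problems.append("rule should match protocol=tcp tcp-flags=syn only")
    limit = max_mss(path_mtu, inner_ip)
    new_mss = int(props["new-mss"])
    low, high = (int(x) for x in props["tcp-mss"].split("-"))
    if new_mss > limit:
        problems.append(f"new-mss {new_mss} exceeds path limit {limit}")
    if low <= new_mss:
        # Matching MSS values at or below new-mss would *raise* them.
        problems.append(f"tcp-mss lower bound {low} <= new-mss {new_mss}: small MSS values would be raised")
    if high < 65535:
        problems.append(f"SYNs with MSS above {high} are not clamped")
    return problems


if __name__ == "__main__":
    tunnel = wireguard_mtu(1480)          # PPPoE MTU from the thread
    print("tunnel MTU", tunnel, "max MSS", max_mss(tunnel))
    rule = ("/ip firewall mangle add chain=forward out-interface=pppoe-out1 "
            "protocol=tcp tcp-flags=syn tcp-mss=1361-65535 action=change-mss new-mss=1360")
    print("problems:", check_rule(rule, tunnel))
```

The lower-bound check is the part worth keeping in mind: change-mss rewrites every matching SYN to new-mss, so the tcp-mss match range must start above new-mss, otherwise a client that already advertised a smaller MSS gets it increased.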

Dude, you saved my life!!! I spent 2 days trying to find where my issue was.