Wireguard and MTU/MSS issues

Hello:

I’m having a ton of issues with my Point to Point (P2P) wireguard configuration. Site description:
Hub (main) has public IPs, and is a main router for the org
Site B is a LTE-connected remote site with some devices that need direct routing in/out as well as an encrypted tunnel through the LTE network. All lan-side traffic is tunneled through the wireguard by setting an explicit route for the wireguard server through LTE and then changing the default route to be the HUB router.

Originally, the Hub router was a pfSense box, and with MTU and MSS set on the interface page, everything was working. The Hub pfSense router died recently, and was replaced with a Mikrotik CCR1016. Wireguard itself is working; traffic is tunneling, etc. However, there are some “random” failures happening.

The easiest test is duckduckgo will not load. This was the test the last time too, and once I got the MTU and MSS set on pfSense, the site loaded and all was good. There is another test, too: I have an EoIP tunnel for a HD HomeRun tv tuner located at the hub site (connected to an older Mikrotik router just doing the EoIP tunnel); the other end is the Mikrotik LTE router. I’ve set the MTU down to 1390 and checked “MSS clamping” option. These were working with the pfSense configuration.

I AM seeing the full expected speed across the wireguard tunnel. I just cannot access duckduckgo or bankofamerica, some other sites (like ebay) have random page fail-to-load (a reload fixes it), and I’m unable to get a video stream to establish over the EoIP tunnel (which runs through the wireguard tunnel).

I think these are the relevant configurations from the HUB side:

> /interface/wireguard/print
Flags: X - disabled; R - running 
 0  R name="wireguard1" mtu=1420 listen-port=51820 

 > /ip/firewall/mangle/print
Flags: X - disabled, I - invalid; D - dynamic 
 0 X  chain=forward action=change-mss new-mss=1350 passthrough=yes tcp-flags=syn 
      protocol=tcp out-interface=wireguard1 tcp-mss=1351-65535 log=no

The “raw” internet at this HUB system is connected via ethernet to a raw fiber internet feed; MTU is 1500.

I’ve done a lot of work on this now, and can’t seem to get to the bottom of what’s going on. I’ve changed MTU multiple times, adjusting MSS, turned off MSS clamping, etc., and just can’t get this link to work as well as it did with pfSense on the “hub” end. Any suggestions/pointers?

A few (hopefully some helpful) thoughts.

If your hub is using pppoe, you will need to reduce the size of the wireguard vpn to 1412. (assuming MTU/MRU of 1492)

You should probably also have the MSS setting for traffic coming in from the wireguard vpn, and perhaps use PMTU MSS (rather than a fixed size). Use PMTU on the outbound-through-wireguard MSS rule as well.

add action=change-mss chain=forward comment="Clamp MSS to PMTU" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp\
 tcp-flags=syn in-interface=wireguard1

For the eoip bridge, you can force its mtu to be 1500. (Less efficient perhaps, but often more useful)

You can also force set the wireguard mtu to 1500. (Less efficient)

Some/much of the above requires pmtu discovery to be working (enough…)
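The numbers in this thread (1420, 1412, 1390, 1350) all come from subtracting header overhead layer by layer, and it helps to see that arithmetic in one place. The following is an added example, not code from either post or from MikroTik: it computes the WireGuard MTU for a given link, the TCP MSS that fits inside it for IPv4 and IPv6, and the EoIP MTU that avoids a second round of fragmentation when EoIP rides inside the tunnel. The header sizes are assumptions (RFC values for IP/UDP/TCP/Ethernet, 32 bytes for the WireGuard data-message header, 8 bytes for MikroTik's EoIP GRE header); confirm them with a packet capture on your own links before relying on the results.

```python
"""MTU / MSS budget for a WireGuard tunnel that may also carry EoIP.

Added example, not code from the forum thread or from MikroTik. Header sizes
below are assumptions; verify them with a capture before trusting the output.
"""

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 20
ETH_HDR = 14
WG_DATA_HDR = 32   # type+reserved(4) + receiver index(4) + counter(8) + Poly1305 tag(16)
EOIP_GRE_HDR = 8   # assumption: MikroTik EoIP GRE header size


def wireguard_overhead(outer_ipv6: bool) -> int:
    """Bytes added around every packet that enters the WireGuard tunnel."""
    return (IPV6_HDR if outer_ipv6 else IPV4_HDR) + UDP_HDR + WG_DATA_HDR


def wireguard_mtu(link_mtu: int, outer_ipv6: bool = True) -> int:
    """Largest inner packet that still fits the underlying link unfragmented.

    Planning for an IPv6 outer header gives the conservative value:
    1500 -> 1420 (WireGuard's default), 1492 (PPPoE) -> 1412.
    """
    return link_mtu - wireguard_overhead(outer_ipv6)


def tcp_mss_for(path_mtu: int, inner_ipv6: bool = False) -> int:
    """TCP MSS that keeps a full segment within path_mtu (no IP/TCP options)."""
    return path_mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def eoip_mtu_for(path_mtu: int) -> int:
    """Largest Ethernet payload an EoIP tunnel can carry over a path of
    path_mtu without the outer GRE packet being fragmented."""
    return path_mtu - (IPV4_HDR + EOIP_GRE_HDR + ETH_HDR)


def clamp_is_sufficient(new_mss: int, path_mtu: int, inner_ipv6: bool = False) -> bool:
    """True if a fixed change-mss value cannot yield segments larger than path_mtu."""
    return new_mss <= tcp_mss_for(path_mtu, inner_ipv6)


def budget(link_mtu: int, pppoe: bool = False) -> dict:
    """Whole plan for one hub link: WireGuard MTU, MSS clamp values for IPv4
    and IPv6 inside the tunnel, and the EoIP MTU that fits inside WireGuard."""
    if pppoe:
        link_mtu = min(link_mtu, 1492)  # PPPoE header takes 8 bytes of a 1500 link
    wg_mtu = wireguard_mtu(link_mtu)
    eoip_mtu = eoip_mtu_for(wg_mtu)
    return {
        "link_mtu": link_mtu,
        "wireguard_mtu": wg_mtu,
        "mss_ipv4": tcp_mss_for(wg_mtu, False),
        "mss_ipv6": tcp_mss_for(wg_mtu, True),
        "eoip_mtu_inside_wg": eoip_mtu,
        "eoip_inner_mss_ipv4": tcp_mss_for(eoip_mtu, False),
    }


if __name__ == "__main__":
    for name, plan in (("fiber 1500", budget(1500)), ("pppoe 1492", budget(1500, pppoe=True))):
        print(name, plan)
```

Two things the arithmetic makes visible: a fixed new-mss=1350 is comfortably inside a 1420-byte WireGuard MTU (1350 + 40 = 1390), but a TCP stream that is itself carried inside EoIP has another 42 bytes of assumed overhead on top, so 1350 is too large for that inner path (the calculator reports 1338). Note also that a forward-chain change-mss rule matching protocol=tcp never sees TCP segments that arrive at the hub already wrapped in EoIP's GRE, which is why the EoIP interface's own MSS clamping option and MTU matter separately.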