1. Server has MSS = 1420.
Mikrotik configuration
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=-snip- endpoint-port=51820 interface=wireguard1 persistent-keepalive=15s public-key="RvCiqqxCP3PD43ttnsoRNJsvDzs1Rb/IrRguzcpp6G4="
20:10:13.877083 IP -snip-55118 > 151.101.65.67.https: Flags [S], seq 3727460725, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3017899 ecr 0], length 0
20:10:13.952138 IP 151.101.65.67.https > -snip-: Flags [P.], seq 1449:2897, ack 518, win 285, options [nop,nop,TS val 3508144898 ecr 3017968], length 1448
20:10:13.952146 IP -snip- > 151.101.65.67: ICMP -snip- unreachable - need to frag (mtu 1420), length 176
Any client-side MTU on wireguard1 is effectively ignored, packets are still mss=1460. On the other side, bumping the wireguard interface to 1500 on the server works, but with horrible performance, as everything is fragmented to hell.
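An added example, not part of the original post: a small Python check that reads the three tcpdump lines quoted above and compares the MSS offered in the SYN with the MTU reported in the ICMP "need to frag" message. It assumes IPv4 without IP options and the fixed TCP option sizes listed in `OPTION_SIZES`; the function names are hypothetical.

```python
import re

# Assumption: IPv4 without IP options; MSS excludes both 20-byte headers.
IP_HDR, TCP_HDR = 20, 20
# Wire sizes of the TCP options that appear in the capture.
OPTION_SIZES = {"mss": 4, "nop": 1, "wscale": 3, "sackOK": 2, "TS": 10}

MSS_RE = re.compile(r"Flags \[S\.?\],.*\bmss (\d+)")
FRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")
SEG_RE = re.compile(r"options \[([^\]]*)\], length (\d+)")

def option_bytes(options):
    """Sum the wire size of a tcpdump option list such as 'nop,nop,TS val 1 ecr 2'."""
    return sum(OPTION_SIZES.get(o.split()[0], 0) for o in options.split(",") if o.strip())

def ip_packet_size(line):
    """IP-layer size of a TCP segment line, or None for non-TCP lines."""
    m = SEG_RE.search(line)
    if not m:
        return None
    return IP_HDR + TCP_HDR + option_bytes(m.group(1)) + int(m.group(2))

def analyze(lines):
    """Compare the MSS offered in the SYN with the MTU reported by ICMP."""
    report = {"syn_mss": None, "path_mtu": None, "max_mss": None, "oversized": []}
    for line in lines:
        if m := MSS_RE.search(line):
            report["syn_mss"] = int(m.group(1))
        if m := FRAG_RE.search(line):
            report["path_mtu"] = int(m.group(1))
    mtu = report["path_mtu"]
    if mtu is not None:
        report["max_mss"] = mtu - IP_HDR - TCP_HDR  # largest MSS that fits the MTU
        report["oversized"] = [s for l in lines if (s := ip_packet_size(l)) and s > mtu]
    return report

# The three tcpdump lines from the post, addresses still snipped.
SAMPLE = [
    "20:10:13.877083 IP -snip-55118 > 151.101.65.67.https: Flags [S], seq 3727460725, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3017899 ecr 0], length 0",
    "20:10:13.952138 IP 151.101.65.67.https > -snip-: Flags [P.], seq 1449:2897, ack 518, win 285, options [nop,nop,TS val 3508144898 ecr 3017968], length 1448",
    "20:10:13.952146 IP -snip- > 151.101.65.67: ICMP -snip- unreachable - need to frag (mtu 1420), length 176",
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample, the data segment works out to a 1500-byte IP packet against a 1420-byte MTU, and the largest MSS that would fit is 1380.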