Some sites can't be accessed with WireGuard's default MTU 1420

Hello,
I am getting a weird issue with my site-to-site connection with WireGuard over the internet.

I have connected 2 sites with WireGuard and used iBGP to exchange some routes between the 2 sites over the internet.

I got everything working, but I found some websites are not working, the most problematic of which is GitHub.

wireguard wg10 {
    address xxx.xxx.xx.5/30 # This is a public IPv4 address
    description VPN-to-failover-BGP
    mtu 1420
    peer bubun {
        allowed-ips 0.0.0.0/0
        public-key xxxxxxxxxxxxxxxxxxxxxx
    }
    port 13231
    private-key xxxxxxxxxxxxxxxxxxxxxx
}

I found the problem is related to MTU. Increasing the MTU to 1500 on the wg10 interface fixes the issue, but doing so also drops the internet speed to 1/10th.

Is there any way of fixing the issue without decreasing the MTU?

I have connected VyOS to MikroTik RouterOS.

I connect to my home router using WireGuard when travelling and had an issue where duckduckgo.com didn't load, just when using the tunnel. Setting adjust-mss (TCP MSS clamping) to MTU-40 solved it for me:

set interface wireguard wg10 ip adjust-mss '1380'

1 Like

Hi bubundas17!

The issue with MTU changes is that you will depend on ICMP "packet too big" messages for every IP that you need to change the MTU on. This is not always trivial to get correct, and will often result in some sites not being reachable. This happens because your client thinks that all links are 1500 bytes in size every time, and your router needs to tell it that it won't work every time...

The reason for your performance drop when setting the WireGuard MTU to 1500 is that VyOS then needs to fragment every packet (split it in two) it sends that exceeds 1500 bytes on the wire. While this works, it does not scale for performance.

To solve this, VyOS supports functionality to inspect each packet and change the MSS (Maximum Segment Size) reported in the TCP sessions by your clients. This can be activated by using set interfaces wireguard wg10 ip adjust-mss clamp-mss-to-pmtu or set interfaces wireguard wg10 ip adjust-mss 1380. This will intercept the TCP session startup packets from your clients and change the value to the value you specify before sending them through the tunnel.

As for the MTU size: when changing the default MTU size, ensure that you use the same MTU size on both sides of your tunnel. Using different sizes on both ends will give you more trouble and is quite hard to troubleshoot, e.g. some systems will drop incoming packets exceeding the configured max MTU even if they're small enough to fit through the interface.

Doc reference: Ethernet — VyOS 1.5.x (circinus) documentation

2 Likes

Thank you @runar and @patient0
I tried adding both set interface wireguard wg10 ip adjust-mss '1380' and set interfaces wireguard wg10 ip adjust-mss clamp-mss-to-pmtu but it didn't fix the problem.

I had to add a mangle rule on the client side, and it worked. On the client side I am using MikroTik RouterOS 7.16.

/ip firewall mangle add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=wg1 passthrough=yes protocol=tcp tcp-flags=syn

It seems to be doing exactly the same thing as you guys said, but from the client side.

Thank you guys for your help :pray:

3 Likes
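As an added example (not code from this thread, from VyOS or from MikroTik), here is a Python model of what runar's adjust-mss setting and bubundas17's RouterOS change-mss mangle rule both do to a TCP SYN. It derives the 1420 and 1380 values used in the thread from the header sizes, builds a constructed IPv4 SYN (documentation addresses, not real hosts), rewrites the MSS option the way a router's clamping rule would, and patches the TCP checksum incrementally rather than recomputing it. The WireGuard data-message overhead (32 bytes) and the constructed packet are assumptions of the example; the rest is standard IPv4/TCP layout.

```python
import struct
from typing import Optional, Tuple

# Standard header sizes (bytes). WireGuard data-message overhead is assumed as
# 4 type/reserved + 4 receiver index + 8 counter + 16 Poly1305 tag = 32.
IPV4_HDR, IPV6_HDR, TCP_HDR, UDP_HDR, WG_OVERHEAD = 20, 40, 20, 8, 32

def wireguard_inner_mtu(outer_mtu: int = 1500, outer_is_ipv6: bool = True) -> int:
    """Largest tunnelled packet that fits one outer datagram: 1420 over IPv6, 1440 over IPv4."""
    return outer_mtu - (IPV6_HDR if outer_is_ipv6 else IPV4_HDR) - UDP_HDR - WG_OVERHEAD

def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """MSS to advertise for an interface MTU: strip IP and TCP headers (the 'MTU-40' rule for IPv4)."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR

def _checksum(data: bytes) -> int:
    """Internet (ones' complement) checksum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Construct an IPv4 packet carrying a TCP SYN with one MSS option (demo input, not a capture)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    options = struct.pack("!BBH", 2, 4, mss)  # kind 2 = MSS, length 4, value
    data_offset = (TCP_HDR + len(options)) // 4  # in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, 0x02, 65535, 0, 0) + options
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(tcp), 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp

def _mss_offset(packet: bytes) -> Optional[int]:
    """Offset of the 2-byte MSS value in a TCP SYN's option list, or None if absent / not a SYN."""
    if packet[9] != 6:  # IPv4 protocol field: not TCP
        return None
    tcp = (packet[0] & 0x0F) * 4  # IHL gives the start of the TCP header
    if not packet[tcp + 13] & 0x02:  # only SYN / SYN-ACK carry MSS
        return None
    end = tcp + (packet[tcp + 12] >> 4) * 4  # data offset marks the end of the options
    i = tcp + TCP_HDR
    while i < end:
        kind = packet[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding
            i += 1
            continue
        if i + 1 >= end or packet[i + 1] < 2:  # malformed length: stop parsing
            break
        if kind == 2 and packet[i + 1] == 4:
            return i + 2
        i += packet[i + 1]
    return None

def read_mss(packet: bytes) -> Optional[int]:
    off = _mss_offset(packet)
    return None if off is None else struct.unpack_from("!H", packet, off)[0]

def clamp_mss(packet: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """What an adjust-mss / change-mss rule does: lower the SYN's MSS option to max_mss if it is larger.

    Returns (packet, original MSS) when rewritten, (packet, None) when left untouched.
    The TCP checksum is patched incrementally (RFC 1624), as a router would, instead of recomputed.
    """
    off = _mss_offset(packet)
    if off is None:
        return packet, None
    old = struct.unpack_from("!H", packet, off)[0]
    if old <= max_mss:
        return packet, None
    new = bytearray(packet)
    struct.pack_into("!H", new, off, max_mss)
    csum_pos = (packet[0] & 0x0F) * 4 + 16
    hc = struct.unpack_from("!H", packet, csum_pos)[0]
    s = (~hc & 0xFFFF) + (~old & 0xFFFF) + max_mss  # HC' = ~(~HC + ~m + m')
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", new, csum_pos, ~s & 0xFFFF)
    return bytes(new), old

def verify_tcp_checksum(packet: bytes) -> bool:
    """Full recomputation over pseudo-header + segment; used here to check the incremental patch."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp) == 0

if __name__ == "__main__":
    syn = build_ipv4_syn("192.0.2.10", "198.51.100.20", 40000, 443, mss=1460)  # constructed
    clamped, original = clamp_mss(syn, mss_for_mtu(wireguard_inner_mtu()))
    print(f"MSS {original} -> {read_mss(clamped)}, checksum ok: {verify_tcp_checksum(clamped)}")
```

Running it prints the 1460 -> 1380 rewrite that either router performs on the SYN, which is why the tunnel works at MTU 1420 once clamping is in place: the peers never try to send a 1460-byte segment that would need an ICMP "packet too big" round trip or fragmentation. Clamping on one side only fixes connections whose SYN passes that rule in the clamping direction, which is consistent with the VyOS-side setting alone not being enough here and the client-side RouterOS rule completing the fix.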