Yes, true. Without a full unmasked config, this is just guessing, not debugging… I am happy that we were able to identify at least one problem.
In VyOS 1.3, MSS clamping is done in the forward hook, so we can use the output interface as a classifier for packets. It looks like this (only the MSS-related part is shown):
table ip mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
        counter packets 0 bytes 0 jump VYOS_FW_OPTIONS
    }
    chain VYOS_FW_OPTIONS {
        oifname "tun0" meta l4proto tcp tcp flags & (syn|rst) == syn counter packets 0 bytes 0 tcp option maxseg size set 1436
    }
}
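As an added example (not code from the post above or from the VyOS project), the following POSIX shell script derives a TCP MSS from a tunnel MTU and emits a stand-alone nftables ruleset equivalent to the VyOS 1.3 rule quoted above: clamp in the forward hook, classify on the output interface, match only on SYN (not RST) so established flows are left alone. The interface name tun0 and the MTU of 1476 are assumptions; the post does not state the tunnel's MTU, but 1476 minus 20 bytes of IPv4 header and 20 bytes of TCP header gives the 1436 shown. Because the rule lives in the forward hook, it only affects traffic routed through the box; TCP sessions the router itself originates pass through the output hook and are not clamped by it.

```shell
#!/bin/sh
# Added example, not from the forum post or from VyOS.
# Interface name and MTU passed in are assumptions for illustration.

# MSS for IPv4 = MTU minus minimum IPv4 header (20) and TCP header (20).
mss_for_mtu() {
    mtu="$1"
    # Refuse MTUs below the IPv4 minimum reassembly size; a tiny MSS is a misconfiguration.
    if [ "$mtu" -lt 576 ]; then
        printf 'MTU %s is too small\n' "$mtu" >&2
        return 1
    fi
    printf '%s\n' $((mtu - 40))
}

# MSS for IPv6 = MTU minus fixed IPv6 header (40) and TCP header (20).
mss6_for_mtu() {
    printf '%s\n' $(($1 - 60))
}

# Read the MTU of a live interface from sysfs (Linux only); returns 1 if absent.
mtu_of_iface() {
    f="/sys/class/net/$1/mtu"
    [ -r "$f" ] || return 1
    cat "$f"
}

# Emit a ruleset in the same shape VyOS 1.3 generates: the forward hook chain
# jumps to VYOS_FW_OPTIONS, which clamps MSS on SYNs leaving via the tunnel.
clamp_ruleset() {
    iface="$1"
    mss="$2"
    cat <<EOF
table ip mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
        counter jump VYOS_FW_OPTIONS
    }
    chain VYOS_FW_OPTIONS {
        oifname "$iface" meta l4proto tcp tcp flags & (syn|rst) == syn counter tcp option maxseg size set $mss
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it (needs nft; skipped otherwise).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        clamp_ruleset "$1" "$2" | nft -c -f -
    else
        printf 'nft not installed; skipping syntax check\n' >&2
    fi
}

# Usage: sh mss_clamp.sh tun0 1476   (prints the ruleset for an MTU-1476 tunnel)
if [ "$#" -eq 2 ]; then
    clamp_ruleset "$1" "$(mss_for_mtu "$2")"
fi
```

Run it with the tunnel's real MTU (ip link show tun0, or mtu_of_iface tun0) rather than a guessed one: an MSS larger than the path allows is exactly the condition clamping is meant to prevent, and an MSS smaller than necessary just costs throughput.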