On Tue, 22 Aug 2023 17:39:23 -0300 Luiz Angelo Daros de Luca wrote: > Hello, > > We noticed an issue with clients that use PPPoE and connect to WG > using IPv6. Both sides start to fragment the encrypted packet leading > to a severe degradation in performance. We reduced the wireguard MTU > from the default 1420 to 1400 and the issue was solved. However, I > wonder if it could be fixed with MSSFIX (in my case, nftables > equivalent). PPPoE adds 8 bytes of overhead so that an MTU of 1432 can be used. I also have to do this at home with my DSL line for example. The MTU should be set on each side (on both peers) for this to work. > The server does know that the remote address has a smaller MTU as it > fragments the packet accordingly when any VPN peer sends some traffic. Presumably the OS on the server does this and not WireGuard itself. I could imagine that the server first receives an ICMP Too big message and only then performs the fragmentation. > The traffic inside the VPN does adjust the TCP MSS to fit into vpn > interface MTU (1420 by default, now 1400). Keep in mind that TCP MSSFIX only applies to TCP and other Layer 4 protocols like UDP might still have problems. > I could dynamically add firewall rules to clamp MSS per authorized_ips > but, theoretically, the kernel has all the info to do that > automatically. I wonder if MSSFIX could detect the best MTU for a > specific address through the wireguard. It should consider the > peer-to-peer PMTU, the IP protocol wireguard is using and the normal > wireguard headers. As far as I know WireGuard does not do PMTU. -- Marek Küthe m.k@mk16.de er/ihm he/him