Development discussion of WireGuard
From: "Philipp S. Tiesel" <philipp@tiesel.net>
To: wireguard@lists.zx2c4.com
Subject: Wireguard packets over IPv6 are not fragmented to path MTU
Date: Sat, 28 Jan 2023 14:20:06 +0100
Message-ID: <CA8508EC-5233-4DA4-B9FC-0301C2BA9593@tiesel.net>

Hi,

I have an issue with WireGuard and IPv6 fragmentation where the kernel implementation keeps constantly emitting UDP packets which are too large for the path-MTU even though I see a correct path-MTU in the route cache.

Setup details:
- Tunnel endpoint A has an interface MTU of 9000
- Path between A and B does not block ICMPv6
- Path MTU is 1500
- First hop on the way from A to B has an MTU of 9000 and correctly emits ICMPv6 Packet Too Big
- Tunnel endpoint B has an interface MTU of 1500

As I have some customer traffic through the tunnel that requires an MTU of 1500, I would like to have the tunnel endpoints correctly fragment packets. This works as long as the interface MTU is equal to the path MTU, but fails otherwise.
If I switch from the Linux-kernel to the Go implementation, fragmentation also works as expected.

Does anyone have a hint where to start digging why the Linux implementation does not correctly fragment the UDP frames of the WireGuard tunnel if the path-MTU is smaller than the interface-MTU?

Software version on endpoint A:
- Debian Bookworm
- Debian Kernel 6.1.0-1-cloud-amd64
- wireguard-tools v1.0.20210914

AVE!
  Philipp S. Tiesel
--  
Philipp S. Tiesel
https://philipp.tiesel.net/
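
For reference when comparing against a packet capture, the outer IPv6 fragments the message above expects endpoint A to emit can be computed as below. This is an added example, not part of the original message or of WireGuard's code. It assumes a tunnel (wg device) MTU equal to the inner packet size, padding capped at that MTU, and no IPv6 extension headers other than the Fragment header.

```python
"""Expected IPv6 source fragmentation of one WireGuard data packet (added example)."""

IPV6_HDR = 40      # fixed IPv6 header
FRAG_HDR = 8       # IPv6 Fragment extension header
UDP_HDR = 8
WG_DATA_HDR = 16   # type + reserved (4), receiver index (4), counter (8)
WG_TAG = 16        # Poly1305 authentication tag
WG_PAD = 16        # plaintext is padded to a multiple of 16 bytes


def outer_packet_len(inner_len, tunnel_mtu):
    """Size of the unfragmented outer IPv6 packet carrying one inner packet."""
    if inner_len > tunnel_mtu:
        raise ValueError("inner packet does not fit the tunnel MTU")
    padded = -(-inner_len // WG_PAD) * WG_PAD
    padded = min(padded, tunnel_mtu)  # assumption: padding never exceeds the tunnel MTU
    return IPV6_HDR + UDP_HDR + WG_DATA_HDR + padded + WG_TAG


def fragment_plan(packet_len, path_mtu):
    """Return [(offset, data_len, on_wire_len)] for each packet the sender should emit."""
    if path_mtu < 1280:
        raise ValueError("IPv6 requires a link MTU of at least 1280")
    if packet_len <= path_mtu:
        return [(0, packet_len - IPV6_HDR, packet_len)]  # fits, no Fragment header
    remaining = packet_len - IPV6_HDR  # fragmentable part: UDP header + payload
    # Every fragment except the last carries a multiple of 8 bytes.
    per_frag = (path_mtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    plan, offset = [], 0
    while remaining > 0:
        data = min(per_frag, remaining)
        plan.append((offset, data, IPV6_HDR + FRAG_HDR + data))
        offset += data
        remaining -= data
    return plan


if __name__ == "__main__":
    # Constructed cases: path MTU 1500 as in the report, inner sizes chosen for illustration.
    for inner in (1420, 1500, 8920):
        outer = outer_packet_len(inner, tunnel_mtu=inner)
        print(f"inner={inner} outer={outer}")
        for off, data, wire in fragment_plan(outer, path_mtu=1500):
            print(f"  offset={off:5d} data={data:5d} on-wire={wire}")
```

Any outer packet in a capture on endpoint A that is larger than the on-wire sizes listed here exceeds the path MTU.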