Development discussion of WireGuard
 help / color / mirror / Atom feed
* Wireguard packets over IPv6 are not fragmented to path MTU
@ 2023-01-28 13:20 Philipp S. Tiesel
  0 siblings, 0 replies; only message in thread
From: Philipp S. Tiesel @ 2023-01-28 13:20 UTC (permalink / raw)
  To: wireguard


I have an issue with Wireguard and IPv6 fragmentation where the kernel implementation keeps constantly emitting UDP packets which are too large for the path-MTU despite I see a correct path-MTU in the route cache.

Setup details:
- Tunnel endpoint A has an interface MTU of 9000
- Path between A and B does not block ICMPv6
- Path MTU is 1500
- First hop on the way from A to B hats an MTU of 9000 and correctly emits ICMPv6 Packet Too Big
- Tunnel endpoint B has an interface MTU of 1500

As I have some customer traffic through the tunnel that requires an MTU of 1500, I would like to have the tunnel endpoints to correctly fragment packets. This works as long as the interface MTU is equal to the path MTU, but fails otherwise.
If I switch from the Linux-kernel to the Go implementation, fragmentation also works as expected.

Does anyone have hint where to start digging why the Linux implementation does not correctly fragment the UDP frames of the Wireguard tunnel if the path-MTU is smaller than the interface-MTU?

Software version on endpoint A:
- Debian Bookworm
- Debian Kernel 6.1.0-1-cloud-amd64
- wireguard-tools v1.0.20210914

  Philipp S. Tiesel
Philipp S. Tiesel

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2023-02-07  4:33 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-28 13:20 Wireguard packets over IPv6 are not fragmented to path MTU Philipp S. Tiesel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).