Hi,
i have a problem with the wireguard handshake. It does not succeed anymore after switching WAN from DHCP to PPPoE.
My setup consists of a PPPoE connection inside a VLAN to the provider network. I use an externally visible IPv6 address to connect the client. The wireguard configuration should be ok as i used the same before when i had a fritzbox in front of the router.
If i look at the Wireguard port on the WAN-interface (pppoe0) i see incoming and outgoing UDP packets. But the outgoing packets do have a incorrect checksum. My current assumption is that this is the reason why the handshake answer does not reach the client.
Because of this i disabled all hardware offload features on that interface as i read that this may cause problems for tcpdump. But there is still a checksum error for the outgoing wireguard packets (UDP packets of other sources are valid).
If i look at the MTU of the wg0 interface i think the default value (1420) is not correct as it does not account for the 8 bytes of the PPPoE header (only 80 bytes for Wireguard).
Because of this i changed the tunnel MTU inside the Wireguard settings to 1412. Afterwards ifconfig shows that the wg0 interface respects the setting. Sadly this does not solve the checksum problem.
if i look at the available interfaces i see an additional interface ("--help") which is also a member of the "tun"-group. I did not find any information regarding this interface. But it still has a MTU of 1420 despite my change.
Therefore i have the following questions:
- Is it possible that the "incorrect checksum" from tcpdump is only an artifact from the packet flow and the way tcpdump interacts with it? Is it, with deactivated hardware offload, possible that the checksum is correct even if tcpdump has a different opinion?
- If tcpdump is right, is it reasonable to assume that the incorrect checksum causes the packets to be dropped by someone later in the chain (provider,...)?
- Is it reasonable to assume that a incorrect MTU could cause such problems?
- What is the "--help" tun interface and how does it interact with the Wireguard-Interface? Is it a problem if it has a different MTU as the wg0-Interface?
- Are there other possible sources for the incorrect checksum?