No ruleset for wireguard + mtu question

Started by christianw, December 27, 2019, 09:52:26 AM

Hi,

I can't believe that I'm the first one with this issue, so it's probably rather a problem between my keyboard and my chair...

After I installed WireGuard, there is no ruleset (Firewall --> Rules) for the WireGuard interface. When I manually add a new interface "WireGuard", there will be two rulesets "WireGuard". After removing the just-added WireGuard interface, everything seems okay, so there is only one ruleset left.

Is that the intended workflow? :-)

And...

We have some UDP traffic from collectd through the WireGuard tunnel. Unfortunately about 50% of those packets will not pass the tunnel, because the WireGuard MTU is 1392 and those packets are > 1392.
IP 10.10.0.1.51518 > 172.16.200.6.2003: UDP, bad length 1393 > 1392

Does anybody have an idea for best practice? I think of UDP fragmentation, adjusting the collectd packet size (possible?) or WireGuard MTU changes.

Best regards...

WireGuard MTU can be changed in the local instance configuration. Normally the firewall should fragment those packets when they aren't set with the DF bit. If DF is set, change your local clients.

Don't assign an interface and label it WireGuard ... use something like WG0.
If the firewall tab doesn't appear after enabling WireGuard, go to a firewall rule (no matter which one), edit and save without changes, then it's there.
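To put numbers on the MTU part of the answer above, here is an added example (not code from OPNsense, WireGuard or collectd, and not posted by anyone in this thread). It computes the inner MTU a WireGuard tunnel can offer for a given outer link MTU, the largest UDP payload that still crosses a tunnel of a given MTU in one piece, and what happens to an oversize inner datagram depending on the DF bit; it also picks "bad length" lines out of tcpdump output like the one quoted in the first post, and shows how a Linux UDP client can clear or set DF itself. The header sizes are the fixed ones from the IPv4, IPv6, UDP and WireGuard formats; the 1392 tunnel MTU and the tcpdump line come from the thread, and the outer MTUs, payload sizes and the second tcpdump line are assumed for illustration.

```python
"""MTU budget for UDP datagrams carried through a WireGuard tunnel.

Added example for this thread, not code from OPNsense, WireGuard or collectd.
Header sizes are the fixed ones from the IPv4/IPv6/UDP/WireGuard formats; the
1392-byte tunnel MTU and the first tcpdump line are taken from the thread,
everything else (outer MTUs, sample payload sizes) is assumed for illustration.
"""
import re
import socket

IPV4_HDR = 20     # IPv4 header without options
IPV6_HDR = 40     # fixed IPv6 header
UDP_HDR = 8
# WireGuard transport-data message: 1 type + 3 reserved + 4 receiver index
# + 8 counter, then the encrypted inner packet followed by a 16-byte Poly1305 tag.
WG_OVERHEAD = 16 + 16


def wireguard_inner_mtu(outer_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner packet that fits one WireGuard datagram on a link of outer_mtu."""
    return outer_mtu - (IPV6_HDR if outer_ipv6 else IPV4_HDR) - UDP_HDR - WG_OVERHEAD


def max_udp_payload(tunnel_mtu: int, inner_ipv6: bool = False) -> int:
    """Largest UDP payload that crosses the tunnel as a single, unfragmented inner packet."""
    return tunnel_mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - UDP_HDR


def classify_datagram(payload_len: int, tunnel_mtu: int, df_set: bool,
                      inner_ipv6: bool = False) -> str:
    """What the firewall can do with an inner UDP datagram that reaches the tunnel.

    'passes'     - fits the tunnel MTU as-is
    'fragmented' - too big, but IPv4 without DF, so the firewall may fragment it
    'dropped'    - too big and either DF is set or it is IPv6 (routers never
                   fragment IPv6); the sender gets an ICMP "fragmentation needed"
                   / "packet too big" at best, silence if that ICMP is filtered
    """
    if payload_len <= max_udp_payload(tunnel_mtu, inner_ipv6):
        return "passes"
    if inner_ipv6 or df_set:
        return "dropped"
    return "fragmented"


# tcpdump prints "UDP, bad length X > Y" when the UDP length field X is larger
# than the Y bytes it actually had for the datagram, which is what the thread
# saw on the 1392-byte tunnel interface.
_BAD_LEN = re.compile(r"^IP (\S+) > (\S+): UDP, bad length (\d+) > (\d+)")


def oversize_from_tcpdump(lines):
    """Pick the oversize datagrams out of tcpdump output: (src, dst, udp_len, carried, excess)."""
    hits = []
    for line in lines:
        m = _BAD_LEN.match(line.strip())
        if m:
            src, dst = m.group(1), m.group(2)
            udp_len, carried = int(m.group(3)), int(m.group(4))
            hits.append((src, dst, udp_len, carried, udp_len - carried))
    return hits


def make_udp_sender(allow_fragmentation: bool) -> socket.socket:
    """IPv4 UDP socket whose DF bit is chosen explicitly (the "change your local clients" fix).

    IP_MTU_DISCOVER is a Linux socket option; on other systems the kernel default
    is kept and the return value is an ordinary UDP socket.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    opt = getattr(socket, "IP_MTU_DISCOVER", None)
    if opt is not None:
        mode = socket.IP_PMTUDISC_DONT if allow_fragmentation else socket.IP_PMTUDISC_DO
        s.setsockopt(socket.IPPROTO_IP, opt, mode)
    return s


# Constructed sample: the line quoted in the thread plus one datagram that fits.
SAMPLE_TCPDUMP = [
    "IP 10.10.0.1.51518 > 172.16.200.6.2003: UDP, bad length 1393 > 1392",
    "IP 10.10.0.1.51518 > 172.16.200.6.2003: UDP, length 200",
]

if __name__ == "__main__":
    for outer, v6 in ((1500, False), (1500, True), (1492, True)):
        print(f"outer MTU {outer} {'IPv6' if v6 else 'IPv4'}: inner MTU {wireguard_inner_mtu(outer, v6)}")
    print("max UDP payload on a 1392 MTU tunnel:", max_udp_payload(1392))
    for src, dst, udp_len, carried, excess in oversize_from_tcpdump(SAMPLE_TCPDUMP):
        print(f"{src} -> {dst}: UDP length {udp_len}, {excess} byte(s) over {carried}")
    for df in (True, False):
        print(f"1385-byte payload, DF={df}: {classify_datagram(1385, 1392, df)}")
    make_udp_sender(allow_fragmentation=True).close()
```

The value from max_udp_payload is the number to size the sender to if you would rather shrink the datagrams than rely on fragmentation; if I remember the collectd network plugin right, its MaxPacketSize option is the knob for that (check collectd.conf(5) before trusting me). Fragmentation only works for IPv4 without DF, so for IPv6 inside the tunnel the only options are a smaller sender packet size or a larger tunnel MTU on both ends.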

Hi mimugmail,

thank you. I'll try turning UDP fragmentation on at the client side.
The hint with saving some rules is what I was looking for. :-)