[SOLVED] Wireguard problems with 23.7.8 (TCP Retransmission, Ping works)

Started by robgnu, November 11, 2023, 12:35:22 PM

Hello everyone,

I am aware of some problems with the current stable version of OPNsense. I had a well-working firewall on 23.7.7, but one of our team has some problems with OpenVPN, so I decided to install WireGuard. The plugin installation forced me to upgrade to 23.7.8 first. (This is not a nice thing. I think it should be possible to install a plugin with a version that is one or two minor releases behind.)

After installation I lost IPv6 connectivity, which could be solved with a command @franco posted here. (Thanks!)

Now the problem: After configuring and connecting via WireGuard, I am able to ping all machines through the tunnel behind the OPNsense. But when I try to connect via SSH or RDP to a machine, this does not work. It makes no difference whether I use IPv4 or IPv6.

You can find a WireGuard screenshot in this post:
- Lines 1-8 show the working ping from the client (192.168.98.2) to a machine behind the firewall (192.168.100.250).
- Lines 9-34 show the packets when I try to connect via SSH. The connection failed (timeout).

Any ideas what may be the problem here?

Thanks!
Robert

Try going into Firewall, NAT, Outbound and hit save. I have a similar problem.

Looks like the typical MTU problem.
WireGuard has an overhead of 60 bytes (IPv4) or 80 bytes (IPv6). That's what you have to subtract from the regular interface.
WG defaults to 1420, which is valid if your WAN has an MTU of 1500 bytes (e.g. cable connection).
But DSL over PPPoE has 1492, which makes it 1412 for WG when the tunnel is established via IPv6. But you may even have to go further down. I have here a mobile network that operates on MTU=1472.
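
The overhead figures from the reply above, combined with a probe for the real path MTU, as an added example that is not part of the original thread. It assumes Linux iputils `ping` (where `-M do` prohibits fragmentation); `ping_df`, `path_mtu` and `wg_mtu` are hypothetical helper names, and the 1280 to 1500 search range is an assumption.

```python
import subprocess
import sys

# Tunnel overhead in bytes per outer IP family, as quoted in the reply above.
WG_OVERHEAD = {4: 60, 6: 80}
# IP header + ICMP echo header: ping's -s value counts payload only.
IP_ICMP_HEADERS = {4: 20 + 8, 6: 40 + 8}


def ping_df(host, payload, family=4):
    """Send one echo request with fragmentation prohibited.

    Assumes Linux iputils ping; other platforms use different flags.
    """
    cmd = ["ping", f"-{family}", "-M", "do", "-c", "1", "-W", "1",
           "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def path_mtu(host, family=4, probe=ping_df, low=1280, high=1500):
    """Binary-search the largest packet size that passes unfragmented.

    Returns None if even the lower bound does not get through.
    """
    hdr = IP_ICMP_HEADERS[family]
    if not probe(host, low - hdr, family):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(host, mid - hdr, family):
            low = mid          # mid fits, search upwards
        else:
            high = mid - 1     # mid is too big, search downwards
    return low


def wg_mtu(wan_mtu, outer_family):
    """MTU for the WireGuard interface given the MTU of the carrying path."""
    return wan_mtu - WG_OVERHEAD[outer_family]


if __name__ == "__main__":
    # Usage: script.py <endpoint-host> <4|6>  (family the tunnel runs over)
    host, family = sys.argv[1], int(sys.argv[2])
    mtu = path_mtu(host, family)
    if mtu is None:
        sys.exit(f"{host} did not answer even at the lower bound")
    print(f"path MTU {mtu}, WireGuard MTU {wg_mtu(mtu, family)}")
```

Run it from the client against the tunnel endpoint's public address, using the IP family the tunnel is established over, since that determines which overhead applies.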

Hi schmuessla,

Thank you for your hint. You are right!
I changed the MTU from (empty) to 1412 and the connection works fine. Thank you very much!

Nevertheless, there must have been a change recently, because other installations work without manual adjustment.

Best regards
Robert