[SOLVED] WireGuard tunnel to VPN provider - MTU causing SSL issues

[TheHellSite]

Hello,

I just discovered some MTU issues with the WireGuard connection to my VPN provider.

Some insights
- OPNsense latest updates
- ISP requires PPPoE over VLAN_7 on WAN
- both WAN and LAN use IPv4 only
- local wg interface MTU=1432
- WireGuard kmod package installed
- selective routing to external VPN provider (AirVPN)

Since my WAN is using PPPoE and I am only using IPv4 I did set the local wireguard interface to MTU 1432.
Which should be totally fine: https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html

My OPNsense connects to my external VPN provider as a "client" (peer) and routes all the traffic of my VPN-enabled_VLAN through this WireGuard tunnel.

MTU causing SSL issues
What I recently noticed is that ALL clients of the VPN-enabled_VLAN have issues with SSL connections when being routed through the WireGuard tunnel. So I started tweaking the MTU of the OPNsense WireGuard interface which didn't solve the issue.

I then stumbled across this post: https://airvpn.org/forums/topic/49877-completed-wireguard-beta-testing-available/page/4/?tab=comments#comment-170785
The author is describing the exact same issue and said a workaround is to lower the MTU of the clients to 1392. So I tested this and it worked - no more SSL issues. I then raised the MTU until the problem occurred again.

Workaround
Set OPNsense WireGuard interface MTU=1412.

Question
Is there any other way of solving this without changing the MTU of each client device / VM that is using the VPN-enabled_VLAN?


Final solution

https://airvpn.org/forums/topic/49877-completed-wireguard-beta-testing-available/page/9/?tab=comments#comment-195875

1. Set the MTU value in the WireGuard tunnel configuration.
OPNsense --> VPN --> WireGuard --> Local --> NAME_OF_WG_TUNNEL --> MTU=1420

2. Create firewall normalization rule.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html#step-6a-create-normalization-rules

3. Note
I personally have to use MTU=1412 and MSS=1352 since my WAN requires PPPoE.

[9axqe]

Hi,

are you saying that configuring MTU on wireguard intf and on the physical WAN intf removes the requirement for configuring MTU on each client?

If not, would configuring MTU = <WAN MTU> - (40+8+4+4+8+16) on the **LAN interface** remove the need to configure on each client?

[9axqe]

It seems the max MTU I can get is 1300 somehow (tested using 'ping 1.1.1.1 -D -c 1 -s 1300'). Which is fine for me. The problem really remains that I have to manually configure it on each client. It's just not manageable on my home network...

Somehow I would have thought PMTU discovery would solve this but it does not (and I suspect it's a client issue, not an opnsense issue). Some clients at least to a path discovery per destination IP. I see the logic, but at some point when the MTU turns out to be 1300 for all IPs, the client should be smart enough to just do 1300 by default, at least until there's a network change event...