Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
[SOLVED] WireGuard tunnel to VPN provider - MTU causing SSL issues
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] WireGuard tunnel to VPN provider - MTU causing SSL issues (Read 3147 times)
TheHellSite
Full Member
Posts: 231
Karma: 83
[SOLVED] WireGuard tunnel to VPN provider - MTU causing SSL issues
«
on:
September 22, 2022, 03:15:48 pm »
Hello,
I just discovered some MTU issues with the WireGuard connection to my VPN provider.
Some insights
- OPNsense latest updates
- ISP requires PPPoE over VLAN_7 on WAN
- both WAN and LAN use IPv4 only
- local wg interface MTU=1432
- WireGuard kmod package installed
- selective routing to external VPN provider (AirVPN)
Since my WAN is using PPPoE and I am only using IPv4 I did set the local wireguard interface to MTU 1432.
Which should be totally fine:
https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html
My OPNsense connects to my external VPN provider as a "client" (peer) and routes all the traffic of my VPN-enabled_VLAN through this WireGuard tunnel.
MTU causing SSL issues
What I recently noticed is that ALL clients of the VPN-enabled_VLAN have issues with SSL connections when being routed through the WireGuard tunnel. So I started tweaking the MTU of the OPNsense WireGuard interface which didn't solve the issue.
I then stumbled across this post:
https://airvpn.org/forums/topic/49877-completed-wireguard-beta-testing-available/page/4/?tab=comments#comment-170785
The author is describing the exact same issue and said a workaround is to lower the MTU of the clients to 1392. So I tested this and it worked - no more SSL issues. I then raised the MTU until the problem occurred again.
Workaround
Set OPNsense WireGuard interface MTU=1412.
Question
Is there any other way of solving this without changing the MTU of each client device / VM that is using the VPN-enabled_VLAN?
Final solution
https://airvpn.org/forums/topic/49877-completed-wireguard-beta-testing-available/page/9/?tab=comments#comment-195875
1. Set the MTU value in the WireGuard tunnel configuration.
OPNsense --> VPN --> WireGuard --> Local --> NAME_OF_WG_TUNNEL --> MTU=1420
2. Create firewall normalization rule.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html#step-6a-create-normalization-rules
3. Note
I personally have to use MTU=1412 and MSS=1352 since my WAN requires PPPoE.
«
Last Edit: February 28, 2024, 05:45:01 pm by TheHellSite
»
Logged
All of my posts are submitted with the best of knowledge and belief.
My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating:
https://www.buymeacoffee.com/thehellsite
9axqe
Full Member
Posts: 201
Karma: 4
Re: [SOLVED] WireGuard tunnel to VPN provider - MTU causing SSL issues
«
Reply #1 on:
August 10, 2023, 02:47:50 pm »
Hi,
are you saying that configuring MTU on wireguard intf and on the physical WAN intf removes the requirement for configuring MTU on each client?
If not, would configuring MTU = <WAN MTU> - (40+8+4+4+8+16) on the **LAN interface** remove the need to configure on each client?
Logged
9axqe
Full Member
Posts: 201
Karma: 4
Re: [SOLVED] WireGuard tunnel to VPN provider - MTU causing SSL issues
«
Reply #2 on:
September 02, 2023, 06:25:40 pm »
It seems the max MTU I can get is 1300 somehow (tested using 'ping 1.1.1.1 -D -c 1 -s 1300'). Which is fine for me. The problem really remains that I have to manually configure it on each client. It's just not manageable on my home network...
Somehow I would have thought PMTU discovery would solve this but it does not (and I suspect it's a client issue, not an opnsense issue). Some clients at least to a path discovery per destination IP. I see the logic, but at some point when the MTU turns out to be 1300 for all IPs, the client should be smart enough to just do 1300 by default, at least until there's a network change event...
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
[SOLVED] WireGuard tunnel to VPN provider - MTU causing SSL issues