WireGuard site2site MTU setting advice?

Started by jwest, March 05, 2024, 08:05:46 PM

I have two locations. For each one there is a roadwarrior (WireGuard) setup which is instance 1. Then there is a site to site VPN set up between the two (WireGuard) which is instance 2. All this works well, but I'm curious about a point in the instructions maybe someone can advise on.

In the official OPNsense WireGuard site2site instructions (https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html) under step 4A and 4B there is a section that mentions setting up a normalization rule to prevent WireGuard from trying to stuff 1500 bytes inside a 1500 byte packet. I omitted that step on each side. Not the whole step, I did add the rule to allow traffic, just the normalization rule I skipped.

It seems to work fine, but I noticed that when I look at the site2site interfaces they list 1420 as the MTU. Would this not indicate that without the rule, something is already smart enough to reduce the MTU? Or am I missing something still necessary? 1420 sounds about right, but the doc page says use less than or equal to 1380. I feel like I'm missing some understanding... Any thoughts MOST appreciated!

You can read about it here:
https://github.com/opnsense/docs/pull/498

The MTU (packet size with headers) should be 1420 or below, and the MSS (payload inside the packet) should be 40-60 bytes lower.
Hardware:
DEC740
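
The arithmetic behind the 1420 interface MTU and the "40-60 bytes lower" MSS, as an added example that is not part of the thread or the OPNsense docs. The function names are hypothetical and the link MTUs are sample inputs; the header sizes are the standard IPv4/IPv6, UDP, TCP and WireGuard data-message sizes.

```python
# Added example: header sizes are protocol constants, link MTUs are sample inputs.
IP_HDR = {4: 20, 6: 40}      # IPv4 without options / IPv6 fixed header
UDP_HDR = 8
WG_DATA_OVERHEAD = 16 + 16   # WireGuard data header + Poly1305 authentication tag
TCP_HDR = 20                 # TCP header without options


def tunnel_mtu(link_mtu, outer_ip):
    """Largest inner packet that fits in one outer packet on this link."""
    return link_mtu - IP_HDR[outer_ip] - UDP_HDR - WG_DATA_OVERHEAD


def mss_for(mtu, inner_ip):
    """TCP payload that fits in one inner packet of size `mtu`."""
    return mtu - IP_HDR[inner_ip] - TCP_HDR


def outer_size(inner_len, outer_ip):
    """Size on the wire of an inner packet after WireGuard encapsulation."""
    return inner_len + WG_DATA_OVERHEAD + UDP_HDR + IP_HDR[outer_ip]


def plan(link_mtu=1500):
    """Settings that are safe whichever IP version carries the tunnel."""
    mtu = min(tunnel_mtu(link_mtu, v) for v in (4, 6))
    return {"mtu": mtu, "mss_ipv4": mss_for(mtu, 4), "mss_ipv6": mss_for(mtu, 6)}


def fits(mss, inner_ip, outer_ip, link_mtu=1500):
    """Does a full TCP segment with this MSS cross the link unfragmented?"""
    inner_len = mss + TCP_HDR + IP_HDR[inner_ip]
    return outer_size(inner_len, outer_ip) <= link_mtu


if __name__ == "__main__":
    print("Ethernet (1500):", plan())
    print("PPPoE    (1492):", plan(1492))
    # An unclamped 1460-byte MSS (normal for a 1500-byte LAN) does not fit:
    print("MSS 1460 fits:", fits(1460, 4, 4))
    print("MSS 1380 fits:", fits(1380, 4, 6))
```

The MTU bounds every packet entering the tunnel, while the MSS clamp only tells TCP endpoints on either side how much payload to put in each segment.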

Ah thanks for the link, read it all and I'm off and running. Thanks so much!