Persistent MTU change for Wireguard Site-to-Site VPN
Hi Firewalla Community,
I've diagnosed an issue on my Wireguard Site-to-Site VPN between two Firewalla Golds down to the default MTU setting on the VPN pipe. The default 1412 is too high and manually setting this to 1300 resolves my dropped packet issue between the two sites.
I can manually change the MTU on the VPN pipe once it is up with:
sudo ip link set dev wg0 mtu 1300
equivalent command on the other end
But I need to persist this between Firewalla reboots and between the VPN dropping and reconnecting. I'm familiar with custom scripting for Firewalla (https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting) but am not sure about how best to tie into resetting the MTU when the VPN tunnel is reconnected. I tried creating a script and placing it in /etc/network/if-up.d but the script isn't getting called when the VPN tunnel comes back up. I could set up a cron job that runs every few minutes, but that feels a bit too hackish.
Any suggestions on how best to tie into network interface changes on the Firewalla device?
Thanks,
Alan
-
I have a separate support ticket (87028) that has been open working through this issue. And based on additional testing on my part have clearly nailed down the problem with the MTU on the VPN Tunnel. And I've confirmed that manually setting the MTU to 1300 on each end of the tunnel resolves all the problems I've had. Comcast on one end and Comcast Community wifi on the other end. And yes there are other Wireguard VPNs on these Firewallas.
So I know MTU is the issue and solution. Now I just need to figure out the best way to persist a change.
-
I ended up making a user cron job that runs every 5 minutes on each firewall to set the MTU on the connection. This is working and the site-to-site VPN is functional. I have SNMP enabled on my firewalls and do see a higher number of packet errors than I'd like on the server side of the site-to-site VPN -- but it doesn't appear to be impacting functionality.
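The cron approach above works, but a periodic job that blindly runs `ip link set` every five minutes rewrites the link even when nothing changed and leaves no trace of when the MTU was actually reset. Below is an added example, not code from the thread or from Firewalla, of an idempotent MTU enforcer: it reads the current MTU of the tunnel, changes it only when it differs from the wanted value, and logs each correction. The interface name wg0 and the target 1300 are taken from the thread; the script name wg-mtu.sh, the `--apply` flag, the logger tag and the cron line are assumptions of this example. The ping helper at the end covers the packet-size probing described later in the thread: for IPv4 ICMP, an on-wire packet of a given size needs a payload 28 bytes smaller (20-byte IP header plus 8-byte ICMP header).

```shell
#!/bin/sh
# Added example (not from the thread or from Firewalla): idempotent MTU enforcer
# for a WireGuard interface. Safe to run every few minutes from cron or from an
# interface hook, because it only touches the link when the MTU is wrong.
# Assumed names: wg0 and 1300 come from the thread; WG_IF/WANT_MTU, the
# "--apply" flag and the "wg-mtu" logger tag are this example's own choices.

WG_IF="${WG_IF:-wg0}"
WANT_MTU="${WANT_MTU:-1300}"

# Pull the MTU out of one "ip -o link show dev <if>" line, e.g.
#   3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1412 qdisc noqueue state UNKNOWN ...
# Prints the number, or nothing if there is no "mtu N" token in the line.
mtu_from_ip_link() {
    printf '%s\n' "$1" | sed -n 's/.* mtu \([0-9][0-9]*\).*/\1/p'
}

# Live MTU of an interface; empty string when the interface does not exist
# (e.g. while the tunnel is down), so the caller can skip instead of failing.
current_mtu() {
    mtu_from_ip_link "$(ip -o link show dev "$1" 2>/dev/null)"
}

# Decide what to do given the current and wanted MTU. Kept free of side effects
# so it can be exercised without root or a WireGuard interface present.
#   prints "absent" when the interface is missing, "ok" when nothing to do,
#   "set" when the link needs to be changed.
mtu_action() {
    cur="$1"; want="$2"
    if [ -z "$cur" ]; then
        echo "absent"
    elif [ "$cur" -eq "$want" ]; then
        echo "ok"
    else
        echo "set"
    fi
}

# ICMP payload size that produces an IPv4 packet of the given total size:
# 20-byte IPv4 header + 8-byte ICMP header = 28 bytes of overhead.
# Useful for "ping -M do -s <payload>" style probing of the path MTU.
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Apply the wanted MTU if and only if it differs from the live value.
enforce_mtu() {
    cur=$(current_mtu "$WG_IF")
    case "$(mtu_action "$cur" "$WANT_MTU")" in
        absent) logger -t wg-mtu "$WG_IF not present, nothing to do" ;;
        ok)     : ;;
        set)    ip link set dev "$WG_IF" mtu "$WANT_MTU" && \
                logger -t wg-mtu "$WG_IF mtu $cur -> $WANT_MTU" ;;
    esac
}

# Only act when invoked with --apply, so the file can also be sourced for its
# functions (or run by a test harness) without needing root.
if [ "${1:-}" = "--apply" ]; then
    enforce_mtu
fi
```

A crontab line such as `*/5 * * * * /path/to/wg-mtu.sh --apply` (path assumed) gives the same effect as the job described above, but the link is only rewritten when the MTU has actually reverted, and each correction shows up in syslog under the wg-mtu tag, which makes it easy to confirm how often the reconnect or reboot is resetting it. Where the WireGuard configuration file is yours to edit, wg-quick honours an `MTU = 1300` line in the `[Interface]` section, which is the cleaner fix; the box-managed configuration on Firewalla is the reason the thread reaches for an external hook instead.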
-
If you use IPv6 you'll find that your minimum MTU should be around 1280 or a little north of that; I've found 1320 to work best in almost every case with a travel router behind 2-3 different mobile providers.
https://blog.cloudflare.com/increasing-ipv6-mtu/
I had support update the MTU on my mesh at one point and it was working great, but apparently a reboot (happens frequently with the travel router) or touching other configuration related to the Mesh VPN (like adding a new device) can reset the MTU to the higher default that doesn't function.
-
I'm not usually a fan of macOS for networking, but the fact that you can adjust the packet size of ping easily allowed me to send arbitrarily sized packets across the mesh VPN connection and determine when things were breaking, and 1320 as the MTU was successful 100% of the time in my testing.