Persistent MTU change for WireGuard Site-to-Site VPN

Comments

7 comments

  • Firewalla

    Most of the time you shouldn't need to change the MTU between the client and the server side. May I know what ISP are you using? (or the protocol being used on the WAN side of both sites?)

    Are you running other VPN protocols over the WireGuard VPN?

  • Alan

    I have a separate support ticket (87028) that has been open working through this issue. And based on additional testing on my part have clearly nailed down the problem with the MTU on the VPN Tunnel. And I've confirmed that manually setting the MTU to 1300 on each end of the tunnel resolves all the problems I've had. Comcast on one end and Comcast Community wifi on the other end. And yes there are other Wireguard VPNs on these Firewallas. 

    So I know MTU is the issue and solution. Now I just need to figure out the best way to persist a change.

  • Firewalla Team

    Our engineer will work with you on support ticket 87028.

  • tahoe250

    Is there any update to this? I am also looking to adjust the MTU.

  • Alan

    I ended up making a user cron job that runs every 5 minutes on each firewall to set the MTU on the connection. This is working and the site-to-site VPN is functional. I have SNMP enabled on my firewalls and do see a higher number of packet errors than I'd like on the server side of the site-to-site VPN -- but it doesn't appear to be impacting functionality. 

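The cron approach described above, written out as an added example that is not code from the thread or from Firewalla: a POSIX shell script meant to be called from a crontab entry every five minutes. It reads the live MTU from sysfs and only calls `ip link set` when the value differs from the one wanted, so a normal run is a no-op and the interface is not bounced needlessly. The interface name `wg0`, the `WG_IFACE`/`WG_MTU` environment variables, the `wg-mtu` syslog tag and the script path in the crontab line are all assumptions; substitute the values for your own tunnel.

```shell
#!/bin/sh
# Added example (not from the thread or Firewalla): keep a WireGuard
# interface at a fixed MTU from a cron job, re-applying only when needed.
# Assumptions: Linux host with iproute2; interface name and desired MTU
# come from the environment (placeholder defaults below).

IFACE="${WG_IFACE:-wg0}"      # assumed interface name; adjust per site
DESIRED="${WG_MTU:-1300}"     # the value the thread found to work

# Extract the "mtu N" field from one line of `ip -o link show dev X` output.
parse_mtu_link_line() {
    printf '%s\n' "$1" | sed -n 's/.* mtu \([0-9][0-9]*\) .*/\1/p'
}

# Read the live MTU for an interface from sysfs (no root needed).
current_mtu() {
    cat "/sys/class/net/$1/mtu" 2>/dev/null
}

# Return 0 (true) when the interface MTU differs from the desired value.
needs_change() {
    [ "$1" != "$2" ]
}

# Sanity-check a candidate MTU: IPv6 needs at least 1280 and the outer
# Ethernet path caps it at 1500 (WireGuard's usual default is 1420).
valid_mtu() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1280 ] && [ "$1" -le 1500 ]
}

# Apply the desired MTU only if it differs, logging what was done.
ensure_mtu() {
    iface="$1"; want="$2"
    valid_mtu "$want" || { echo "refusing MTU $want" >&2; return 1; }
    have="$(current_mtu "$iface")"
    [ -n "$have" ] || { echo "no such interface $iface" >&2; return 1; }
    if needs_change "$have" "$want"; then
        ip link set dev "$iface" mtu "$want" && \
            logger -t wg-mtu "$iface: MTU $have -> $want"
    fi
}

# Only touch the interface when explicitly asked (e.g. from cron).
case "${1:-}" in
    apply) ensure_mtu "$IFACE" "$DESIRED" ;;
esac
```

A crontab line of the form `*/5 * * * * /path/to/wg-mtu.sh apply` (path is a placeholder) gives the five-minute cadence mentioned above. Because the script logs each change with `logger`, the syslog entries also tell you how often something is resetting the MTU, which is useful evidence when following up with support.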
  • Ethan S

    If you use IPv6 you'll find that your minimum MTU should be around 1280 or a little north of that, I've found 1320 to work best in almost every case with a travel router behind 2-3 different mobile providers.

    https://blog.cloudflare.com/increasing-ipv6-mtu/

    I had support update the MTU on my mesh at one point and it was working great, but apparently a reboot (happens frequently with the travel router) or touching other configuration related to the Mesh VPN (like adding a new device) can reset the MTU to the higher default that doesn't function.

  • Ethan S

    I'm not usually a fan of macOS for networking, but the fact that you can adjust the packet size of ping easily allowed me to send arbitrarily sized packets across the mesh VPN connection and determine when things were breaking, and 1320 as the MTU was successful 100% of the time in my testing.

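The ping-based sizing test described above, as an added example that is not the commenter's own script: it binary-searches the ping payload size with the don't-fragment bit set and reports the largest IPv4 MTU that crosses the tunnel without fragmentation, so the value you persist is measured rather than guessed. It assumes a Linux `ping` (`-M do`) or macOS `ping` (`-D`), IPv4 through the tunnel, and a reachable host on the far side; `PROBE_TARGET` and its default address are placeholders. The search function takes the probe as a parameter so it can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): find the largest MTU that crosses
# a tunnel without fragmentation by binary-searching ping payload sizes.
# Assumes Linux ping (-M do) or macOS ping (-D) and IPv4 inside the
# tunnel; TARGET is a placeholder for a host on the far side.

TARGET="${PROBE_TARGET:-10.0.0.1}"   # placeholder far-side address

# ICMP echo payload for a given IPv4 MTU: 20-byte IP + 8-byte ICMP header.
# (For IPv6 the overhead would be 40 + 8 = 48 bytes instead.)
payload_for_mtu() { echo $(( $1 - 28 )); }
mtu_for_payload()  { echo $(( $1 + 28 )); }

# Real probe: one don't-fragment ping with the given payload; 0 on success.
ping_probe() {
    size="$1"
    case "$(uname -s)" in
        Darwin) ping -c 1 -W 1000 -D -s "$size" "$TARGET" >/dev/null 2>&1 ;;
        *)      ping -c 1 -W 1 -M do -s "$size" "$TARGET" >/dev/null 2>&1 ;;
    esac
}

# Binary search between lo and hi MTU using any probe function that
# returns 0 when a payload of the given size gets through unfragmented.
# Prints the largest working MTU, or 0 if none in the range worked.
find_max_mtu() {
    probe="$1"; lo="$2"; hi="$3"
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$(payload_for_mtu "$mid")"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Run the live search only when asked: ./probe.sh run
case "${1:-}" in
    run) echo "largest working MTU: $(find_max_mtu ping_probe 1280 1500)" ;;
esac
```

The lower bound of 1280 is the IPv6 minimum link MTU referenced in the Cloudflare post above, and 1500 is plain Ethernet; the search needs only about eight probes to settle between them. Run it from each side of the tunnel, since the two WAN paths can differ, and persist the smaller result.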
