Wireguard - Reworked wireguard s2s completely & added MTU + MSS to wireguard client #498
Conversation
@Monviech why "subtract at least 80 bytes from the Wireguard MTU"? Should that not be 40 bytes? Or is there a reason for 80?
You are right, I guess I mixed something up. The usual header size for IPv4 is 20 bytes and for IPv6 it's 40 bytes. The WireGuard header is 32 bytes. I just wanted to add some more margin for header extensions, but they're not usually used and I don't have any actual numbers for them. Please give me feedback and I'll adjust the numbers in the PR.
The default WireGuard MTU is 1420, since that'll work for both IPv4 and IPv6 on a 1500 MTU interface. Then, to have an IPv4 TCP connection within the WireGuard tunnel, the highest MSS you can have is 1380; for IPv6 TCP, it's 1360. Useful tool: you can keep adding the header sizes for whatever type of traffic will be happening.
That's a really useful tool, thanks for sharing. I will double check everything. 👍
Really you should have two normalization rules, one for IPv4 and one for IPv6, so you can squeeze the most out of the tunnel. Plus most people will be doing IPv4 anyways. I think setting IPv4 or IPv6 on the protocol would do it 🤔. I don't have IPv6 set up on my network at all to test it.
I mean you could also create different rules for UDP and TCP because their header sizes differ too. My goal was more of a catch-all rule in order to mitigate connections not establishing. For performance tweaking you could do a whole bunch of specialized rules, you are right there.
Far as I'm aware you can only MSS clamp on TCP.
Yes, you are right again. For UDP only the MTU seems to matter. I was just confused about the fact that you can choose multiple protocols in the normalization rules, but the same mask applies also for DSCP etc.
@FingerlessGlov3s EDIT: Going back to draft until my discussion with FingerlessGlov3s about the changes is resolved.
There's IPv6 on the list but I'm not entirely sure if that's a certain type of traffic or all IPv6. Feels like the IP version is missing from that page; it should probably be there. I'd just do one rule saying to use 1360 (PPPoE 1352) if you have IPv6 traffic or 1380 (PPPoE 1372) if you only have IPv4 traffic. That's probably as good as it gets for now 🙂
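The header arithmetic behind the figures traded in the thread (1420 tunnel MTU, 1380/1360 MSS, 1372/1352 behind PPPoE), as an added example that is not part of the PR or the OPNsense docs. Header sizes are the standard ones; the `pppoe` flag and the `clamp_values` helper are assumptions of this example, and WireGuard's padding of the inner packet to a 16-byte boundary is ignored, as in the thread's figures.

```python
# Added example: derive WireGuard tunnel MTU and TCP MSS clamp values from header sizes.
# Not code from the OPNsense documentation; the PPPoE handling and clamp_values() are
# this example's own assumptions.
IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 20
WG_HDR = 32          # WireGuard data message: type(4) + receiver(4) + counter(8) + auth tag(16)
PPPOE_OVERHEAD = 8   # PPPoE session header (6) + PPP protocol field (2) on a 1500-byte link


def wireguard_mtu(link_mtu=1500, outer_ip=6, pppoe=False):
    """Largest tunnel MTU whose encrypted UDP datagram still fits the underlay link.

    Sizing for an IPv6 outer header (the larger one) is what makes 1420 safe for
    both IPv4 and IPv6 endpoints on a 1500-byte link, as stated in the thread.
    Inner-packet padding to 16 bytes is ignored here, matching the thread's numbers.
    """
    outer = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    ip_hdr = IPV6_HDR if outer_ip == 6 else IPV4_HDR
    return outer - ip_hdr - UDP_HDR - WG_HDR


def tcp_mss(tunnel_mtu, inner_ip=4):
    """Largest TCP payload that fits in one packet of the given tunnel MTU."""
    ip_hdr = IPV6_HDR if inner_ip == 6 else IPV4_HDR
    return tunnel_mtu - ip_hdr - TCP_HDR


def clamp_values(link_mtu=1500, pppoe=False):
    """Single catch-all rule values as argued in the thread: size the tunnel for the
    worst-case (IPv6) outer header, then clamp MSS for IPv6 payload if any IPv6
    crosses the tunnel, otherwise for IPv4 payload only."""
    mtu = wireguard_mtu(link_mtu, outer_ip=6, pppoe=pppoe)
    return {
        "mtu": mtu,
        "mss_ipv4_only": tcp_mss(mtu, inner_ip=4),
        "mss_with_ipv6": tcp_mss(mtu, inner_ip=6),
    }


if __name__ == "__main__":
    for pppoe in (False, True):
        print("PPPoE" if pppoe else "Ethernet", clamp_values(pppoe=pppoe))
```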
Normalization rules should have different MSS values for either IPv4, or IPv4+IPv6. Changed the protocol back to any, since I'm unsure if selecting TCP only means IPv4 TCP, since there is also only IPv6 selectable.
- Omitted Source Port in Firewall rules
- Added tip and note about dynamic WAN IP
- Changed Local to Instance
- Changed Endpoint to Peer
- Added information about CARP vhid tracking to mitigate HA problems.
- Added note about Keepalive for NATed sites.
@mimugmail
@Monviech thanks for incorporating the new GUI terminology of 23.7.6 already! Came here to say that, but now I can shut up :)
@Monviech thanks!
https://forum.opnsense.org/index.php?topic=35877.0
I've seen this a few times so I added a section to the Wireguard site2site and roadwarrior to guide users into configuring MTU and MSS.