Netgate Discussion Forum

    wireguard / protonvpn MSS/MTU config issues.

      4o4rh

      I previously had wireguard working for a long time already on a dual wan failover and a wireguard to openvpn failover with the original settings below

      WAN1 igb0 -> eth to Fritzbox -> PPPoE fibre
      WAN2 igb1 -> eth to cable modem

      Original MTU/MSS settings that worked
      pppoe MTU (default i.e. 1500)
      pppoe MSS 1452 (-40)
      tun_wg0 MTU 1412
      maxmss 1452
      openvpn tun-mtu 1500
      openvpn tun-mtu-extra 32
      openvpn mssfix 1452

      wireguard has been playing up for about a week, and chatgpt gives me the below calculations

      pppoe MTU 1492
      pppoe MSS 1492 (-40)
      tun_wg0 MTU 1412
      maxmss 1452
      openvpn tun-mtu 1480
      openvpn mssfix 1452

      openvpn and the wan seem to be working fine.

      from a client

      curl -vk https://scmp.com
      * Host scmp.com:443 was resolved.
      * IPv6: 2606:4700::6812:cc2b, 2606:4700::6812:cd2b
      * IPv4: 104.18.204.43, 104.18.205.43
      *   Trying [2606:4700::6812:cc2b]:443...
      * Immediate connect fail for 2606:4700::6812:cc2b: Cannot assign requested address
      *   Trying [2606:4700::6812:cd2b]:443...
      * Immediate connect fail for 2606:4700::6812:cd2b: Cannot assign requested address
      *   Trying 104.18.204.43:443...
      * ALPN: curl offers h2,http/1.1
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (OUT), TLS alert, decode error (562):
      * TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
      * closing connection #0
      curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
      

      ping from pfsense over the wireguard interface works fine. I have tried lowering the MTU for wireguard, but I can't seem to get a value that actually works

        TheNarc @4o4rh

        @4o4rh How low did you try? I have a wireguard connection to ProtonVPN and set MTU and MSS to 1420 (for the wireguard interface) and have never had an issue.

          4o4rh @TheNarc

          I set MTU 1472 and MSS to 1432 on both links.
          I have tried a range of mtu-tun for wireguard down to 1320.
          everything causes SSL error

          An error occurred during a connection to thermalright.com. PR_END_OF_FILE_ERROR
          Error code: PR_END_OF_FILE_ERROR
              The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
              Please contact the website owners to inform them of this problem.
          

          just started about 2 weeks ago. have tried switching to configs from different countries, routing through different wans. nothing works

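The header arithmetic behind the MTU and MSS figures discussed in this thread, as an added example that is not part of any post: it derives the largest WireGuard tunnel MTU that fits a PPPoE uplink and checks a tunnel MTU / MSS pair against it. Assumptions: 1500-byte Ethernet, no IP or TCP options, the MSS value is a pfSense-style interface field that clamps to the entered value minus the IP and TCP headers, and the value pairs in the demo are read as settings for the WireGuard interface; all function names are hypothetical.

```python
# Added example: header budget for WireGuard carried over a PPPoE uplink.
IP_HDR = {4: 20, 6: 40}   # IPv4 / IPv6 header, no options or extension headers
UDP_HDR = 8
TCP_HDR = 20              # no TCP options
PPPOE_HDR = 8             # 6-byte PPPoE header + 2-byte PPP protocol field
WG_DATA_HDR = 32          # type/reserved 4 + receiver index 4 + counter 8 + auth tag 16


def path_mtu(ethernet_mtu=1500, pppoe=True):
    """Largest IP packet the uplink carries without fragmentation."""
    return ethernet_mtu - (PPPOE_HDR if pppoe else 0)


def max_tunnel_mtu(underlay_mtu, endpoint_family):
    """Largest inner packet that still fits in one outer WireGuard datagram."""
    return underlay_mtu - IP_HDR[endpoint_family] - UDP_HDR - WG_DATA_HDR


def max_mss(mtu, family=4):
    """Largest TCP payload per segment for a given interface MTU."""
    return mtu - IP_HDR[family] - TCP_HDR


def audit(underlay_mtu, tunnel_mtu, mss_field, endpoint_family=4, inner_family=4):
    """Return findings for one tunnel MTU / MSS field pair (empty list = consistent)."""
    findings = []
    limit = max_tunnel_mtu(underlay_mtu, endpoint_family)
    if tunnel_mtu > limit:
        findings.append(f"tunnel MTU {tunnel_mtu} exceeds {limit}: "
                        f"outer packet would exceed underlay MTU {underlay_mtu}")
    effective = mss_field - IP_HDR[inner_family] - TCP_HDR  # assumed field semantics
    mss_limit = max_mss(tunnel_mtu, inner_family)
    if effective > mss_limit:
        findings.append(f"effective MSS {effective} exceeds {mss_limit}: "
                        f"full-size segments exceed tunnel MTU {tunnel_mtu}")
    return findings


if __name__ == "__main__":
    uplink = path_mtu(1500, pppoe=True)
    print("tunnel MTU ceiling, IPv4 endpoint:", max_tunnel_mtu(uplink, 4))
    print("tunnel MTU ceiling, IPv6 endpoint:", max_tunnel_mtu(uplink, 6))
    # (tunnel MTU, MSS field) pairs quoted in the thread
    for mtu, mss in [(1412, 1452), (1420, 1420)]:
        print(mtu, mss, audit(uplink, mtu, mss) or "consistent")
```

An empty result only means the numbers fit the header budget; a path with a smaller MTU somewhere beyond the uplink still needs a lower underlay value passed in.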
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.