Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Netflix Issues over WireGuard

    Scheduled Pinned Locked Moved WireGuard
    50 Posts 7 Posters 13.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @arrmo
      last edited by

      Not really that long ;)

      Yeah I find this stuff fun - but I have been doing IT for like 30 years.. And do it for a living as well. I am senior network engineer for a global 100 company.. More of operations manager as of late ;)

      But yeah a puzzle/problem is what drives me.. So give me a few days after 2.5 drops and will be much better suited to answer any wg questions.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      arrmoA 1 Reply Last reply Reply Quote 1
      • arrmoA
        arrmo @johnpoz
        last edited by

        @johnpoz Sounds great! And we need to talk. We sound very similar - I have an RF background, wireless R&D for network equipment, for about 30 years now also ... 😆. Sadly, I remember the days of Nortel, used to work there ... a bit back now of course!

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @arrmo
          last edited by johnpoz

          RF you say ;) guess what I did in the Navy.. HF comms, most specific the SRC-16, but also URT-23s and some crypto..

          That was back before computers were really even thing..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          arrmoA 1 Reply Last reply Reply Quote 1
          • arrmoA
            arrmo @johnpoz
            last edited by

            @johnpoz Nice! Sounds very cool. And yes, computers were real boat anchors back then 😉. I started in optical fiber amplifiers. Man, takes me back!

            A 1 Reply Last reply Reply Quote 0
            • A
              AB5G @arrmo
              last edited by

              @arrmo Your issue may be related to this - https://www.reddit.com/r/WireGuard/comments/ef1hhj/mturelated_problems_when_using_a_lan_gateway_to/

              I'm taking a guess here but only Netflix not working points to the MTU issues.

              arrmoA G 2 Replies Last reply Reply Quote 1
              • arrmoA
                arrmo @AB5G
                last edited by

                @ab5g said in Netflix Issues over WireGuard:

                I'm taking a guess here but only Netflix not working points to the MTU issues.

                It may be! I had other issues before, that may have been "hiding" this. Hmmm ... let me read this one over a couple times - wondering where I need to set the MTU (i.e. just on OpenWrt "client"). It's funny, but two different DHCP clients hanging off that OW router - one works, the other doesn't ... LOL.

                Thanks!

                1 Reply Last reply Reply Quote 0
                • G
                  Griffo @AB5G
                  last edited by Griffo

                  @ab5g Given your prompt I just went and did the old ping test to determine MTU on some of my WG tunnels. The highest i could get was 1392 without a fragmentation error, which given the 28 byte ICMP & TCP header aligns to 1420.

                  I then checked ifconfig, and it looks like pfsense already sets all WG interfaces to 1420:

                  e.g

                  wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
                      
                  
                  

                  What I can't find is why 1420 is the magic number.. I thought WG had only 32 bytes of overhead

                  I can confirm however that Netflix works fine on my WG tunnels to a commercial VPN provider.

                  A 1 Reply Last reply Reply Quote 0
                  • A
                    AB5G @Griffo
                    last edited by AB5G

                    @griffo 1420 is the default MTU for WG (1500-80) - comes from here - https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html

                    If you are running WG over a PPPoE instead of Ethernet then instead of 1500-80 you'd have 1492 (MTU for PPPoE) - 80 = 1412.

                    P:S : For me I have no issues on WG - except for some missing packets that I strongly believe is a bug. I have a separate thread on it.

                    1 Reply Last reply Reply Quote 1
                    • arrmoA
                      arrmo
                      last edited by

                      @griffo said in Netflix Issues over WireGuard:

                      The highest i could get was 1392 without a fragmentation error

                      Hi,

                      Sorry for the delay - having a bit of "fun" today, with rolling power outages thanks to crazy winter weather. Trying to get to this, between outages 😞.

                      @Griffo , to your comment above, about "The highest i could get was 1392 without a fragmentation error" ... are you just adjusting the size of ping (packets), to see where it breaks? Will try to duplicate here, but want to first understand how you are doing it 😆.

                      I do see here the same 1420 MTU on pfSense, but perhaps on the remote end (OW) it's not following / abiding by this? I do also see some notes in the links from @AB5G (thanks!) about messing with iptables - is this on the OW side (I assume, but may be wrong).

                      Thanks again!

                      1 Reply Last reply Reply Quote 0
                      • arrmoA
                        arrmo
                        last edited by

                        OK, an update - and this is VERY odd 🤣. There are two clients behind the OW router, both getting DHCP from the router, and both on the same subnet and WG link of course. But ... one of them, Netflix is fine. The other - nope! One is a Windows laptop, the other a Roku TV. I did change the MTU setting on the router, but that made no difference, and I actually captured the traffic coming out from the tunnel on the pfSense side (tcpdump) - both seem to show a maximum packet size of 1424 (to and from Netflix) ... not sure if that is an issue or not, as this is on the pfSense side, not OW (where I reduced the size ... perhaps not enough though?).

                        But ... as both clients are on the same subnet - seems like it's not routing, nor packet size? Or am I just confused?

                        Thanks!

                        1 Reply Last reply Reply Quote 0
                        • D
                          Dhiru
                          last edited by Dhiru

                          I suspect that TCP MSS clamping is not enabled for wireguard interfaces. I am facing similar issues with not just Netflix but several other websites on 2.5 when wireguard is enabled to route all traffic through VPN.

                          I was able to fix this by adding a clamping rule on my VPN server. Ideally I would like pfSense to add the rule on the interface by default.

                          iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
                          
                          arrmoA 1 Reply Last reply Reply Quote 1
                          • arrmoA
                            arrmo @Dhiru
                            last edited by

                            @dhiru Yes, agreed - and similar to the link above from @AB5G. There is a way to do this in the webConfigurator as well (you can set MSS inside the interface). I tried it, and it works ... and also fixes my issue, thanks!

                            What's very odd, I can see the MSS webConfigurator setting works (based on tcpdump captures). But when I upgraded from 2.5-RC to 2.5 => it no longer seems to be needed. Huh?

                            Thanks!

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.