Can't resolve MTU issues through Wireguard
-
pfSense 2.6.0 with Wireguard 0.1.6_2. I followed the documentation for "WireGuard Remote Access VPN Configuration Example".
Test client is Wireguard app for Android on a Moto G31. On Boost mobile network in Australia (using Telstra network).
I can:
- Establish a connection.
- See the connection listed as active (handshake succeeded) in pfSense Wireguard status Peers list.
- Ping from Android to pfSense's IP address on the Wireguard subnet.
- Ping from pfSense to Android's IP address on the Wireguard subnet.
- Ping from Android to a device on another LAN interface on pfSense
- Load a very small test web page hosted by
python3 -m http.serveron a device on another LAN interface on pfSense.
But from Android, I can't load a larger test web page, and I can't load the pfSense web admin page itself. The browser just hangs for a long time, then says the connection has timed out. Tested with Chrome, Firefox on Android.
In pfSense, I can see the TCP connection appearing in the states list of the firewall. So it looks as though it's not a firewall issue. Especially since I can load a very small test web page.
This is all pointing towards some MTU misconfiguration. But no matter what I've tried for the WG interface's MTU and MSS values so far, I have not been able to work out good numbers that make it work.
Doing test pings on Android and the pfSense router, it looks as though the maximum ping payload size is 1236 bytes.
(I've also set up OpenVPN on the same pfSense router and Android phone, and that works fine.)
Does anyone have advice on diagnosing/solving MTU issues with Wireguard in pfSense?
-
@cmcqueen this problem seems…familiar to me. What’s the MTU of the Server you’re testing against?
Backdrop: I had a server that for some reason had a MTU of 9000. I had to set it to 1500 just to get any connectivityFirewall: NetGate 6100/7100U, Palo Alto
Routing: Juniper MX204 , Arista 7050X3
Switching: Juniper EX/QFX. Arista 7050SX
Wireless: Unifi, Aruba IAP -
@michmoor the pfSense router has MTU 1500 on its WAN and LAN interfaces.
The other device on the other LAN interface that I ran
python3 -m http.serveron also has an MTU of 1500. -
@cmcqueen the clients wireguard interface is set to 1500?
Firewall: NetGate 6100/7100U, Palo Alto
Routing: Juniper MX204 , Arista 7050X3
Switching: Juniper EX/QFX. Arista 7050SX
Wireless: Unifi, Aruba IAP -
This post is deleted! -
@michmoor The Android Wireguard app has a box for entering an MTU; if it's blank, it says "auto".
-
I've set up Wireguard on a Linux laptop running Ubuntu 22.04. I've tethered it through my phone's mobile data service, and then started the Wireguard connection on the laptop. That seems to be working fine — I can access the pfSense web admin page; I can download large test files from my test device; I can upload large files via SSH.
So, that indicates the problem is really with the Android Wireguard app, while the pfSense Wireguard implementation is fine.
