[WireGuard] Header / MTU sizes for Wireguard

Jason A. Donenfeld Jason at zx2c4.com
Wed Jul 27 01:41:48 CEST 2016

This mailing list post is out of date. Find updated information here.

You will be redirected there in 3 seconds.

Hi Jens,

I assume it was you asking in the IRC channel about this same thing
before signing out? Sorry I wasn't there when you were; I only just
now arrived home.

There actually is some optimization potential for you with regards to
the MTU. The overhead of WireGuard breaks down as follows:

- 20 byte IPv4 header or 40 byte IPv6 header
- 8 byte UDP header
- 1 byte type
- 4 byte key index
- 8 byte nonce
- N byte encrypted data
- 16 byte poly1305 authentication tag

So, if you assume 1500 byte ethernet frames, the worst case (IPv6)
winds up being 1500-(40+8+1+4+8+16), leaving N=1423 bytes. However, if
you know ahead of time that you're going to be using IPv4 exclusively,
then you could get away with 1443 bytes.

Hope that helps,

More information about the WireGuard mailing list