[WireGuard] Header / MTU sizes for Wireguard

Jason A. Donenfeld Jason at zx2c4.com
Mon Dec 11 02:36:27 CET 2017

Many people ask about the packet breakdown of WireGuard, and though
this is explained in [1] and [2], many find this ancient mailing list
thread, which now contains out of date information. So this email is
to bring the thread up to date, for folks who stumble upon it.

 The overhead of WireGuard breaks down as follows:

- 20-byte IPv4 header or 40 byte IPv6 header
- 8-byte UDP header
- 4-byte type
- 4-byte key index
- 8-byte nonce
- N-byte encrypted data
- 16-byte authentication tag

So, if you assume 1500 byte ethernet frames, the worst case (IPv6)
winds up being 1500-(40+8+4+4+8+16), leaving N=1420 bytes. However, if
you know ahead of time that you're going to be using IPv4 exclusively,
then you could get away with N=1440 bytes.

[1] https://www.wireguard.com/protocol/
[2] https://www.wireguard.com/papers/wireguard.pdf

More information about the WireGuard mailing list