Nigel Magnay nigel.magnay at
Tue Jun 18 17:32:16 CEST 2019


I have successfully set up a wireguard connection, to a server hosted
inside Microsoft Azure. Thank you for this software, it's so much easier to
configure than the alternatives.

I have a small problem though, which I think I understand (but seems
strange), but I'm not sure of the correct solution.

I have routed all internet traffic over this connection; it works, I can
successfully ping sites, and view some. I'm using IP masquerading at both
ends to connect entire networks (I thus use the client as a gateway).

However - some hosts do not respond - or, rather, there's a packet
fragmentation issue.

I can see with tcpdump on the server entries like this:

17:55:04.461804 IP > vpn1.60630: Flags [.], seq 1:1441, ack 518, win 30, length 1440
17:55:04.461849 IP vpn1 > ICMP vpn1 unreachable - need to frag (mtu 1420), length 556

Which I take to mean "we got a response, its length is too big to fit in
the vpn payload, please shorten".

What happens though is nothing - it just keeps receiving over-long
responses, so it doesn't work - which is hardly wireguard's fault.

Now, I guess either the end server is simply ignoring me, or the ICMP stuff
is being blocked somewhere. I'm not knowledgeable enough to know if either
of these are likely, as I'm a bit puzzled as to how anything could work
properly if either of those were true.

So - am I doing something wrong? What are the right knobs for me to be
twiddling here?

I have wireguard 0.0.20190601 at each end.
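What the tcpdump lines above describe is a path MTU discovery blackhole: the gateway answers an over-long segment with ICMP "need to frag (mtu 1420)", but the remote sender keeps transmitting 1440-byte payloads, so either the ICMP never reaches it or it ignores it. The usual mitigation on a gateway that routes a whole network through a tunnel is to clamp the TCP MSS on forwarded SYNs so the remote end never tries to send a segment that will not fit. The script below is an added example, not code from the poster or from the WireGuard project: it parses tcpdump lines of the shape shown in the post, flags segments that are still oversized after a "need to frag" was sent, and derives the MSS to clamp to. The remote address 203.0.113.10 is a constructed placeholder (the post has it redacted), the interface name wg0 is an assumption, and the header arithmetic assumes IPv4 without IP or TCP options.

```python
import re

# Constructed sample tcpdump lines, modelled on the two lines quoted in the post.
# The remote peer address (203.0.113.10, a documentation range) is made up;
# the post does not show it.
SAMPLE_LINES = [
    "17:55:04.461804 IP 203.0.113.10.443 > vpn1.60630: Flags [.], seq 1:1441, ack 518, win 30, length 1440",
    "17:55:04.461849 IP vpn1 > 203.0.113.10: ICMP vpn1 unreachable - need to frag (mtu 1420), length 556",
    "17:55:05.103311 IP 203.0.113.10.443 > vpn1.60630: Flags [.], seq 1:1441, ack 518, win 30, length 1440",
]

IPV4_HEADER = 20   # assumption: no IP options
TCP_HEADER = 20    # assumption: no TCP options (timestamps would add 12 bytes)

# tcpdump TCP line: "<time> IP <host>.<port> > <host>.<port>: Flags [...], ... length <payload>"
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[[^\]]*\], .*length (?P<length>\d+)$"
)
# tcpdump ICMP line: "<time> IP <host> > <host>: ICMP ... need to frag (mtu <n>), ..."
NEED_FRAG_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP .*need to frag \(mtu (?P<mtu>\d+)\)"
)


def parse_tcp_segment(line):
    """Return (src_host, dst_host, payload_len) for a tcpdump TCP line, else None."""
    m = TCP_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("length"))


def parse_need_frag(line):
    """Return (sender, target, mtu) for an ICMP 'need to frag' line, else None."""
    m = NEED_FRAG_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("mtu"))


def recommended_mss(mtu, ip_header=IPV4_HEADER, tcp_header=TCP_HEADER):
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - ip_header - tcp_header


def analyze(lines):
    """Scan tcpdump output for PMTUD blackhole symptoms.

    Once a 'need to frag' advertising MTU N has been sent, any later TCP
    segment whose payload plus headers still exceeds N means the peer either
    never received the ICMP or is ignoring it.
    """
    pmtu = None
    oversized_after_icmp = 0
    for line in lines:
        frag = parse_need_frag(line)
        if frag:
            pmtu = frag[2]
            continue
        seg = parse_tcp_segment(line)
        if seg and pmtu is not None:
            total = seg[2] + IPV4_HEADER + TCP_HEADER
            if total > pmtu:
                oversized_after_icmp += 1
    return {
        "pmtu": pmtu,
        "oversized_after_icmp": oversized_after_icmp,
        "recommended_mss": recommended_mss(pmtu) if pmtu else None,
    }


def mss_clamp_rule(mss, iface="wg0"):
    """iptables rule rewriting the MSS on forwarded SYNs; 'wg0' is an assumed interface name."""
    return (f"iptables -t mangle -A FORWARD -o {iface} -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {mss}")


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    print(report)
    if report["oversized_after_icmp"]:
        print("PMTUD looks blackholed; clamp MSS on the gateway:")
        print(mss_clamp_rule(report["recommended_mss"]))
```

With the sample lines the report is an advertised PMTU of 1420, one oversized segment after the ICMP, and a recommended MSS of 1380 (1420 minus 40 bytes of headers). The same rule with `--clamp-mss-to-pmtu` instead of a fixed `--set-mss` lets the kernel derive the value from the outgoing interface's MTU, which is the more common form when the tunnel MTU may change.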
