WireGuard Windows should have default MTU of 1280.

David Anderson dave at natulte.net
Wed Feb 23 05:21:15 UTC 2022

FWIW, a variety of cloud providers have a leaky abstraction, where they expose an MTU slightly below 1500 to their VMs due to encapsulation they use internally, and not using jumbo frames for various reasons. For example, Google Compute Engine VMs have an MTU of 1460b before WireGuard.

So, if you blindly set your MTU to "1500 minus exactly WireGuard overhead", it'll mysteriously break in those cloud environments (unless you get lucky with PMTUD saving the day, but I tend to assume it got broken by a misguided firewall). It's a common stumbling block I've seen many people hit when deploying WireGuard to cloudy environments that aren't AWS or on-premises systems (which tend to have well-behaved MTUs and jumbo frames on the wire, empirically).

Unfortunately, dropping the wg MTU all the way to 1280 can break stuff differently, for people running encapsulation _inside_ WireGuard, because then their inner packet size is smaller than the mandated minimum for IPv6. So, short of building OOB MTU discovery into WireGuard (à la QUIC - a reasonably big complexity bump), there's no one-size-fits-all default that'll make everyone happy, I fear.

- Dave

On Mon, Feb 21, 2022, at 13:44, Roman Mamedov wrote:
> On Tue, 22 Feb 2022 00:57:10 +0500
> Roman Mamedov <rm at romanrm.net> wrote:
> > On Mon, 21 Feb 2022 22:16:22 +0300
> > Michael Tokarev <mjt at tls.msk.ru> wrote:
> > 
> > > 21.02.2022 22:11, Michael Adams wrote:
> > > > Throwing in my two cents: I was using MTU 1280 on Tinc a few years back, for IPv6 VPN support on Windows & Linux. It's good practice.
> > > 
> > > Lemme guess. The OP is routing wg packets over IPv6?  Can this be
> > > the problem here, because V6 has larger overhead so that 1420 is
> > > too large to fit into 1500 bytes together with IPv6 header?
> > 
> > 1420 is picked specifically so that it fits into a 1500 byte packet with IPv6.
> > 
> > If you run WG exclusively over IPv4, you can use up to 1432.
> Correction: 1440.
> https://www.mail-archive.com/wireguard@lists.zx2c4.com/msg01856.html
> I'm just used to subtracting 8 everywhere, because my ISP *does* use PPPoE. :)
> -- 
> With respect,
> Roman
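
The MTU figures in this thread (1420, 1440, the PPPoE subtraction of 8, the 1460-byte GCE underlay) worked through as an added example that is not part of any message above. The function names and the `inner_encap` parameter are hypothetical; the 32-byte WireGuard figure is the 16-byte data message header plus the 16-byte authentication tag.

```python
# Added example: WireGuard tunnel MTU arithmetic for the cases in this thread.
IPV4_HEADER = 20        # outer IPv4 header without options
IPV6_HEADER = 40        # outer IPv6 fixed header
UDP_HEADER = 8
WG_DATA_OVERHEAD = 32   # 16-byte data message header + 16-byte Poly1305 tag
PPPOE_OVERHEAD = 8      # PPPoE + PPP headers on the access link
IPV6_MIN_MTU = 1280     # minimum link MTU that IPv6 requires


def wg_mtu(underlay_mtu, outer_ipv6=True, pppoe=False):
    """Largest tunnel MTU whose encrypted packets fit the underlay unfragmented."""
    outer_ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    link = underlay_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    return link - outer_ip - UDP_HEADER - WG_DATA_OVERHEAD


def check(underlay_mtu, configured_mtu, outer_ipv6=True, pppoe=False, inner_encap=0):
    """Return the problems with a configured wg MTU on a given underlay.

    inner_encap is the per-packet overhead of a tunnel run inside WireGuard
    (hypothetical parameter; supply the value for your own encapsulation).
    """
    problems = []
    limit = wg_mtu(underlay_mtu, outer_ipv6, pppoe)
    if configured_mtu > limit:
        problems.append(f"too large for underlay: {configured_mtu} > {limit}")
    if configured_mtu < IPV6_MIN_MTU:
        problems.append(f"tunnel cannot carry IPv6: {configured_mtu} < {IPV6_MIN_MTU}")
    inner = configured_mtu - inner_encap
    if inner_encap and inner < IPV6_MIN_MTU:
        problems.append(f"nested tunnel cannot carry IPv6: {inner} < {IPV6_MIN_MTU}")
    return problems


if __name__ == "__main__":
    # Constructed cases: (label, underlay MTU, configured wg MTU, extra arguments)
    cases = [
        ("1500 underlay, default 1420", 1500, 1420, {}),
        ("1460 underlay, default 1420", 1460, 1420, {}),
        ("1460 underlay, wg MTU 1280", 1460, 1280, {}),
        ("1500 underlay, wg MTU 1280, 50-byte inner encap", 1500, 1280, {"inner_encap": 50}),
    ]
    for label, underlay, mtu, extra in cases:
        print(label, "->", check(underlay, mtu, **extra) or "ok")
```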
