IPv6 and PPPoE with MSSFIX

Luiz Angelo Daros de Luca luizluca at gmail.com
Tue Aug 22 20:39:23 UTC 2023


We noticed an issue with clients that use PPPoE and connect to WG
using IPv6. Both sides start to fragment the encrypted packet leading
to a severe degradation in performance. We reduced the wireguard MTU
from the default 1420 to 1400 and the issue was solved. However, I
wonder if it could be fixed with MSSFIX (in my case, nftables

The server does know that the remote address has a smaller MTU as it
fragments the packet accordingly when any VPN peer sends some traffic.
The traffic inside the VPN does adjust the TCP MSS to fit into vpn
interface MTU (1420 by default, now 1400).

I could dynamically add firewall rules to clamp MSS per authorized_ips
but, theoretically, the kernel has all the info to do that
automatically. I wonder if MSSFIX could detect the best MTU for a
specific address through the wireguard. It should consider the
peer-to-peer PMTU, the IP protocol wireguard is using and the normal
wireguard headers.


     Luiz Angelo Daros de Luca
            luizluca at gmail.com

More information about the WireGuard mailing list