Wireguard packets over IPv6 are not fragmented to path MTU

Philipp S. Tiesel philipp at tiesel.net
Sat Jan 28 13:20:06 UTC 2023


I have an issue with Wireguard and IPv6 fragmentation where the kernel implementation keeps constantly emitting UDP packets which are too large for the path-MTU even though I see a correct path-MTU in the route cache.

Setup details:
- Tunnel endpoint A has an interface MTU of 9000
- Path between A and B does not block ICMPv6
- Path MTU is 1500
- First hop on the way from A to B has an MTU of 9000 and correctly emits ICMPv6 Packet Too Big
- Tunnel endpoint B has an interface MTU of 1500

As I have some customer traffic through the tunnel that requires an MTU of 1500, I would like to have the tunnel endpoints correctly fragment packets. This works as long as the interface MTU is equal to the path MTU, but fails otherwise.
If I switch from the Linux-kernel to the Go implementation, fragmentation also works as expected.

Does anyone have a hint where to start digging why the Linux implementation does not correctly fragment the UDP frames of the Wireguard tunnel if the path-MTU is smaller than the interface-MTU?

Software version on endpoint A:
- Debian Bookworm
- Debian Kernel 6.1.0-1-cloud-amd64
- wireguard-tools v1.0.20210914

  Philipp S. Tiesel