How to properly change WireGuard MTU

Hello guys,
I think I have some problems with changing the WireGuard interface MTU.
I have set up a WireGuard server with a udp2raw tunnel (because I cannot access my WireGuard server directly, so I'm using udp2raw to access it). Both of these tunnels are running on online virtual servers (not on my router).
I have no problem connecting to my WireGuard server through the udp2raw tunnel with my phone or PC by just adding "MTU = 1280" to the WireGuard .conf and changing the endpoint, but on my OpenWrt router the WireGuard interface connection behaves exactly as if I didn't lower the MTU (some lightweight sites are working, but most sites are not working).

Here are my settings:

What is the output of:

ifconfig wg0


You may go to the firewall status and check if MSS adjustment (clamping) is performed or not. Also, the MTU could be wrongly calculated. If you are using some specific applications, you may need to clear the DF-bit on both ends.

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:  P-t-P:  Mask:
          inet6 addr: fd42:42:42::2/128 Scope:Global
          RX packets:10244 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9326960 (8.8 MiB)  TX bytes:1123984 (1.0 MiB)

Is everything alright here?

Your MTU is 1280.

Yes, it should be 1280.

However, I have ticked "MSS clamping" for the wg0 firewall zone, and now every site is loading flawlessly.


Yes. Sometimes you should check that checkbox on the firewall page. Basically, setting the interface MTU won't do everything; it may influence the routing or result in fragmentation. If there is some bigger packet and you have an interface with a suitable MTU, in theory the packet must be routed via this interface. If you have only one route, the packet should be discarded if the DF-bit is set. If you don't have the correct MTU, the packet is likely to be dropped when sent over the interface instead of being fragmented. The MSS adjustment is applicable only to TCP traffic, so with UDP it may not work if not handled properly via the application. Clearing the DF-bit with an additional firewall rule will likely result in some amount of fragmented and reassembled traffic, which may degrade the performance and will introduce more protocol overhead, reducing the usable throughput. Note that fragmentation is done on L3 and MSS clamping on L4, so it is better for the applications to produce a payload which won't result in any fragmentation or drop in the first place. In some cases the fragmentation and reassembly capability could be disabled in general, so clearing the DF may not work.

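What MSS clamping does to a forwarded TCP SYN, as an added Python example that is not part of the original thread and not OpenWrt's firewall code. It goes slightly beyond the thread by also covering IPv6 and the incremental checksum fix; the function names and the sample packet are constructed, and the 40/60-byte allowance assumes no IP options or extension headers.

```python
import struct

def sum16(data: bytes) -> int:
    """One's-complement 16-bit sum used by the TCP checksum."""
    s = sum(w for (w,) in struct.iter_unpack("!H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def clamp_mss(tcp: bytes, tunnel_mtu: int, ipv6: bool = False) -> bytes:
    """Lower the MSS option of a TCP SYN so full segments fit tunnel_mtu."""
    limit = tunnel_mtu - (60 if ipv6 else 40)   # minus IP header and 20-byte TCP header
    hdr = bytearray(tcp)
    end = min((hdr[12] >> 4) * 4, len(hdr))     # data offset: header length with options
    if not hdr[13] & 0x02:                      # MSS is only carried on SYN / SYN-ACK
        return tcp
    i = 20
    while i + 1 < end:
        kind, length = hdr[i], hdr[i + 1]
        if kind == 0:                           # end of option list
            break
        if kind == 1:                           # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > end:      # malformed option: leave packet alone
            break
        if kind == 2 and length == 4:           # MSS option
            old = struct.unpack_from("!H", hdr, i + 2)[0]
            if old > limit:
                struct.pack_into("!H", hdr, i + 2, limit)
                # Incremental checksum update (RFC 1624): HC' = ~(~HC + ~m + m')
                csum = struct.unpack_from("!H", hdr, 16)[0]
                delta = struct.pack("!HHH", ~csum & 0xFFFF, ~old & 0xFFFF, limit)
                struct.pack_into("!H", hdr, 16, ~sum16(delta) & 0xFFFF)
            break
        i += length
    return bytes(hdr)

# Constructed sample: IPv4 pseudo-header and a SYN advertising MSS 1460.
PSEUDO = bytes([10, 0, 0, 2, 192, 0, 2, 1, 0, 6, 0, 24])

def sample_syn(mss: int = 1460) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 64240, 0, 0)
    hdr += struct.pack("!BBH", 2, 4, mss)
    csum = ~sum16(PSEUDO + hdr) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def mss_of(tcp: bytes) -> int:
    return struct.unpack_from("!H", tcp, 22)[0]  # sample has MSS as its only option
```

With the thread's MTU of 1280, a SYN advertising 1460 leaves the router advertising 1240 over IPv4, so the remote end never sends a TCP segment too large for the tunnel; UDP has no such field, which is why clamping does nothing for it.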
