IPv4 NAT traffic from WireGuard VPN client not getting TCP ACKs from some servers

I'm hoping for some suggestions on how to diagnose what's going on here. Is it a crappy ISP upstream causing trouble? Or something I can configure my way around on the OpenWrt side?

  • 21.02.2 OpenWrt router, on Spectrum cable modem service (Maine), with WireGuard VPN server
    • ISP provides IPv4 address plus IPv6 address and a /56 delegation
  • iOS or macOS WireGuard clients connecting to the router
  • Some IPv4 web servers work fine (ipquail.com, ipv4.google.com)
  • Some IPv4 web servers are very slow to send or never send TCP ACKs for the initial SYN handshake packet, at least as far as tcpdump reports.

I would suspect it's an MSS issue, but the SYN packets in both cases are showing an MSS based on the wireguard tunnel MSS. The troublesome connections never get open enough for an MSS mismatch to cause trouble, I believe.

I am not at the location where the router is, so I can't connect to the wifi or ethernet there to see if things are working properly from the LAN. The best I can do to compare in that regard is to use wget while logged into the router to attempt to connect to the same web pages that stall in the iOS browser, and that always seems to complete the TCP handshake very reliably, with slightly different TCP options (see last trace).

Where do I start looking?

Here's a working opening handshake connection via the VPN to ipquail.com:

22:08:36.661297 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63365 > 192.241.199.179.443: Flags [S], cksum 0x1365 (correct), seq 1093115627, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 541759036 ecr 0,sackOK,eol], length 0
22:08:37.154856 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63365 > 192.241.199.179.443: Flags [S], cksum 0x1173 (correct), seq 1093115627, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 541759534 ecr 0,sackOK,eol], length 0
22:08:37.241315 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.241.199.179.443 > xx.xx.xx.xx.63365: Flags [S.], cksum 0x72b5 (correct), seq 2639897731, ack 1093115628, win 65160, options [mss 1460,sackOK,TS val 2669662029 ecr 541759534,nop,wscale 7], length 0
22:08:37.301121 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63365 > 192.241.199.179.443: Flags [.], cksum 0x8f75 (correct), seq 1, ack 1, win 4106, options [nop,nop,TS val 541759673 ecr 2669662029], length 0
22:08:37.301275 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 569)
    xx.xx.xx.xx.63365 > 192.241.199.179.443: Flags [P.], cksum 0x3c27 (correct), seq 1:518, ack 1, win 4106, options [nop,nop,TS val 541759673 ecr 2669662029], length 517
22:08:37.390156 IP (tos 0x0, ttl 53, id 16348, offset 0, flags [DF], proto TCP (6), length 52)
    192.241.199.179.443 > xx.xx.xx.xx.63365: Flags [.], cksum 0x9aeb (correct), seq 1, ack 518, win 506, options [nop,nop,TS val 2669662178 ecr 541759673], length 0
22:08:37.390901 IP (tos 0x0, ttl 53, id 16349, offset 0, flags [DF], proto TCP (6), length 1280)
    192.241.199.179.443 > xx.xx.xx.xx.63365: Flags [.], cksum 0x0d9c (correct), seq 1:1229, ack 518, win 506, options [nop,nop,TS val 2669662179 ecr 541759673], length 1228
22:08:37.391182 IP (tos 0x0, ttl 53, id 16350, offset 0, flags [DF], proto TCP (6), length 1280)
    192.241.199.179.443 > xx.xx.xx.xx.63365: Flags [P.], cksum 0x55d0 (correct), seq 1229:2457, ack 518, win 506, options [nop,nop,TS val 2669662179 ecr 541759673], length 1228
22:08:37.391747 IP (tos 0x0, ttl 53, id 16351, offset 0, flags [DF], proto TCP (6), length 1280)
    192.241.199.179.443 > xx.xx.xx.xx.63365: Flags [.], cksum 0xea2d (correct), seq 2457:3685, ack 518, win 506, options [nop,nop,TS val 2669662179 ecr 541759673], length 1228
22:08:37.391875 IP (tos 0x0, ttl 53, id 16352, offset 0, flags [DF], proto TCP (6), length 464)
    192.241.199.179.443 > xx.xx.xx.xx.63365: Flags [P.], cksum 0x5966 (correct), seq 3685:4097, ack 518, win 506, options [nop,nop,TS val 2669662179 ecr 541759673], length 412
22:08:37.392065 IP (tos 0x0, ttl 53, id 16353, offset 0, flags [DF], proto TCP (6), length 966)
    192.241.199.179.443 > xx.xx.xx.xx.63365: Flags [P.], cksum 0x9bce (correct), seq 4097:5011, ack 518, win 506, options [nop,nop,TS val 2669662180 ecr 541759673], length 914
22:08:37.447205 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63365 > 192.241.199.179.443: Flags [.], cksum 0x87a1 (correct), seq 518, ack 1229, win 4067, options [nop,nop,TS val 541759821 ecr 2669662179], length 0

and here's a mostly-failed attempt to open to theoldreader.com. It was reliably completely failing earlier tonight, now it's half-heartedly working sometimes (quite slow to connect, very slow/stuttering network, browser often times out waiting)

22:16:37.887387 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xd148 (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268095203 ecr 0,sackOK,eol], length 0
22:16:38.088331 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xd081 (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268095402 ecr 0,sackOK,eol], length 0
22:16:38.114472 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x8e12 (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791845915 ecr 0,sackOK,eol], length 0
22:16:38.289219 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xcfb7 (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268095604 ecr 0,sackOK,eol], length 0
22:16:38.489283 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xceec (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268095807 ecr 0,sackOK,eol], length 0
22:16:38.690685 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xce24 (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268096007 ecr 0,sackOK,eol], length 0
22:16:38.893084 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xcd5a (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268096209 ecr 0,sackOK,eol], length 0
22:16:39.149102 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xcc5f (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268096460 ecr 0,sackOK,eol], length 0
22:16:39.440172 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x88e7 (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791847238 ecr 0,sackOK,eol], length 0
22:16:39.641156 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xca6e (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268096957 ecr 0,sackOK,eol], length 0
22:16:40.628872 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xc691 (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268097946 ecr 0,sackOK,eol], length 0
22:16:40.765963 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x83bc (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791848561 ecr 0,sackOK,eol], length 0
22:16:42.092288 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x7e92 (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791849883 ecr 0,sackOK,eol], length 0
22:16:42.612942 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xbedc (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268099919 ecr 0,sackOK,eol], length 0
22:16:43.410250 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x7967 (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791851206 ecr 0,sackOK,eol], length 0
22:16:44.731778 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x743d (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791852528 ecr 0,sackOK,eol], length 0
22:16:44.774794 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [S.], cksum 0x202b (correct), seq 1905295632, ack 1549284227, win 14480, options [mss 1460,sackOK,TS val 3245438853 ecr 1791852528,nop,wscale 7], length 0
22:16:44.832467 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x7719 (correct), seq 1, ack 1, win 4106, options [nop,nop,TS val 1791852628 ecr 3245438853], length 0
22:16:44.832527 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 569)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [P.], cksum 0xce06 (correct), seq 1:518, ack 1, win 4106, options [nop,nop,TS val 1791852630 ecr 3245438853], length 517
22:16:44.874616 IP (tos 0x0, ttl 55, id 63119, offset 0, flags [DF], proto TCP (6), length 52)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x8489 (correct), seq 1, ack 518, win 122, options [nop,nop,TS val 3245438878 ecr 1791852630], length 0
22:16:44.875099 IP (tos 0x0, ttl 55, id 63120, offset 0, flags [DF], proto TCP (6), length 1280)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x79a2 (correct), seq 1:1229, ack 518, win 122, options [nop,nop,TS val 3245438878 ecr 1791852630], length 1228
22:16:44.875387 IP (tos 0x0, ttl 55, id 63121, offset 0, flags [DF], proto TCP (6), length 1280)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x9672 (correct), seq 1229:2457, ack 518, win 122, options [nop,nop,TS val 3245438878 ecr 1791852630], length 1228
22:16:44.875606 IP (tos 0x0, ttl 55, id 63122, offset 0, flags [DF], proto TCP (6), length 1692)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [P.], cksum 0x562a (incorrect -> 0x830e), seq 2457:4097, ack 518, win 122, options [nop,nop,TS val 3245438878 ecr 1791852630], length 1640
22:16:44.933617 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x6ff3 (correct), seq 518, ack 1229, win 4067, options [nop,nop,TS val 1791852727 ecr 3245438878], length 0
22:16:44.933782 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x6b2f (correct), seq 518, ack 2457, win 4057, options [nop,nop,TS val 1791852729 ecr 3245438878], length 0
22:16:44.933829 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x6660 (correct), seq 518, ack 3685, win 4057, options [nop,nop,TS val 1791852732 ecr 3245438878], length 0
22:16:44.933877 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x64a7 (correct), seq 518, ack 4097, win 4083, options [nop,nop,TS val 1791852735 ecr 3245438878], length 0
22:16:44.976084 IP (tos 0x0, ttl 55, id 63124, offset 0, flags [DF], proto TCP (6), length 1116)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [P.], cksum 0xe0ad (correct), seq 4097:5161, ack 518, win 122, options [nop,nop,TS val 3245438903 ecr 1791852735], length 1064
22:16:45.033449 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x601c (correct), seq 518, ack 5161, win 4062, options [nop,nop,TS val 1791852830 ecr 3245438903], length 0
22:16:45.051565 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 178)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [P.], cksum 0xddb9 (correct), seq 518:644, ack 5161, win 4096, options [nop,nop,TS val 1791852854 ecr 3245438903], length 126
22:16:45.093766 IP (tos 0x0, ttl 55, id 63125, offset 0, flags [DF], proto TCP (6), length 103)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [P.], cksum 0xcd13 (correct), seq 5161:5212, ack 644, win 122, options [nop,nop,TS val 3245438933 ecr 1791852854], length 51
22:16:45.152125 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x5eb9 (correct), seq 644, ack 5212, win 4094, options [nop,nop,TS val 1791852946 ecr 3245438933], length 0
22:16:45.152500 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 1280)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0xd831 (correct), seq 644:1872, ack 5212, win 4096, options [nop,nop,TS val 1791852949 ecr 3245438933], length 1228
22:16:45.152597 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 243)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [P.], cksum 0x3d62 (correct), seq 1872:2063, ack 5212, win 4096, options [nop,nop,TS val 1791852949 ecr 3245438933], length 191
22:16:45.195175 IP (tos 0x0, ttl 55, id 63126, offset 0, flags [DF], proto TCP (6), length 52)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x686c (correct), seq 5212, ack 2063, win 164, options [nop,nop,TS val 3245438958 ecr 1791852949], length 0
22:16:45.449557 IP (tos 0x0, ttl 55, id 63127, offset 0, flags [DF], proto TCP (6), length 1280)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x5b70 (correct), seq 5212:6440, ack 2063, win 164, options [nop,nop,TS val 3245439022 ecr 1791852949], length 1228
22:16:45.449843 IP (tos 0x0, ttl 55, id 63128, offset 0, flags [DF], proto TCP (6), length 3736)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x5e26 (incorrect -> 0x6c32), seq 6440:10124, ack 2063, win 164, options [nop,nop,TS val 3245439022 ecr 1791852949], length 3684
22:16:45.450085 IP (tos 0x0, ttl 55, id 63131, offset 0, flags [DF], proto TCP (6), length 3736)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x5e26 (incorrect -> 0x8a2e), seq 10124:13808, ack 2063, win 164, options [nop,nop,TS val 3245439022 ecr 1791852949], length 3684
22:16:45.450482 IP (tos 0x0, ttl 55, id 63134, offset 0, flags [DF], proto TCP (6), length 3736)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x5e26 (incorrect -> 0x076f), seq 13808:17492, ack 2063, win 164, options [nop,nop,TS val 3245439022 ecr 1791852949], length 3684
22:16:45.582749 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x4dd2 (correct), seq 2063, ack 7668, win 4019, options [nop,nop,TS val 1791853384 ecr 3245439022], length 0
22:16:45.582817 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x4d85 (correct), seq 2063, ack 7668, win 4096, options [nop,nop,TS val 1791853384 ecr 3245439022], length 0
22:16:45.582982 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x4438 (correct), seq 2063, ack 10124, win 4019, options [nop,nop,TS val 1791853386 ecr 3245439022], length 0
22:16:45.583024 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x3647 (correct), seq 2063, ack 13808, win 3904, options [nop,nop,TS val 1791853386 ecr 3245439022], length 0
22:16:45.583063 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x3587 (correct), seq 2063, ack 13808, win 4096, options [nop,nop,TS val 1791853386 ecr 3245439022], length 0
22:16:45.583101 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x2c3c (correct), seq 2063, ack 16264, win 4019, options [nop,nop,TS val 1791853386 ecr 3245439022], length 0
22:16:45.583140 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x2797 (correct), seq 2063, ack 17492, win 3980, options [nop,nop,TS val 1791853386 ecr 3245439022], length 0
22:16:45.583177 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x2723 (correct), seq 2063, ack 17492, win 4096, options [nop,nop,TS val 1791853386 ecr 3245439022], length 0
22:16:45.625386 IP (tos 0x0, ttl 55, id 63137, offset 0, flags [DF], proto TCP (6), length 1280)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x838d (correct), seq 17492:18720, ack 2063, win 164, options [nop,nop,TS val 3245439066 ecr 1791853386], length 1228
22:16:45.625577 IP (tos 0x0, ttl 55, id 63138, offset 0, flags [DF], proto TCP (6), length 1280)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x12b8 (correct), seq 18720:19948, ack 2063, win 164, options [nop,nop,TS val 3245439066 ecr 1791853386], length 1228
22:16:45.625740 IP (tos 0x0, ttl 55, id 63139, offset 0, flags [DF], proto TCP (6), length 2508)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x595a (incorrect -> 0x941b), seq 19948:22404, ack 2063, win 164, options [nop,nop,TS val 3245439066 ecr 1791853386], length 2456
22:16:45.625924 IP (tos 0x0, ttl 55, id 63141, offset 0, flags [DF], proto TCP (6), length 1280)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [.], cksum 0x93e5 (correct), seq 22404:23632, ack 2063, win 164, options [nop,nop,TS val 3245439066 ecr 1791853386], length 1228
22:16:45.626059 IP (tos 0x0, ttl 55, id 63142, offset 0, flags [DF], proto TCP (6), length 1745)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [P.], cksum 0x565f (incorrect -> 0x8017), seq 23632:25325, ack 2063, win 164, options [nop,nop,TS val 3245439066 ecr 1791853386], length 1693
22:16:45.682598 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x1d4d (correct), seq 2063, ack 19948, win 4019, options [nop,nop,TS val 1791853481 ecr 3245439066], length 0
22:16:45.682709 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x1d00 (correct), seq 2063, ack 19948, win 4096, options [nop,nop,TS val 1791853481 ecr 3245439066], length 0
22:16:45.682790 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x1859 (correct), seq 2063, ack 21176, win 4057, options [nop,nop,TS val 1791853483 ecr 3245439066], length 0
22:16:45.692058 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x0ee1 (correct), seq 2063, ack 23632, win 4019, options [nop,nop,TS val 1791853489 ecr 3245439066], length 0
22:16:45.692216 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x0e94 (correct), seq 2063, ack 23632, win 4096, options [nop,nop,TS val 1791853489 ecr 3245439066], length 0
22:16:45.692279 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [.], cksum 0x0828 (correct), seq 2063, ack 25325, win 4043, options [nop,nop,TS val 1791853493 ecr 3245439066], length 0

and here's an open with wget on the router:

22:19:33.648982 IP (tos 0x0, ttl 64, id 2031, offset 0, flags [DF], proto TCP (6), length 60)
    xx.xx.xx.xx.39492 > 199.119.124.46.443: Flags [S], cksum 0x4fc9 (incorrect -> 0x0472), seq 3342180094, win 64240, options [mss 1460,sackOK,TS val 2233430448 ecr 0,nop,wscale 6], length 0
22:19:34.665436 IP (tos 0x0, ttl 64, id 2032, offset 0, flags [DF], proto TCP (6), length 60)
    xx.xx.xx.xx.39492 > 199.119.124.46.443: Flags [S], cksum 0x4fc9 (incorrect -> 0x0079), seq 3342180094, win 64240, options [mss 1460,sackOK,TS val 2233431465 ecr 0,nop,wscale 6], length 0
22:19:36.746998 IP (tos 0x0, ttl 64, id 2033, offset 0, flags [DF], proto TCP (6), length 60)
    xx.xx.xx.xx.39492 > 199.119.124.46.443: Flags [S], cksum 0x4fc9 (incorrect -> 0xf857), seq 3342180094, win 64240, options [mss 1460,sackOK,TS val 2233433546 ecr 0,nop,wscale 6], length 0
22:19:36.789300 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    199.119.124.46.443 > xx.xx.xx.xx.39492: Flags [S.], cksum 0x1122 (correct), seq 3737043274, ack 3342180095, win 14480, options [mss 1460,sackOK,TS val 3245623302 ecr 2233433546,nop,wscale 7], length 0
22:19:36.789465 IP (tos 0x0, ttl 64, id 2034, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.39492 > 199.119.124.46.443: Flags [.], cksum 0x4fc1 (incorrect -> 0x7467), seq 1, ack 1, win 1004, options [nop,nop,TS val 2233433589 ecr 3245623302], length 0
22:19:36.793027 IP (tos 0x0, ttl 64, id 2035, offset 0, flags [DF], proto TCP (6), length 410)
    xx.xx.xx.xx.39492 > 199.119.124.46.443: Flags [P.], cksum 0x5127 (incorrect -> 0x85f1), seq 1:359, ack 1, win 1004, options [nop,nop,TS val 2233433593 ecr 3245623302], length 358
22:19:36.836695 IP (tos 0x0, ttl 55, id 35163, offset 0, flags [DF], proto TCP (6), length 52)
    199.119.124.46.443 > xx.xx.xx.xx.39492: Flags [.], cksum 0x7663 (correct), seq 1, ack 359, win 122, options [nop,nop,TS val 3245623314 ecr 2233433593], length 0
22:19:36.837286 IP (tos 0x0, ttl 55, id 35164, offset 0, flags [DF], proto TCP (6), length 1500)
    199.119.124.46.443 > xx.xx.xx.xx.39492: Flags [.], cksum 0x3e5f (correct), seq 1:1449, ack 359, win 122, options [nop,nop,TS val 3245623314 ecr 2233433593], length 1448
22:19:36.837387 IP (tos 0x0, ttl 64, id 2036, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.39492 > 199.119.124.46.443: Flags [.], cksum 0x4fc1 (incorrect -> 0x6d1f), seq 359, ack 1449, win 1002, options [nop,nop,TS val 2233433637 ecr 3245623314], length 0
22:19:36.837620 IP (tos 0x0, ttl 55, id 35165, offset 0, flags [DF], proto TCP (6), length 1500)
    199.119.124.46.443 > xx.xx.xx.xx.39492: Flags [.], cksum 0x25e7 (correct), seq 1449:2897, ack 359, win 122, options [nop,nop,TS val 3245623314 ecr 2233433593], length 1448
22:19:36.837723 IP (tos 0x0, ttl 64, id 2037, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xx.xx.xx.39492 > 199.119.124.46.443: Flags [.], cksum 0x4fc1 (incorrect -> 0x677f), seq 359, ack 2897, win 994, options [nop,nop,TS val 2233433637 ecr 3245623314], length 0
22:19:36.837902 IP (tos 0x0, ttl 55, id 35166, offset 0, flags [DF], proto TCP (6), length 1252)
    199.119.124.46.443 > xx.xx.xx.xx.39492: Flags [P.], cksum 0xf9a0 (correct), seq 2897:4097, ack 359, win 122, options [nop,nop,TS val 3245623314 ecr 2233433593], length 1200
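
Added example, not part of the original post: a small Python parser for `tcpdump -v` output like the traces above. It counts the SYNs sent per connection attempt, records the advertised MSS, and measures the delay until the first SYN-ACK. The sample is abridged from the theoldreader.com trace (most retransmitted SYNs omitted); the function and field names are this example's own.

```python
import re

# Header line: "22:16:37.887387 IP (tos 0x0, ...)"; packet line is indented below it.
TS = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP ")
PKT = re.compile(r"^\s+(\S+) > (\S+): Flags \[([^\]]+)\].*?\bseq (\d+)")
ACK = re.compile(r"\back (\d+)")
MSS = re.compile(r"\bmss (\d+)")

def handshake_report(text):
    """Group handshake attempts by (client, server, initial sequence number).

    Assumes the capture does not cross midnight (timestamps carry no date).
    """
    flows, now = {}, None
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            h, mi, s, us = map(int, m.groups())
            now = ((h * 60 + mi) * 60 + s) * 1_000_000 + us  # microseconds
            continue
        m = PKT.match(line)
        if not m or now is None:
            continue
        src, dst, flags, seq = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if flags == "S":  # SYN, original or retransmitted (same ISN)
            mss = MSS.search(line)
            f = flows.setdefault((src, dst, seq), {
                "client": src, "server": dst, "syns": 0, "first_us": now,
                "mss": int(mss.group(1)) if mss else None,
                "synack_after_us": None})
            if f["synack_after_us"] is None:
                f["syns"] += 1
                f["syn_span_us"] = now - f["first_us"]
        elif flags == "S.":  # SYN-ACK: acknowledges client ISN + 1
            a = ACK.search(line)
            key = (dst, src, (int(a.group(1)) - 1) % 2**32) if a else None
            f = flows.get(key)
            if f and f["synack_after_us"] is None:
                f["synack_after_us"] = now - f["first_us"]
    return list(flows.values())

# Abridged from the trace in the post; not the full capture.
SAMPLE = """\
22:16:37.887387 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xd148 (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268095203 ecr 0,sackOK,eol], length 0
22:16:38.088331 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xd081 (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268095402 ecr 0,sackOK,eol], length 0
22:16:38.114472 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x8e12 (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791845915 ecr 0,sackOK,eol], length 0
22:16:42.612942 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63403 > 199.119.124.46.443: Flags [S], cksum 0xbedc (correct), seq 4249436519, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 268099919 ecr 0,sackOK,eol], length 0
22:16:44.731778 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    xx.xx.xx.xx.63404 > 199.119.124.47.443: Flags [S], cksum 0x743d (correct), seq 1549284226, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 1791852528 ecr 0,sackOK,eol], length 0
22:16:44.774794 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    199.119.124.47.443 > xx.xx.xx.xx.63404: Flags [S.], cksum 0x202b (correct), seq 1905295632, ack 1549284227, win 14480, options [mss 1460,sackOK,TS val 3245438853 ecr 1791852528,nop,wscale 7], length 0
"""

if __name__ == "__main__":
    for f in handshake_report(SAMPLE):
        wait = f["synack_after_us"]
        state = f"SYN-ACK after {wait / 1e6:.3f}s" if wait is not None else "no SYN-ACK seen"
        print(f'{f["client"]} -> {f["server"]}: {f["syns"]} SYNs, mss {f["mss"]}, {state}')
```

Run against a full capture, this separates attempts that were never answered from those answered only after several retransmissions, which is the distinction the traces above turn on.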

I think that's the likeliest answer. Sometime in the past few days, things mysteriously started working much better (close to normal) without any configuration changes on my end.

Does your ISP happen to use PPPoE?

If so, you might try setting your router MTU to 1492, and the VPN MTU to 1412.

Or if you have IPv6, 1280.

The ISP (Spectrum/Charter in Maine) uses regular ethernet with DHCP and DHCPv6 provisioned through a cable modem.
Plus, I've already got the MTU of the WireGuard tunnel set to 1280.
The TCP SYN packets seen in the trace show MSS of 1240, so that shouldn't be the problem with why they fail coming from the tunnel through NAT, while the local opens with MSS 1460 work OK.
