WireGuard and MTU/MSS: Prevent Packet Loss on Your Linux Router
Optimize your WireGuard VPN performance by understanding and configuring MTU (Maximum Transmission Unit) and MSS (Maximum Segment Size) on your Linux router. This guide explains how to prevent packet loss when routing traffic between physical and virtual interfaces.
WireGuard is a fast and efficient VPN solution, but it introduces complexities when routing traffic between different network interfaces. This is because WireGuard encapsulates packets, increasing their size. If the encapsulated packet exceeds the MTU of any network link along its path, it gets fragmented, leading to performance issues and potential packet loss. This guide provides a clear explanation of MTU and MSS, and how to configure them correctly for optimal WireGuard performance.
What are MTU and MSS?
- MTU (Maximum Transmission Unit): The largest packet size allowed over a network connection. Exceeding the MTU causes fragmentation.
- MSS (Maximum Segment Size): The maximum amount of data in a single TCP segment. It's negotiated during the TCP handshake to ensure segments fit within the MTU.
Why are MTU and MSS Important for WireGuard?
WireGuard's encapsulation adds overhead to packets. If the resulting packet size exceeds the MTU of any link (including the tunnel itself), fragmentation occurs. This can cause:
- Reduced performance: Fragmentation and reassembly add processing overhead.
- Increased packet loss: Fragmented packets are more likely to be lost.
Calculating MTU and MSS
Physical Interface:
- MTU: Usually 1500 bytes for Ethernet.
- MSS: MTU - (TCP header size + IP header size)
  - IPv4: 1500 - (20 + 20) = 1460 bytes
  - IPv6: 1500 - (40 + 20) = 1440 bytes
Virtual Interface (WireGuard):
- MTU: Limited by the underlying protocol's MSS and WireGuard's header size.
  - MTU = underlying_mss - protocol_headers
  - IPv4 over IPv4 WireGuard: 1460 - 20 = 1440 bytes
  - IPv6 over IPv4 WireGuard: 1460 - 40 = 1420 bytes
  - IPv4 over IPv6 WireGuard: 1440 - 20 = 1420 bytes
  - IPv6 over IPv6 WireGuard: 1440 - 40 = 1400 bytes
- MSS: Calculated the same way as for physical interfaces.
  - IPv4 over IPv4 WireGuard: 1440 - (20 + 20) = 1400 bytes
  - IPv6 over IPv4 WireGuard: 1420 - (40 + 20) = 1360 bytes
  - IPv4 over IPv6 WireGuard: 1420 - (20 + 40) = 1360 bytes
  - IPv6 over IPv6 WireGuard: 1400 - (40 + 40) = 1320 bytes
MSS Clamping: Preventing Packet Loss
MSS clamping is crucial when routing between interfaces with different MTUs. The router rewrites the MSS option in TCP SYN packets leaving the smaller interface, so the endpoints agree on a segment size that fits that interface and never send segments that are too large for it.
Example:
- Physical Interface: MTU = 1500, MSS = 1460
- WireGuard Interface: MTU = 1420, MSS = 1360
Without clamping, TCP segments carrying between 1360 and 1460 bytes of payload would be accepted by the router but dropped by the receiving device.
How to Implement MSS Clamping:
Using iptables:
iptables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
iptables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
Using WireGuard Configuration:
[Interface]
...
PostUp = ip6tables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && ip6tables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
PostDown = ip6tables -D FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && ip6tables -D OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -D FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -D OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
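The MTU/MSS calculations and the clamping rules above can be tied together in one small script. The following is an added example, not code from the article or from the WireGuard project: it applies the article's formulas (TCP header 20 bytes, IPv4 header 20 bytes, IPv6 header 40 bytes) to any outer MTU, then prints the four TCPMSS rules, each guarded by the iptables -C (check) option so that running the output twice never appends duplicate rules. The function names, the device name wg0 and the sample MTU values are assumptions. It derives one MSS per address family from the interface MTU; the article's PostUp lines clamp both families to the IPv6 figure (1360), which is the same as passing that value twice to clamp_rules and is also a safe choice.

```shell
#!/bin/sh
# Added example, not part of the original article: derive MTU/MSS figures with the
# article's formulas and print idempotent MSS-clamping rules for a WireGuard device.
# Nothing here needs root; pipe the output to sh to apply it. Header sizes follow the
# article: TCP 20 bytes, IPv4 20 bytes, IPv6 40 bytes.
TCP_HDR=20

# IP header size for an address family (4 or 6).
ip_hdr() {
    if [ "$1" = 6 ]; then echo 40; else echo 20; fi
}

# MSS for a link: MTU - (TCP header + IP header).  Args: mtu family
mss_for() {
    echo $(( $1 - $TCP_HDR - $(ip_hdr "$2") ))
}

# Inner MTU of a WireGuard interface per the article: the underlying link's MSS
# minus the inner protocol's IP header.  Args: outer_mtu outer_family inner_family
wg_mtu() {
    outer_mss=$(mss_for "$1" "$2")
    echo $(( outer_mss - $(ip_hdr "$3") ))
}

# Emit the four clamping rules (FORWARD and OUTPUT, IPv4 and IPv6) for a device.
# Each "-A" is guarded by "-C" (check whether the rule already exists), so running
# the output twice, e.g. from a PostUp that fires again, never duplicates rules.
# Args: device ipv4_mss ipv6_mss
clamp_rules() {
    dev=$1; mss4=$2; mss6=$3
    for chain in FORWARD OUTPUT; do
        for fam in 4 6; do
            if [ "$fam" = 4 ]; then tool=iptables; mss=$mss4; else tool=ip6tables; mss=$mss6; fi
            rule="$chain -o $dev -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
            echo "$tool -C $rule 2>/dev/null || $tool -A $rule"
        done
    done
}

# Full plan for one device: use the smaller (IPv6-inner) MTU so both families fit
# through the tunnel, report the per-family MSS values, then print the rules.
# The interface MTU itself is set with "MTU = <value>" under [Interface] in the
# WireGuard config.  Args: device outer_mtu outer_family
plan() {
    dev=$1
    mtu=$(wg_mtu "$2" "$3" 6)
    mss4=$(mss_for "$mtu" 4)
    mss6=$(mss_for "$mtu" 6)
    echo "# $dev: MTU $mtu, IPv4 MSS $mss4, IPv6 MSS $mss6"
    clamp_rules "$dev" "$mss4" "$mss6"
}

# Usage (wg0, 1500 and 4 are constructed sample values):
#   sh mss-clamp.sh wg0 1500 4        # print the plan
#   sh mss-clamp.sh wg0 1500 4 | sh   # apply it as root
if [ "$#" -eq 3 ]; then
    plan "$1" "$2" "$3"
fi
```

Because every rule is printed in the exact form the article uses, the matching PostDown lines with -D still remove them cleanly; the -C guard only changes what happens when the rule is already present.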
Remember to replace
By understanding and correctly configuring MTU and MSS, you can ensure your WireGuard VPN performs optimally and avoids packet loss, providing a smooth and reliable network experience.