angelnu/pod-gateway

MTU mismatch wireguard

Closed this issue · 3 comments


TLS requests from a VPN subclient (like Qbittorrent) will fail 9 times out of 10 for WireGuard users.
curl -v --connect-timeout 10 https://github.com/angelnu/pod-gateway/blob/main/README.md

Because the default MTU on the wg0 interface is 1420, but the default MTU for vxlan is (eth0 MTU - 50).

So for the most common setups, which use an MTU of 1500 (I use native routing with Cilium, but I don't know if using a vxlan overlay with the Kubernetes CNI reduces the eth0 container MTU too; need to confirm), vxlan0 is set to 50 bytes less, so 1450.

When a subclient makes a TLS request, the MTU is set to 1450 because the default route is vxlan0. When the packet arrives at pod-gateway it needs to be fragmented to be able to go through the wg0 interface, which has an MTU of 1420, BUT TLS packets cannot be fragmented on the way.

Additional Information:

Kubernetes 1.26.5
Cilium 1.13.4 native routing
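The MTU chain described above (subclient -> vxlan0 -> gateway -> wg0), as an added example in POSIX sh that is not pod-gateway's own code: it derives the default vxlan MTU from the underlay MTU, checks whether the subclient-facing MTU fits inside the tunnel MTU, and prints the two remediations (shrink vxlan0, clamp TCP MSS on wg0). The interface names vxlan0/wg0 and the 50-byte VXLAN overhead are taken from this thread; the function names are my own and the MSS arithmetic assumes IPv4 with no TCP options.

```shell
#!/bin/sh
# Added example, not pod-gateway's own code. Checks the MTU chain
# subclient -> vxlan0 -> (gateway) -> wg0 that this issue describes.
# Interface names (vxlan0, wg0) and the 50-byte VXLAN overhead come from
# the thread; function names are assumptions for illustration.

VXLAN_OVERHEAD=50   # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 bytes

# Default vxlan MTU the kernel derives from the underlay (eth0) MTU.
vxlan_mtu_from_eth() {
  echo $(( $1 - VXLAN_OVERHEAD ))
}

# Largest TCP payload (MSS) that fits in one IPv4 packet of the given MTU:
# MTU minus a 20-byte IPv4 header and a 20-byte TCP header (no options).
mss_for_mtu() {
  echo $(( $1 - 40 ))
}

# Compare the subclient-facing MTU with the tunnel MTU.
# Prints "ok" when every packet a subclient can send fits through wg0
# without fragmentation, otherwise "mismatch <recommended vxlan mtu>".
check_path() {
  vxlan_mtu=$1
  wg_mtu=$2
  if [ "$vxlan_mtu" -le "$wg_mtu" ]; then
    echo ok
  else
    echo "mismatch $wg_mtu"
  fi
}

# Emit (do not run) the two remediations: shrink vxlan0 to the tunnel MTU,
# and clamp TCP MSS on SYNs leaving wg0 so peers never negotiate a segment
# size that would need fragmenting even if PMTUD ICMP is lost.
remediation_commands() {
  wg_mtu=$1
  echo "ip link set dev vxlan0 mtu $wg_mtu"
  echo "iptables -t mangle -A FORWARD -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Read the live MTUs from sysfs inside the gateway pod and report.
live_check() {
  v=$(cat /sys/class/net/vxlan0/mtu) || return 1
  w=$(cat /sys/class/net/wg0/mtu) || return 1
  check_path "$v" "$w"
}
```

With the values from this issue, `check_path 1450 1420` reports a mismatch and recommends 1420 for vxlan0; with the 1450/1400 pair posted later in the thread the gap is 50 bytes and the same check fails. Run `live_check` inside the gateway pod to test the real interfaces.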

I'm guessing this is related to the snippet below:

qbittorrent:/$ curl -v --connect-timeout 10 https://github.com/angelnu/pod-gateway/blob/main/README.md

* processing: https://github.com/angelnu/pod-gateway/blob/main/README.md
*   Trying 140.82.112.4:443...
* Connected to github.com (140.82.112.4) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* SSL connection timeout
* Closing connection
curl: (28) SSL connection timeout

If I leave it hanging, it just ends up saying client reset.

I noticed this recently after switching to a wg provider from OpenVPN.

This is the netshoot container; it sets the MTU properly, 1450 and 1400:

2: vxlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 1a:0c:3b:ca:cd:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.242.1/24 scope global vxlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::180c:3bff:feca:cd10/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default
    link/none
    inet 10.14.0.2/16 brd 10.14.255.255 scope global wg0
       valid_lft forever preferred_lft forever

Is the PR valid considering the netshoot container is showing 1450/1400?

Hi @samos667 - can we close this as your PR is merged?

For sure!