Wireguard MSS issue

Hi,
Pritunl server: v1.32.3732.84 c5d79a | wireguard 1.0.20200513-1~18.04.2
Pritunl client: MacOS v1.3.3785.81 | wireguard-tools 1.0.20210914_1
Problem: MSS fix doesn’t work for Wireguard connections resulting in random sites being inaccessible.
Connection MTU: 1280 (setting a lower value results in "[winter-plains-2389] 2024-02-07 10:22:39 ERROR Management socket exception", an error that prevents the server from starting)

Client-side packet capture while connected with OpenVPN:

No.     Time           Source                Destination           Protocol Length Total Length Version    Info
      1 0.000000       172.20.0.4            3.68.175.98           TCP      68     64                      53425 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=1881480190 TSecr=0 SACK_PERM
      2 0.070784       3.68.175.98           172.20.0.4            TCP      64     60                      443 → 53425 [SYN, ACK] Seq=0 Ack=1 Win=32200 Len=0 MSS=1190 SACK_PERM TSval=4179559107 TSecr=1881480190 WS=4096
      3 0.070968       172.20.0.4            3.68.175.98           TCP      56     52                      53425 → 443 [ACK] Seq=1 Ack=1 Win=131904 Len=0 TSval=1881480261 TSecr=4179559107
      4 0.073844       172.20.0.4            3.68.175.98           TLSv1.3  388    384          TLS 1.0    Client Hello (SNI=3.68.175.98)
      5 0.142993       3.68.175.98           172.20.0.4            TCP      56     52                      443 → 53425 [ACK] Seq=1 Ack=333 Win=32768 Len=0 TSval=4179559178 TSecr=1881480264
      6 0.143120       3.68.175.98           172.20.0.4            TLSv1.3  1234   1230         TLS 1.2,TLS 1.2 Server Hello, Change Cipher Spec
      7 0.143278       172.20.0.4            3.68.175.98           TCP      56     52                      53425 → 443 [ACK] Seq=333 Ack=1179 Win=130752 Len=0 TSval=1881480333 TSecr=4179559179
      8 0.150327       3.68.175.98           172.20.0.4            TCP      1234   1230                    443 → 53425 [PSH, ACK] Seq=1179 Ack=333 Win=32768 Len=1178 TSval=4179559179 TSecr=1881480264 [TCP segment of a reassembled PDU]
      9 0.150564       3.68.175.98           172.20.0.4            TCP      1234   1230                    443 → 53425 [ACK] Seq=2357 Ack=333 Win=32768 Len=1178 TSval=4179559179 TSecr=1881480264 [TCP segment of a reassembled PDU]
     10 0.150624       3.68.175.98           172.20.0.4            TLSv1.3  972    968          TLS 1.2    Application Data

Client-side packet capture while connected with Wireguard:

No.     Time           Source                Destination          Protocol Length Total Length Version    Info
     94 70.808145      172.20.24.4           3.68.175.98          TCP      68     64                       53465 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 WS=64 TSval=2192964412 TSecr=0 SACK_PERM
     95 70.849315      3.68.175.98           172.20.24.4          TCP      64     60                      443 → 53465 [SYN, ACK] Seq=0 Ack=1 Win=32200 Len=0 MSS=1300 SACK_PERM TSval=468270415 TSecr=2192964412 WS=4096
     96 70.849405      172.20.24.4           3.68.175.98          TCP      56     52                       53465 → 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSval=2192964454 TSecr=468270415
     97 70.853667      172.20.24.4           3.68.175.98          TLSv1    388    384          TLS 1.0     Client Hello (SNI=3.68.175.98)
     98 70.913961      3.68.175.98           172.20.24.4          TCP      56     52                      443 → 53465 [ACK] Seq=1 Ack=333 Win=32768 Len=0 TSval=468270459 TSecr=2192964457
     99 70.985517      3.68.175.98           172.20.24.4          SSL      642    638                     [TCP Previous segment not captured] , Continuation Data
    100 70.985697      172.20.24.4           3.68.175.98          TCP      68     64                       [TCP Dup ACK 96#1] 53465 → 443 [ACK] Seq=333 Ack=1 Win=131328 Len=0 TSval=2192964590 TSecr=468270459 SLE=3865 SRE=4451
    253 73.324809      172.20.24.4           3.68.175.98          TCP      44     40                       53465 → 443 [RST, ACK] Seq=333 Ack=1 Win=131328 Len=0

If the option in the server settings is labeled MSS Fix, that is an older release that does not support setting the WireGuard MTU. This should work in newer releases. Run sudo ip a and check the MTU of the WireGuard adapters on the server.

It is Connection MTU

wg25: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1280
inet 172.20.24.1  netmask 255.255.252.0  destination 172.20.24.1

I have fixed this issue; it will be included in the next Pritunl and Pritunl Client update. Currently the MTU is only set on the server interface. sudo networksetup -setMTU <wg_interface_name> <mtu> can be run on the client to set the MTU on the client side.

Hi,
Is it fixed in v1.32.3805.31? Would be nice to have a more detailed release notes section in github 🙂

The server update only includes the MTU in the WireGuard connection data, the client update that isn’t released yet will be needed to apply the MTU.

Why is the client update required if MSS fix is applied on a transit network device (VPN) ?

It needs to be sent to the client by the server and then configured on the client. The client should automatically detect the lower MTU but it appears it also needs to be configured on the client.

I’m still unclear about the explanation; MTU is a different thing.
MSS is negotiated between client and server at the lowest value during the TCP handshake.
Pritunl, being an intermediate device in the network flow, will need to override the MSS in the TCP SYN packet, and the server will either honour it or provide an even lower value.

Once the MTU is configured on the client, the MSS will be correctly calculated.
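The two mechanisms discussed in the last replies (an intermediate device clamping the MSS in the SYN, and the client deriving its own MSS from a correctly configured interface MTU) are shown below in working code. This is an added example, not Pritunl or WireGuard code. The SYN packet it builds is constructed to mirror the WireGuard capture above: the client advertises MSS 1380 (the WireGuard default MTU of 1420 minus 40 bytes of IPv4 and TCP headers) and the packet then has to be forwarded out an interface whose MTU is 1280, as wg25 is on the server. The addresses, ports and option layout are assumptions chosen for the demo.

```python
"""MSS clamping of a TCP SYN by a transit device, plus the MTU -> MSS arithmetic.

Added example (not Pritunl/WireGuard code). Only IPv4 with a minimal header is
handled; the SYN is built here rather than taken from a capture.
"""
import struct

IPV4_TCP_OVERHEAD = 20 + 20   # minimal IPv4 header + minimal TCP header
IPV6_TCP_OVERHEAD = 40 + 20   # IPv6 header + minimal TCP header


def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """Largest TCP payload that fits unfragmented in one packet on a link with this MTU.
    This is what a host's TCP stack advertises once its interface MTU is set (1280 -> 1240)."""
    return mtu - (IPV6_TCP_OVERHEAD if ipv6 else IPV4_TCP_OVERHEAD)


def _inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum of a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment (checksum field zeroed)."""
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return _inet_checksum(pseudo + zeroed)


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Construct an IPv4 TCP SYN whose only option is MSS (constructed test input)."""
    options = struct.pack("!BBH", 2, 4, mss)                       # kind=2, len=4, value
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(_ip(src), _ip(dst), tcp)) + tcp[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                         _ip(src), _ip(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp


def _find_mss_offset(tcp: bytes):
    """Offset of the 2-byte MSS value inside the TCP header, or None if there is no MSS option."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                     # malformed option: stop rather than loop forever
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def get_mss(packet: bytes):
    """MSS advertised in an IPv4/TCP packet, or None if the option is absent."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _find_mss_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the TCP checksum matches the segment and the IPs in the IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return _tcp_checksum(packet[12:16], packet[16:20], tcp) == struct.unpack("!H", tcp[16:18])[0]


def clamp_mss(packet: bytes, egress_mtu: int) -> bytes:
    """What the transit device does: lower the SYN's MSS so a full segment fits the
    egress MTU, and fix the TCP checksum. Non-SYN, non-TCP and already-small packets
    pass through unchanged."""
    if packet[0] >> 4 != 4 or packet[9] != 6:      # not IPv4 carrying TCP
        return packet
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                         # SYN flag not set
        return packet
    off = _find_mss_offset(tcp)
    if off is None:
        return packet
    limit = mss_for_mtu(egress_mtu)
    if struct.unpack("!H", tcp[off:off + 2])[0] <= limit:
        return packet
    tcp[off:off + 2] = struct.pack("!H", limit)
    tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("172.20.24.4", "3.68.175.98", 53465, 443, mss_for_mtu(1420))
    clamped = clamp_mss(syn, 1280)
    print(get_mss(syn), "->", get_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

Run stand-alone it rewrites the client's MSS 1380 to 1240, which is the value the remote site would need to see so that its segments never exceed the 1280-byte wg interface MTU. On a Linux transit host this rewrite is normally done by netfilter rather than in user space, with a rule of the form iptables -t mangle -A FORWARD -o wg25 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu (or --set-mss 1240); whether Pritunl installs such a rule for WireGuard is not stated in this thread. The client-side fix from the last reply corresponds to mss_for_mtu(1280) == 1240: once the client's WireGuard interface MTU is 1280, its own TCP stack advertises 1240 in the SYN and no clamping in transit is needed.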