MTU discovery problem when using wireguard (wg)

I recently tried WireGuard instead of OpenVPN.
One of my configs is like this:

computer in home network <=> home server <=wg=> internet <=wg=> my server <=> local services and internet

WireGuard itself works fine. When I do anything from the home server it is OK.
When I connect from a computer in the home network there are problems.
Websites finally load, but with large delays.
ftp ftp.freebsd.org stalls completely when trying to download a file.

IMHO that's because there are some problems in TCP MSS discovery, as the wg interface has an MTU of 1420, not 1500.
How can I diagnose where the problem is?
 
PMTU discovery problems tend to be due to a router or server along the way doing a drop on all ICMP. You need to allow at least Time Exceeded, Parameter Problem, and Unreachable.
 
PMTU discovery uses the do not fragment bit in the TCP header. A router will return ICMP needfrag if a packet is too big. Unfortunately too many sites take M$'s advice to block all ICMP (there is some history to M$'s recommendation). This causes unresponsiveness, a black hole, which is why PMTU black hole discovery has been built into most kernels today.

The reason for M$'s recommendation at the time was due to the Windows 95 ping of death. M$ patched the bug and it no longer exists in current Windows implementations but many sites still block all ICMP out of habit.
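One way to approach the diagnosis asked about above, as an added example that is not part of the original thread: a binary search for the largest ICMP echo that crosses the path with the don't-fragment flag set. The function names (probe, path_mtu, expected_mss) are hypothetical, 192.0.2.1 is a placeholder address, and the script assumes IPv4 and a target that answers ICMP echo.

```shell
#!/bin/sh
# Added example: measure the usable IPv4 path MTU with DF-marked pings.
# usage (after sourcing this file):  path_mtu 192.0.2.1

# probe HOST PAYLOAD: succeeds if one DF-marked echo with PAYLOAD data
# bytes gets a reply. This is the only OS-specific part.
probe() {
    case "$(uname -s)" in
        FreeBSD|Darwin) ping -D -c 1 -t 2 -s "$2" "$1" >/dev/null 2>&1 ;;
        *)              ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1 ;;
    esac
}

# path_mtu HOST [LO] [HI]: prints the largest IPv4 packet size that passes.
# Bounds are ICMP payload sizes; defaults correspond to 576 and 1500 bytes.
path_mtu() {
    host=$1 lo=${2:-548} hi=${3:-1472}
    probe "$host" "$lo" || {
        echo "no reply even at $((lo + 28)) bytes, check basic reachability" >&2
        return 1
    }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid              # this size passed, search larger
        else
            hi=$((mid - 1))      # dropped or rejected, search smaller
        fi
    done
    echo $((lo + 28))            # payload + 8 (ICMP) + 20 (IPv4 header)
}

# expected_mss MTU: TCP MSS that fits MTU on IPv4 (20 IP + 20 TCP header bytes).
expected_mss() {
    echo $(( $1 - 40 ))
}
```

Run path_mtu from the computer in the home network against a host behind the tunnel and compare the result with the 1420 of the wg interface. If sizes above the result time out silently instead of ping reporting that fragmentation is needed, the ICMP replies described in the answers above are being dropped somewhere on the path.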
 