Commit 54eef60

Wireguard - Reworked wireguard s2s completely & added MTU + MSS to wireguard client (opnsense#498)
* Update wireguard-client.rst - Add MTU and MSS hints
* Update wireguard-s2s.rst - Add MTU and MSS hints
* Update wireguard-s2s.rst - changed mss values
* Update wireguard-s2s.rst - Reworked How-To completely
* Update wireguard-client.rst - adjusted mss value
* Update wireguard-client.rst - Different mss values for IPv4 and IPv6
* Update wireguard-s2s.rst - Improved some aspects
* Update wireguard-client.rst - Improved some aspects

  Normalization rules should have different MSS values for either IPv4, or IPv4+IPv6. Changed the protocol back to any, since I'm unsure if selecting TCP only means IPv4 TCP, since there is also only IPv6 selectable.

* Update wireguard-s2s.rst
  - Omitted Source Port in Firewall rules
  - Added tip and note about dynamic WAN IP
* Update wireguard-s2s.rst - Terminology changes 23.7.6
  - Changed Local to Instance
  - Changed Endpoint to Peer
  - Added information about CARP vhid tracking to mitigate HA problems.
  - Added note about Keepalive for NATed sites.
1 parent d16635c commit 54eef60

2 files changed: +303 / -37 lines

source/manual/how-tos/wireguard-client.rst

Lines changed: 42 additions & 0 deletions
@@ -31,6 +31,7 @@ Step 2 - Configure the local peer (server)
3131
**Public Key** *This will initially be blank; it will be populated once the configuration is saved*
3232
**Private Key** *This will initially be blank; it will be populated once the configuration is saved*
3333
**Listen Port** *51820 or a higher numbered unique port*
34+
**MTU** *1420 (default) or 1412 if you use PPPoE; it's 80 bytes less than your WAN MTU*
3435
**Tunnel Address** *For example, 10.10.10.1/24. See note below*
3536
**Peers** *The (client) peers will be specified here; leave it blank initially until the Endpoint configuration is created in Step 3*
3637
**Disable Routes** *Unchecked*
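Review bot: The new MTU hint at 34+ states the rule "80 bytes less than your WAN MTU" but only gives the two resulting values, so the reader has to back out the assumptions (1420 + 80 = 1500, 1412 + 80 = 1492); suggest spelling them out, e.g. "1420 for a 1500-byte WAN MTU, 1412 for PPPoE with its usual 1492-byte MTU", so that someone with a different WAN MTU knows what to subtract from. It would also help to say what the 80 bytes are, namely the WireGuard encapsulation overhead over an IPv6 transport (outer IPv6 header, UDP header, WireGuard header and authentication tag); that figure is already conservative for an IPv4 transport, so the reader should not subtract more, and it is the same WireGuard MTU that the normalization rules added later in this file derive their MSS values from.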
@@ -214,7 +215,48 @@ This will involve two steps - first creating a firewall rule on the WAN interfac
214215
.. Note::
215216

216217
If you didn't assign an interface as suggested in Step 5(a), then the second firewall rule outlined above will need to be configured on the automatically created :code:`WireGuard` group that appears once the Local configuration is enabled and WireGuard is started. You will also need to manually specify the source IPs/subnet(s) for the tunnel. It's probably easiest to define an alias (via :menuselection:`Firewall --> Aliases`) for those IPs/subnet(s) and use that. If you have only one local WireGuard instance and only one WireGuard endpoint configured, you can use the default :code:`WireGuard net`, although this is generally not recommended due to unexpected behaviour
218+
219+
------------------------------------
220+
Step 6a - Create normalization rules
221+
------------------------------------
222+
223+
- Go to :menuselection:`Firewall --> Settings -> Normalization` and press **+** to create **one** new normalization rule.
224+
225+
- If you only pass IPv4 traffic through the wireguard tunnel, create the following rule:
226+
============================ ==================================================================================================
227+
**Interface** *WireGuard (Group)*
228+
**Direction** *Any*
229+
**Protocol** *any*
230+
**Source** *any*
231+
**Destination** *any*
232+
**Destination port** *any*
233+
**Description** *Wireguard MSS Clamping IPv4*
234+
**Max mss** *1380 (default) or 1372 if you use PPPoE; it's 40 bytes less than your Wireguard MTU*
235+
============================ ==================================================================================================
236+
237+
- **Save** the rule
238+
239+
- If you pass IPv4+IPv6 - or only IPv6 traffic - through the wireguard tunnel, create the following rule:
240+
============================ ==================================================================================================
241+
**Interface** *WireGuard (Group)*
242+
**Direction** *Any*
243+
**Protocol** *any*
244+
**Source** *any*
245+
**Destination** *any*
246+
**Destination port** *any*
247+
**Description** *Wireguard MSS Clamping IPv6*
248+
**Max mss** *1360 (default) or 1352 if you use PPPoE; it's 60 bytes less than your Wireguard MTU*
249+
============================ ==================================================================================================
250+
251+
- **Save** the rule
217252

253+
.. Tip::
254+
- The header size for IPv4 is usually 20 bytes, and for TCP 20 bytes. In total thats 40 bytes for IPv4 TCP.
255+
- IPv6 has a larger header size with 40 bytes. That encreases the total to 60 bytes for IPv6 TCP.
256+
257+
.. Note::
258+
By creating the normalization rules, you ensure that IPv4 TCP and IPv6 TCP can pass through the Wireguard tunnel without being fragmented. Otherwise you could get working ICMP and UDP, but some encrypted TCP sessions will refuse to work.
259+
218260
---------------------------------------
219261
Step 7 - Configure the WireGuard client
220262
---------------------------------------
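Review bot: Step 6a (223+) says "press **+** to create **one** new normalization rule" but then lists two rules, each ending in "**Save** the rule", which reads as if both should be created; suggest "create **one** of the following two rules, depending on which address families you pass through the tunnel". The Tip at 254+/255+ has two typos ("thats" should be "that's", "encreases" should be "increases"), and its point lands better if the arithmetic is tied to the MTU field from Step 2: 1420 - 40 = 1380 and 1420 - 60 = 1360 (1412 - 40 = 1372 and 1412 - 60 = 1352 for PPPoE), which makes the "bytes less than your Wireguard MTU" hints at 234+ and 248+ checkable by the reader. Since the IPv4+IPv6 rule also clamps IPv4 TCP to 1360, a short sentence that the extra 20 bytes for IPv4 are deliberate so one rule covers both families would pre-empt the obvious question. Finally, in the Note at 258+ "some encrypted TCP sessions will refuse to work" is vaguer than needed; "TCP sessions that carry large segments will stall" describes the symptom the reader will actually see.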
