mesh-vpn-wireguard: actually set the mtu from the site.conf on the wireguard interface #3258

Merged: 2 commits, Jul 1, 2024


maurerle
Member

Before, we only set the MTU on mesh-vpn (the vxlan interface), which has to be smaller than the value set on wg_mesh (the wireguard interface).

On WAN interfaces with an MTU of 1500, the default wireguard MTU of 1420 is optimal (as wireguard takes 80 bytes).
It would be better, though, for PPPoE interfaces (which typically have an MTU of 1496) to use an MTU of 1416 or less (1406 being a typical value, currently used by FFMUC, FFH and FFAC).

The documentation mentions an optimal wireguard MTU of 1376.
This would then also work on WAN interfaces with an MTU of 1436 on IPv4 and 1462 on IPv6, respectively.

This PR changes the behavior for mesh-vpn-wireguard to set the correct MTU from the site.conf.

Curiously, this never led to any known problems in any of the stated communities, and was found when debugging a fragmentation problem.

Eventually, one should also set the MTU on the wireguard gateway/supernode to something less than 1420..?

…reguard interface

before, we did only set the MTU on mesh-vpn (the vxlan interface), which has to be smaller than the set value on the wg_mesh (wireguard interface)
github-actions bot added the labels "3. topic: package" and "3. topic: wireguard" on May 12, 2024
@neocturne
Member

neocturne commented Jun 11, 2024

We discussed this issue today, and found that the MTU in site.conf should always be applied to mesh-vpn, as it already is for all VPN providers; changing this would make the VPN handling less consistent. The MTU of the Wireguard interface should be active_vpn.mtu() + 70 to account for the VXLAN overhead.

Unfortunately, the documentation is wrong and adds the 70 bytes at a different point than what Gluon does, but this must be fixed in the docs, not in the code.
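
The MTU budget discussed in this thread, as an added example that is not part of the PR or of Gluon's code: it derives the wireguard MTU from the site.conf MTU with the +70 rule stated above and checks whether a WAN link carries the result unfragmented. The 60/80-byte WireGuard overheads are the standard IPv4/IPv6 figures; the function names and the sample MTUs (site 1350, WAN 1496) are constructed for illustration.

```shell
#!/bin/sh
# MTU budget for mesh-vpn-wireguard: VXLAN (mesh-vpn) inside WireGuard (wg_mesh).
# All values are in bytes. Function names are hypothetical, not Gluon's.
VXLAN_OVERHEAD=70   # from the thread: wireguard MTU = site.conf MTU + 70
WG_OVERHEAD_V4=60   # 20 IPv4 + 8 UDP + 32 WireGuard
WG_OVERHEAD_V6=80   # 40 IPv6 + 8 UDP + 32 WireGuard

# wg_mtu SITE_MTU -> MTU the wireguard interface needs
wg_mtu() {
	echo $(( $1 + VXLAN_OVERHEAD ))
}

# min_wan_mtu SITE_MTU FAMILY(4|6) -> smallest WAN MTU that avoids fragmentation
min_wan_mtu() {
	case "$2" in
		4) echo $(( $(wg_mtu "$1") + WG_OVERHEAD_V4 )) ;;
		6) echo $(( $(wg_mtu "$1") + WG_OVERHEAD_V6 )) ;;
		*) echo "family must be 4 or 6" >&2; return 2 ;;
	esac
}

# check_budget SITE_MTU WAN_MTU -> one verdict line per outer address family
check_budget() {
	for fam in 4 6; do
		need=$(min_wan_mtu "$1" "$fam")
		if [ "$need" -le "$2" ]; then
			echo "ipv$fam ok need=$need wan=$2"
		else
			echo "ipv$fam fragments need=$need wan=$2 over=$(( need - $2 ))"
		fi
	done
}

# Constructed sample: site.conf MTU 1350 over a WAN link with MTU 1496.
check_budget 1350 1496
```

On a node, the value actually applied can be compared against `wg_mtu` with `ip link show wg_mesh`.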

maurerle added a commit to ffac/site that referenced this pull request Jun 12, 2024
…mesh-vpn-wireguard

Co-authored-by: Matthias Schiffer <mschiffer@universe-factory.net>
@maurerle
Member Author

maurerle commented Jul 1, 2024

Thanks for taking care of this! @blocktrron

@blocktrron blocktrron merged commit 9cdd8d5 into freifunk-gluon:main Jul 1, 2024
9 checks passed
@blocktrron
Member

@maurerle Can you provide a short explanation for the release notes of an upcoming release?

@maurerle
Member Author

maurerle commented Jul 1, 2024

I'd suggest something like this:
* Fixed setting MTU on vxlan interface correctly when using mesh-vpn-wireguard-vxlan (https://github.com/freifunk-gluon/gluon/pull/3258)

@maurerle maurerle deleted the fix_wireguard_mtu branch July 1, 2024 21:27
@neocturne
Member

As the MTU was previously not set at all for wireguard, I don't think the 70 need to be mentioned anywhere.

We still need to fix the MTU doc page though.

@blocktrron
Member

Ah, thanks for the explanation, I misread the previous comments.
