ANSWERED wireguard (console) - some sites not responding

[muelli 2]

Hi everyone,

I was playing around with wireguard from the console today and got some strange error.
Some websites are not responding in full or partially not responding., others work flawlessly
Example: www.speedtest.net partially responding, www.reddit.com timeout no server response
DNS is working though.....

I tried adjusting MTU (lowered, raised) same result.
Any ideas what to try?

btw: using wg-quick up/down to establish/destroy the tunnel, so no dedicated client.


edit: to clarify, when using openvpn everything works as expected

[SurprisedItWorks 48]

The lowest MTU acceptable to wireguard is 1280. Try that. Too high an MTU will freeze everything or, in some cases, make things erratic. If MTU = 1280 doesn't solve things, your problems are elsewhere. If MTU = 1280 fixes things, try raising it from there to gain a little efficiency. Many systems will work at MTU = 1420 but not higher.  But there is no substitute for a little experimentation.  Note that the maximum usable MTU value may occasionally vary with the server chosen, as it depends on the network between you and the server. 

[go558a83nk 352]

It seems that setting the mss and mtu for wireguard to the same value is the trick for many people

[muelli 2]

neither MTU setting fixes things. It seems the problems lie within the TLS handshake on certain websites.

I debugged this a little further....
to give some perspective, I am running the wireguard tunnel with default MTU 1420 on my router. Browsing from the router with firefox etc works!
The problem starts when using machines that NAT via the tunnel, so I guess this really is a MTU problem.
Havent found a MSS setting so far.....but neither MTU settings work.
 

edit: lowering MTU on the machines behind the NAT fixes the problem. thanks everyone!