pembrokeVPN 1 Posted ...

My current setup is pfSense Plus 23.09.01, with a VLAN exiting all traffic via AirVPN. This works fine. The VPN traffic exits via a gateway group. When that gateway group has OpenVPN servers I can reach the site; when it's WireGuard servers the browser says the connection has timed out. Furthermore, I use Firefox with Duck Duck Go as the search engine, and this fails to resolve any websites over WireGuard (when I use Google, no problem). Over OpenVPN I don't have any problems. Tried Brave browser, same result. I checked the route on the AirVPN site, it was OK! Again, the only thing I have changed was the protocol.

Site: https://oysta.co/account/login
OpenVPN servers: Alathfar, Kital
WireGuard servers: Betelgeuse, Alshain
ISP: Virgin Media

Any insight? I'm not even sure how to troubleshoot this; nothing in the pfSense logs jumps out at me.

ss11 15 Posted ...

Please try both WireGuard AND OpenVPN with THE SAME AirVPN server using the same entry protocol (IPv6 or IPv4) in order to be sure it's a protocol / VPN type problem. Chances are very small for this to happen IMO; try with exactly the same AirVPN server on both VPN types and get back.

pembrokeVPN 1 Posted ...

So I have now tried the same OpenVPN servers on WireGuard. Alathfar and Kital both failed to resolve the website over WireGuard on IPv4. Now I actually see on AirVPN that my connected sessions haven't reverted back to Betelgeuse and Alshain for some reason. As I'm running pfSense I just reverted back to my previous state. Any other ideas to try?

pembrokeVPN 1 Posted ...

After setting up WireGuard again in pfSense on some different servers, I was able to reproduce the site timing out. Previously the MTU was set at 1320, but now I set the MSS to 1280 on the interface and, hey presto, the site was able to render. Duck Duck Go could also be used as a search engine. Evidently I need to better understand what the MTU and MSS actually do.

Staff 9971 Posted ...

Hello!

MTU is critical in layer 3 VPN connections. If the MTU exceeds the frame size in your network, packets don't fit and must be re-transmitted. You will see this only when the packet to be wrapped is too big. Therefore, with some web sites or services packets should be re-transmitted forever and the site will never load. With other services you might notice nothing wrong. WireGuard IPv4 link MTU default settings (from 1360 to 1420 bytes) may be too big for some networks and apparently that was the cause of the problem you experienced. MTU should be set to the maximum possible working value beyond which problems start to appear, as larger MTU may allow higher performance.

See also

Kind regards
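
One way to find the "maximum possible working value" described in the thread, as an added example that is not part of the original posts or AirVPN's own tooling: a binary search with Don't Fragment pings against the VPN server's entry address over the plain connection, from which a WireGuard MTU and a TCP MSS are derived. The function names and the 1200 to 1472 search range are assumptions, and the header arithmetic is for IPv4.

```shell
#!/bin/sh
# Added example: find the largest unfragmented packet the underlying path
# carries, then derive a WireGuard MTU and TCP MSS from it.

# Default probe: one ICMP echo with Don't Fragment set and $2 payload bytes.
# Flags differ per OS: FreeBSD/pfSense uses -D, Linux uses -M do.
ping_probe() {
    case "$(uname -s)" in
        FreeBSD) ping -D -c 1 -t 2 -s "$2" "$1" >/dev/null 2>&1 ;;
        *)       ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1 ;;
    esac
}

# largest_payload PROBE HOST LO HI
# Binary search for the largest payload in [LO, HI] for which PROBE succeeds.
# Prints 0 and returns 1 if even LO fails (host unreachable or ICMP filtered).
largest_payload() {
    probe=$1 host=$2 lo=$3 hi=$4
    "$probe" "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# ICMP payload + 8 (ICMP header) + 20 (IPv4 header) = path MTU.
path_mtu() { echo $(( $1 + 28 )); }
# WireGuard over IPv4 adds 20 (IPv4) + 8 (UDP) + 32 (WireGuard) = 60 bytes
# (80 bytes when the outer packet is IPv6).
wg_mtu()   { echo $(( $1 - 60 )); }
# TCP over IPv4 inside the tunnel: MTU - 20 (IPv4) - 20 (TCP).
tcp_mss()  { echo $(( $1 - 40 )); }

# Usage: sh this-script <vpn-server-entry-ip>
if [ -n "${1:-}" ]; then
    p=$(largest_payload ping_probe "$1" 1200 1472) || { echo "no reply" >&2; exit 1; }
    m=$(path_mtu "$p"); w=$(wg_mtu "$m")
    echo "path MTU $m, WireGuard MTU <= $w, TCP MSS <= $(tcp_mss "$w")"
fi
```

A result of 0 means the smallest probe got no reply, which usually points to filtered ICMP rather than an MTU limit.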