
Leaderboard


Popular Content

Showing content with the highest reputation on 09/23/22 in all areas

  1. 1 point
    As OPNsense and pfSense are/were pretty much the same, I am also interested in this!

    Looking at pictures of the pfSense WireGuard user interface (VPN --> WireGuard --> Tunnel Configuration), it seems that there is no field which would allow setting an MTU or MSS value for the tunnel. It looks like you only have the option to set the MTU (and MSS) value in the pfSense interface section.

    However, on OPNsense there is an extra field (VPN --> WireGuard --> Local --> "Tunnelname") to set the MTU value directly in the WireGuard config, but also no field for the MSS value. In the OPNsense interface section it is also of course possible to define the MTU (and MSS) value. The interface section also overwrites any setting configured in the WireGuard tunnel configuration.

    Also, reading through this tutorial and the linked reddit thread, it seems that it is best to just set these values in the interface section of OPNsense/pfSense and not in the tunnel configuration. I will try this out and report back here.

    Update

    It is best to declare the MTU value at the interface configuration and also in the tunnel configuration. The latter is necessary because each reload of the interface configuration and each reload of the WireGuard package will reapply the MTU value to the interface.

    Setting MTU=1420 and MSS=1420 in the interface configuration of the interface assigned to the WireGuard tunnel, and also MTU=1420 in the tunnel configuration, resolved both the speed and SSL issues.

    Note

    I personally have to use MTU=1412 since my WAN requires the use of PPPoE, which adds another 8 bytes of overhead that need to be subtracted from the theoretical maximum MTU=1420.

    WireGuard MTU for PPPoE = 1420 - 8 = 1412

    Details see here: https://lists.zx2c4.com/pipermail/wireguard/2017-December/002201.html

    Note

    Setting the MSS value the same as the MTU value is specific to OPNsense and pfSense! Both firewalls automatically reduce the value entered in the MSS field by 40 bytes. On other systems the MSS value has to be entered 40 bytes lower than the MTU value.

    OPNsense / pfSense: MTU entered = actual MTU applied to the interface
    OPNsense / pfSense: MSS entered = MSS entered - 40 bytes = actual MSS applied to the interface

    Update 2

    The official OPNsense docs now display the correct way of handling MTU/MSS with WireGuard.
    https://docs.opnsense.org/manual/how-tos/wireguard-client.html
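
The arithmetic behind the values in the post above, as an added example (not part of the original post and not OPNsense/pfSense code): it derives 1420 from the per-packet overhead of a WireGuard data message carried over an IPv6 outer header, applies the 8-byte PPPoE deduction, and returns the MSS value to enter given that OPNsense/pfSense subtract 40 bytes from the MSS field. Function names are hypothetical, and the MSS part assumes IPv4 TCP inside the tunnel, matching the 40 bytes in the post.

```python
# Added example. Sizes in bytes; names below are illustrative, not a real API.
OUTER_IP = {"ipv4": 20, "ipv6": 40}  # outer IP header that carries the tunnel
UDP_HEADER = 8
WG_DATA_HEADER = 16   # message type (4) + receiver index (4) + counter (8)
WG_AUTH_TAG = 16      # Poly1305 authentication tag
PPPOE_OVERHEAD = 8    # value given in the post
INNER_IPV4_TCP = 40   # inner IPv4 header (20) + TCP header (20)


def wireguard_mtu(link_mtu=1500, outer="ipv6", pppoe=False):
    """Largest inner packet that fits in one unfragmented outer packet.

    The default outer="ipv6" is the worst case and yields the usual 1420.
    """
    if outer not in OUTER_IP:
        raise ValueError("outer must be 'ipv4' or 'ipv6'")
    uplink = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    mtu = uplink - OUTER_IP[outer] - UDP_HEADER - WG_DATA_HEADER - WG_AUTH_TAG
    if mtu <= INNER_IPV4_TCP:
        raise ValueError("link MTU too small to carry a TCP segment")
    return mtu


def mss_settings(tunnel_mtu):
    """MSS to configure for IPv4 TCP inside the tunnel.

    OPNsense/pfSense subtract 40 from the field themselves (per the post),
    so the field takes the MTU; elsewhere the effective MSS is entered.
    """
    effective = tunnel_mtu - INNER_IPV4_TCP
    return {
        "effective_mss": effective,
        "opnsense_pfsense_mss_field": effective + 40,
        "other_systems_mss": effective,
    }


if __name__ == "__main__":
    for label, kwargs in [("Ethernet WAN", {}), ("PPPoE WAN", {"pppoe": True})]:
        mtu = wireguard_mtu(**kwargs)
        print(label, "MTU", mtu, mss_settings(mtu))
```
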
  2. 1 point
    Using Wireguard, the logs should be in the journal.

    # journalctl -k --grep wireguard