On 2025/12/20 11:45, All wrote:
> On Thursday, December 18, 2025 at 01:08:29 AM GMT+9, Stuart Henderson
> <[email protected]> wrote:
>
> > On 2025-12-17, Stéphane Guedon <[email protected]> wrote:
> >> I have set up a wg tunnel between a cloud server VM (dina) and my home
> >> network (mirror is my main router). Both run the last release of OpenBSD.
> >>
> >> Globally, it works fine. I have notably syslog messages in that tunnel.
> >>
> >> But trying to ssh into the vm is holding, I have no clue why:
> >
> > mtu blackhole.
> >
> > the endpoints are at default (1500), but the tunnel is 1420. that's ok
> > when the tunnel is directly on the endpoints as then they know not to
> > use larger packets over it, but if it's done via a router then you
> > often need to fiddle with packets to get this to work nicely.
> >
> > try this:
> >
> > match on wg0 inet proto tcp scrub (max-mss 1380)
> > match on wg0 inet6 proto tcp scrub (max-mss 1360)
>
> Sorry to jump in. Is there any advantage to doing it this way instead of
> reducing the mtu on wgX to 1200 or something? I kind of used the latter
> when faced with such issues.
if the tunnel is on a *different* device than the TCP connection endpoints: yes
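To make the arithmetic behind the thread concrete, here is an added example (not code from the thread or from OpenBSD) that derives the wg(4) tunnel MTU from the outer link MTU, shows why a 1500-byte endpoint behind a router blackholes on a 1420 tunnel, and produces the pf max-mss values Stuart quoted. The header sizes and the 32-byte WireGuard data-message overhead are my assumptions (no IP/TCP options).

```python
"""MSS clamping vs. MTU for a WireGuard tunnel in the path (added example)."""

IPV4_HDR = 20      # bytes, no options (assumed)
IPV6_HDR = 40      # bytes (assumed)
TCP_HDR = 20       # bytes, no options; MSS = payload after IP + TCP headers
UDP_HDR = 8
WG_OVERHEAD = 32   # WireGuard data message: type 4 + receiver 4 + counter 8 + tag 16 (assumed)


def ip_hdr(ipv6: bool) -> int:
    return IPV6_HDR if ipv6 else IPV4_HDR


def wg_tunnel_mtu(outer_mtu: int, outer_ipv6: bool = True) -> int:
    """Largest inner packet that fits one outer UDP datagram unfragmented.
    1500 over an IPv6 outer path gives 1420, the wg(4) default MTU."""
    return outer_mtu - ip_hdr(outer_ipv6) - UDP_HDR - WG_OVERHEAD


def advertised_mss(link_mtu: int, ipv6: bool = False) -> int:
    """MSS a TCP endpoint derives from the MTU of the route it sees."""
    return link_mtu - ip_hdr(ipv6) - TCP_HDR


def segment_fits(mss: int, tunnel_mtu: int, ipv6: bool = False) -> bool:
    """Does a full-size segment for this MSS fit through the tunnel?
    If not, DF-marked segments are dropped: the MTU blackhole."""
    return mss + ip_hdr(ipv6) + TCP_HDR <= tunnel_mtu


def mss_clamp(tunnel_mtu: int) -> dict:
    """max-mss values a router must enforce so segments fit the tunnel."""
    return {"inet": tunnel_mtu - IPV4_HDR - TCP_HDR,
            "inet6": tunnel_mtu - IPV6_HDR - TCP_HDR}


def pf_rules(iface: str, tunnel_mtu: int) -> list:
    """Render the pf(4) match rules for a router carrying the tunnel."""
    mss = mss_clamp(tunnel_mtu)
    return [f"match on {iface} inet proto tcp scrub (max-mss {mss['inet']})",
            f"match on {iface} inet6 proto tcp scrub (max-mss {mss['inet6']})"]


if __name__ == "__main__":
    tun = wg_tunnel_mtu(1500)                      # 1420
    # Endpoint on the tunnel host sees MTU 1420 and picks a fitting MSS itself.
    print("on-host endpoint fits:", segment_fits(advertised_mss(tun), tun))
    # Endpoint behind the router sees a 1500 link and advertises 1460: blackhole.
    print("behind-router endpoint fits:", segment_fits(advertised_mss(1500), tun))
    print("\n".join(pf_rules("wg0", tun)))
```

Running it with a 1492-byte PPPoE uplink instead of 1500 shows the same rules with lower clamp values, which is the case where a fixed 1200 MTU on wgX also works but wastes payload per packet.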

