MTU Problems - unreachable - need to frag
I have the following setup with two edgerouters X (basically one uses the other as a VPN to show a different IP location):
ERX #1 WG (Masqueraded) -> ERX #1 PPPoE (MTU 1492) -> ADSL modem ----- internet ----- -> ERX #2 WG -> Masqueraded outbound -> internet -------=>
Some website's TLS server seems to have a problem where somewhere in the protocol it tries to send an ICMP packet where the do-not-frag bit is set, resulting in the following:
(This error appears on tcpdump, on ERX #2 that is trying to contact the server, in this case hertz.com over HTTPS: curl -L https://hertz.com)
16:59:48.820853 ethertype IPv4, IP 1-2-3-4.myISP.net > 45.60.31.5: ICMP 1-2-3-4.myISP.net unreachable - need to frag (mtu 1420), length 556
I am trying to figure out how to fix this or is this a problem with WireGuard on ERX?
For reference I found this article, of a gentleman encountering the same problem, only he isn't using EdgeRouter https://keremerkan.net/posts/wireguard-mtu-fixes/
Any ideas will be appreciated
I don't know if this is the correct "solution", but following the logic from that article and digging some more, setting the MTU on the ERX #2 ("the server") to 1412 and then using the MSS clamping option in firewall options and setting it to 1372 solves the problem for my clients on the ERX #1 network.
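For readers wondering where 1412 and 1372 come from, here is a small worked example (added for this thread, not the poster's configuration or anything from EdgeOS/WireGuard itself) that does the overhead arithmetic and parses tcpdump "need to frag" lines like the one quoted above. The encapsulation overheads (PPPoE 8 bytes, WireGuard over IPv4 60 bytes, over IPv6 80 bytes, IPv4+TCP headers 40 bytes) are standard textbook values and are assumed, not stated in the post; the second and third capture lines are constructed samples, and the 203.0.113.7 address is a documentation-range placeholder.

```python
import re

# Standard encapsulation overheads in bytes (assumed textbook values, not from the post).
PPPOE_OVERHEAD = 8       # PPPoE (6) + PPP (2): a 1500-byte Ethernet payload leaves a 1492-byte IP MTU
WG_OVERHEAD_V4 = 60      # IPv4 (20) + UDP (8) + WireGuard data header (16) + Poly1305 tag (16)
WG_OVERHEAD_V6 = 80      # IPv6 (40) + UDP (8) + WireGuard data header (16) + Poly1305 tag (16)
TCP_IPV4_HEADERS = 40    # IPv4 (20) + TCP (20) with no options: turns an MTU into an MSS


def tunnel_mtu(underlay_mtu, overhead=WG_OVERHEAD_V6):
    """Largest inner IP packet that fits one encapsulated WireGuard datagram.

    Budgeting for the IPv6 overhead (80) is the conservative choice WireGuard's
    own default reflects (1500 - 80 = 1420); on a 1492-byte PPPoE link the same
    margin gives 1412, the value the poster settled on.
    """
    return underlay_mtu - overhead


def mss_clamp(link_mtu):
    """TCP MSS that keeps every full-size segment within link_mtu (1412 -> 1372)."""
    return link_mtu - TCP_IPV4_HEADERS


# Matches a tcpdump ICMP type 3 / code 4 line: "IP <reporter> > <target>: ICMP ... need to frag (mtu N)"
NEED_FRAG_RE = re.compile(
    r"IP (?P<reporter>\S+) > (?P<target>[^\s:]+): ICMP \S+ unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)


def parse_need_to_frag(line):
    """Return (reporter, target, advertised_mtu) for a 'need to frag' line, else None."""
    m = NEED_FRAG_RE.search(line)
    if not m:
        return None
    return m.group("reporter"), m.group("target"), int(m.group("mtu"))


def check_plan(underlay_mtu, capture_lines):
    """Derive the tunnel MTU and MSS clamp for an underlay MTU, then flag any
    captured 'need to frag' whose advertised path MTU is still below that plan."""
    mtu = tunnel_mtu(underlay_mtu)
    mss = mss_clamp(mtu)
    below_plan = []
    for line in capture_lines:
        parsed = parse_need_to_frag(line)
        if parsed and parsed[2] < mtu:
            below_plan.append(parsed)
    return {"tunnel_mtu": mtu, "mss_clamp": mss, "below_plan": below_plan}


# First line is the one quoted in the post; the other two are constructed samples.
SAMPLE_CAPTURE = [
    "16:59:48.820853 ethertype IPv4, IP 1-2-3-4.myISP.net > 45.60.31.5: ICMP 1-2-3-4.myISP.net "
    "unreachable - need to frag (mtu 1420), length 556",
    "16:59:49.101200 ethertype IPv4, IP 1-2-3-4.myISP.net > 203.0.113.7: ICMP 1-2-3-4.myISP.net "
    "unreachable - need to frag (mtu 1400), length 556",
    "16:59:50.000000 ethertype IPv4, IP 10.0.0.2.443 > 10.0.0.9.51234: Flags [S.], seq 0, ack 1, win 65535",
]


if __name__ == "__main__":
    pppoe_mtu = 1500 - PPPOE_OVERHEAD          # 1492, as on ERX #1's PPPoE link
    result = check_plan(pppoe_mtu, SAMPLE_CAPTURE)
    print(f"WireGuard MTU: {result['tunnel_mtu']}, MSS clamp: {result['mss_clamp']}")
    for reporter, target, mtu in result["below_plan"]:
        print(f"path to {target} advertised mtu {mtu}, still below the plan")
```

Running it prints a 1412 tunnel MTU and a 1372 MSS clamp; the quoted capture line (mtu 1420) is not flagged because 1420 already exceeds 1412, while the constructed mtu 1400 line is, which is the case where the plan would need lowering further. The pair of functions can be re-run with `tunnel_mtu(1492, WG_OVERHEAD_V4)` to see the less conservative 1432 figure if the tunnel endpoints are known to be IPv4 only.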