As Internet-wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. The MSS is a field in the TCP Options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.
Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS value for IPv4 and IPv6.
MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.
Clamp outgoing MSS value in a TCP SYN packet to 1452 for pppoe0 and 1372 for your WireGuard wg02 tunnel.
set firewall options interface pppoe0 adjust-mss '1452'
set firewall options interface wg02 adjust-mss '1372'
For IPv6, clamp outgoing MSS value in a TCP SYN packet to 1280 for both the pppoe0 and wg02 interfaces.
set firewall options interface pppoe0 adjust-mss6 '1280'
set firewall options interface wg02 adjust-mss6 '1280'
When doing your byte calculations, you might find this Visual packet size calculator useful.
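What an MSS clamp does to a passing SYN, as an added Python illustration (not VyOS code and not part of the original page): it finds the MSS option in the TCP options, lowers it if it exceeds the clamp value, and patches the TCP checksum incrementally per RFC 1624. The addresses, ports and the helper names `checksum`, `build_syn` and `clamp_mss` are assumptions made for this example.

```python
import struct

ADDRS = bytes([192, 0, 2, 1, 198, 51, 100, 1])     # constructed src/dst (documentation ranges)

def checksum(seg: bytes) -> int:
    """RFC 1071 checksum of a TCP segment plus IPv4 pseudo-header; 0 means valid."""
    data = ADDRS + struct.pack("!HH", 6, len(seg)) + seg + b"\x00" * (len(seg) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_syn(options: bytes) -> bytes:
    """Constructed sample SYN carrying `options` (length a multiple of 4)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (20 + len(options)) // 4 << 4, 0x02, 64240, 0, 0) + options
    return hdr[:16] + struct.pack("!H", checksum(hdr)) + hdr[18:]

def clamp_mss(tcp: bytes, clamp: int) -> bytes:
    """Lower the MSS option of a SYN to `clamp`; anything else is returned unchanged."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if not 20 <= hdr_len <= len(tcp) or not tcp[13] & 0x02:   # malformed or not a SYN
        return tcp
    i = 20
    while i < hdr_len and tcp[i] != 0:             # kind 0 = End of Option List
        if tcp[i] == 1:                            # kind 1 = NOP, a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            break                                  # malformed option: stop parsing
        if tcp[i] == 2 and tcp[i + 1] == 4:        # MSS: kind 2, length 4
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= clamp:
                break                              # never raise the advertised MSS
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, clamp)
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m'). At an odd
            # offset the value straddles two 16-bit words, so swap its bytes.
            m, m2 = old, clamp
            if i % 2:
                m, m2 = (m >> 8 | m << 8) & 0xFFFF, (m2 >> 8 | m2 << 8) & 0xFFFF
            s = (~struct.unpack_from("!H", tcp, 16)[0] & 0xFFFF) + (~m & 0xFFFF) + m2
            while s >> 16:
                s = (s & 0xFFFF) + (s >> 16)
            struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            return bytes(out)
        i += tcp[i + 1]
    return tcp
```

Calling `clamp_mss(build_syn(bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])), 1452)` rewrites an advertised MSS of 1460 to 1452 and leaves the segment with a valid checksum; a SYN that already advertises 1452 or less is passed through untouched.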