Topic: Problems with MTU and static1.e621.net

Posted under Site Bug Reports & Feature Requests

(I already posted it in general bug report thread, but got no response in 10 days, so I decided to post it here) Hello, I have problems with MTU and static1.e621.net server. Sorry for grammar mistakes, I am from Russia and English is not my native language. Long story short, E621 is blocked in my country, so I have to use VPN to access it. I am self-taught sysadmin with homelab (it's some kind of home server room) and Mikrotik router. I have a friend from UK, who is also sysadmin and has enterprise Mikrotik network hardware. We decided to set up WireGuard VPN tunnel between our networks to gain access to each-other resources and automatically route traffic of banned resources in our countries through VPN tunnel where it's not blocked. Everything worked as we expected and without any problems, except one domain: static1.e621.net, that is used to load content on this website, but not e621 itself. For example: I can get access to e621 itself, from my network, but images of posts won't load. But if I connect to my OpenVPN VPN server in my network (not VPN tunnel between our networks) via my phone and mobile data - everything works fine. After troubleshooting I found out that this is happening because of VPN tunnel MTU. When I used my phone and OpenVPN - MTU of my traffic was 1420 (same as WireGuard's tunnel), so everything worked fine. But MTU of my and my friend's network is 1500. Other websites and resources handled this normally, but not static1.e621.net. I found solution - just increased MTU of WireGuard tunnel. Everything worked fine for few months, but about a week ago WireGuard tunnel stopped working at all. I found out that reason was in too high MTU. After setting MTU of tunnel to default value tunnel started to work normally, but static1.e621.net became unavailable. I have an option to decrease MTU of entire network, but this is not best idea. I hope that admins of e621.net can help me with my issue. If needed - I can assist, even in voice channel in Discord.

alphamule

Privileged

salpinx said:
(I already posted it in general bug report thread, but got no response in 10 days, so I decided to post it here) Hello, I have problems with MTU and static1.e621.net server. Sorry for grammar mistakes, I am from Russia and English is not my native language. Long story short, E621 is blocked in my country, so I have to use VPN to access it. I am self-taught sysadmin with homelab (it's some kind of home server room) and Mikrotik router.

I have a friend from UK, who is also sysadmin and has enterprise Mikrotik network hardware. We decided to set up WireGuard VPN tunnel between our networks to gain access to each-other resources and automatically route traffic of banned resources in our countries through VPN tunnel where it's not blocked. Everything worked as we expected and without any problems, except one domain: static1.e621.net, that is used to load content on this website, but not e621 itself.

For example: I can get access to e621 itself, from my network, but images of posts won't load. But if I connect to my OpenVPN VPN server in my network (not VPN tunnel between our networks) via my phone and mobile data - everything works fine. After troubleshooting I found out that this is happening because of VPN tunnel MTU. When I used my phone and OpenVPN - MTU of my traffic was 1420 (same as WireGuard's tunnel), so everything worked fine. But MTU of my and my friend's network is 1500. Other websites and resources handled this normally, but not static1.e621.net.

I found solution - just increased MTU of WireGuard tunnel. Everything worked fine for few months, but about a week ago WireGuard tunnel stopped working at all. I found out that reason was in too high MTU. After setting MTU of tunnel to default value tunnel started to work normally, but static1.e621.net became unavailable. I have an option to decrease MTU of entire network, but this is not best idea. I hope that admins of e621.net can help me with my issue. If needed - I can assist, even in voice channel in Discord.

Paragraphing makes that easier to read.

https://skym.fi/blog/2021/08/the-fun-called-mtu-and-wireguard/ Does ping command even work for WireGuard? Wireshark/Ethereal can be used for the same test, just using HTTP or other protocols. Sliding the MTU down to 1200, and then increasing by 16 each time should show fragmentation.

alphamule said:
Paragraphing makes that easier to read.

https://skym.fi/blog/2021/08/the-fun-called-mtu-and-wireguard/ Does ping command even work for WireGuard? Wireshark/Ethereal can be used for the same test, just using HTTP or other protocols. Sliding the MTU down to 1200, and then increasing by 16 each time should show fragmentation.

Thank you. I did some research and found out that this can be fixed by a firewall rule that changes the MSS of every packet that is going to be routed through the VPN tunnel. But other blocked websites worked normally even without this rule. Why static1.e621.net doesn't tolerate MTU change remains a mystery to me.
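What an MSS-rewriting firewall rule of the kind mentioned in the post above does to a TCP SYN, as an added example that is not part of the original thread: it walks the TCP options and lowers the advertised MSS so that full-size segments fit the tunnel. The sample option bytes are constructed, and the sketch assumes IPv4 without IP options unless `ipv6=True` is passed.

```python
import struct

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20  # header sizes without options

def mss_for_mtu(mtu, ipv6=False):
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR

def clamp_mss(options, tunnel_mtu, ipv6=False):
    """Lower the MSS option (kind 2) in raw TCP option bytes to fit tunnel_mtu.

    Returns (new_options, old_mss, new_mss); the MSS values are None when the
    SYN carries no MSS option. Only the option bytes are handled here: a real
    router also has to update the TCP checksum after the rewrite.
    """
    limit = mss_for_mtu(tunnel_mtu, ipv6)
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option length")
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", out, i + 2)[0]
            new = min(old, limit)  # never raise an MSS that is already smaller
            struct.pack_into("!H", out, i + 2, new)
            return bytes(out), old, new
        i += length
    return bytes(out), None, None

# Constructed sample: options of a SYN from a host on a 1500-byte LAN:
# MSS=1460, SACK permitted, timestamps, NOP, window scale 7.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b40402080a000000010000000001030307")

if __name__ == "__main__":
    _, old, new = clamp_mss(SAMPLE_SYN_OPTIONS, tunnel_mtu=1420)
    print(f"MSS {old} -> {new} for a 1420-byte tunnel")
```
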

alphamule

Privileged

salpinx said:
Thank you. I did some research and found out that this can be fixed by a firewall rule that changes the MSS of every packet that is going to be routed through the VPN tunnel. But other blocked websites worked normally even without this rule. Why static1.e621.net doesn't tolerate MTU change remains a mystery to me.

You'd have to use Wireshark to find out. A packet dump would tell you when packets are having to be reassembled, or getting rejected.
