WireGuard Network Configuration Experience: Lower MTU for High Packet Loss, Switch Ports If It Fails, Skip Persisting iptables Rules, and Test with mtr
AI translation.
WireGuard is an excellent networking tool that can be used to build a private intranet, preventing databases such as MySQL in the production environment from being exposed to the public network.
This blog shares the author’s experience with WireGuard networking.
Testing with MTR
MTR is a great testing tool for Linux (on Windows, run it under WSL). It reports latency and packet loss rate for every hop on the path, accumulated over as long as you let it run.
Put simply, tracert on Windows sends only three probes per hop along the path, so its latency and loss figures rest on three samples. MTR keeps probing continuously, for hours or even days if you want, so the loss rate it reports is backed by a large number of samples rather than a handful.
Changing the Port
WireGuard configuration is extremely straightforward. A tunnel can be established by filling in a total of six fields in the configuration file: PrivateKey, Address and ListenPort under the [Interface] section, and PublicKey, AllowedIPs and Endpoint under the [Peer] section, then opening the chosen UDP ListenPort in the firewall.
If the tunnel does not come up, reaching for assorted network debugging tools first is rarely worth the time. Try a different port first (change ListenPort on the listening side, the port in Endpoint on the other side, and the firewall rule to match); only if that still fails, fall back to a packet capture to see whether the handshake packets are arriving at all.
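The six-field configuration and the port switch, as an added shell example (my own script, not the post's): it writes both sides of a minimal tunnel and rewrites the port in an existing pair of configs. Keys are passed in as arguments so the script runs without wg(8); generate real ones with `wg genkey | tee priv | wg pubkey`. The 10.10.0.0/24 subnet, the addresses and the default port 51820 are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the post: write the two sides of a minimal WireGuard
# tunnel (the six fields the post lists) and swap the port on both sides when
# the first choice fails. Keys are arguments so no wg(8) is needed here.
# The 10.10.0.0/24 subnet, host addresses and port 51820 are assumptions.
set -u

# Server side: it listens, and needs no Endpoint because the client dials in.
server_conf() {          # <server_privkey> <client_pubkey> <listen_port>
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.10.0.1/24
ListenPort = $3

[Peer]
PublicKey = $2
AllowedIPs = 10.10.0.2/32
EOF
}

# Client side: Endpoint names the server's public address and port. AllowedIPs
# restricts which destinations are routed into the tunnel; a /32 for the server
# means only intranet traffic (e.g. MySQL on 10.10.0.1) goes through WireGuard.
client_conf() {          # <client_privkey> <server_pubkey> <server_public_ip> <port>
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.10.0.2/24

[Peer]
PublicKey = $2
AllowedIPs = 10.10.0.1/32
Endpoint = $3:$4
EOF
}

# Rewrite the port in a config read from stdin: ListenPort on the server side,
# the port part of Endpoint on the client side (also works for [v6]:port).
set_port() {             # <new_port>
    sed -E -e "s/^(ListenPort *= *)[0-9]+/\1$1/" \
           -e "s/^(Endpoint *= *.*:)[0-9]+/\1$1/"
}

# usage: <server_priv> <client_pub> <client_priv> <server_pub> <server_public_ip> [port]
if [ $# -ge 5 ]; then
    port=${6:-51820}
    server_conf "$1" "$2" "$port" > wg0-server.conf
    client_conf "$3" "$4" "$5" "$port" > wg0-client.conf
    chmod 600 wg0-server.conf wg0-client.conf     # configs contain private keys
fi
```

After switching ports with `set_port`, remember the third place the port lives: the firewall rule on the listening host. If the client sits behind NAT, adding `PersistentKeepalive = 25` under its [Peer] keeps the mapping alive; it is not one of the six required fields.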
Reducing the MTU
I once encountered a situation where, after the tunnel had come up successfully, the packet loss rate was as high as 10% or more, with substantial latency.
MTR tests showed that the direct packet loss rate to the peer was very low (0–1%), while the packet loss rate to the intranet IP after network setup was as high as over 10%.
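The comparison just described, as an added shell example (my own tooling, not the post's): run mtr in report mode against the peer's public endpoint and against its intranet address, parse the last hop of each report, and flag the tunnel when it loses noticeably more than the path beneath it. The two sample reports at the bottom are constructed, not real captures, so the parser can be exercised offline; the function names and the 5-point threshold are my choices.

```shell
#!/usr/bin/env bash
# Added example: compare end-to-end loss on the direct path (peer's public
# endpoint) with loss inside the WireGuard tunnel (peer's intranet address).
# A tunnel that loses far more than the underlying path points at MTU trouble.
# Names, the threshold and the sample reports below are mine, not the post's.
set -u

# Extract "<loss%> <avg_ms>" for the final hop of an `mtr --report` text on
# stdin. In report mode every hop line contains "|--"; the last one is the
# destination. Loss% is column 3 (with or without a trailing %), Avg is column 6.
last_hop_stats() {
    awk '/\|--/ { loss = $3; avg = $6 }
         END { sub(/%$/, "", loss); printf "%s %s\n", loss, avg }'
}

# Run mtr against one target and print its final-hop stats.
# -n: no DNS lookups, --report: non-interactive, --report-cycles: probe count.
probe() {
    local target=$1 cycles=${2:-100}
    mtr -n --report --report-cycles "$cycles" "$target" | last_hop_stats
}

# Succeed when tunnel loss exceeds direct loss by more than THRESHOLD points.
# Floats are compared in awk because test(1) only handles integers.
tunnel_loss_excessive() {   # <direct_loss> <tunnel_loss> [threshold]
    local direct=$1 tunnel=$2 threshold=${3:-5}
    awk -v d="$direct" -v t="$tunnel" -v th="$threshold" \
        'BEGIN { exit !(t - d > th) }'
}

# Live comparison: compare_paths <endpoint_ip> <wg_peer_intranet_ip> [cycles]
compare_paths() {
    local direct tunnel
    direct=$(probe "$1" "${3:-100}" | cut -d' ' -f1)
    tunnel=$(probe "$2" "${3:-100}" | cut -d' ' -f1)
    echo "direct loss: ${direct}%  tunnel loss: ${tunnel}%"
    if tunnel_loss_excessive "$direct" "$tunnel"; then
        echo "tunnel loses much more than the path underneath it: suspect MTU"
    fi
}

# Constructed mtr reports (not real captures) for exercising the parser offline.
SAMPLE_DIRECT='HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%   100    0.4   0.5   0.3   2.1   0.2
  2.|-- ???                       100.0   100    0.0   0.0   0.0   0.0   0.0
  3.|-- 203.0.113.10               1.0%   100   35.2  36.0  34.8  48.9   1.4'
SAMPLE_TUNNEL='HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.10.0.1                 12.0%   100   38.9  41.7  35.1 160.2  15.3'

if [ $# -ge 2 ]; then
    compare_paths "$@"
fi
```

Only the final hop matters for the verdict: intermediate hops that show 100% loss (the `???` line above) usually just rate-limit or drop ICMP TTL-exceeded replies and say nothing about end-to-end delivery. Use at least 100 cycles; with fewer probes a single lost packet already moves the loss figure by several percent.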
To understand why, you need the concept of the path MTU (the post calls it the Path Maximum MTU).
Put simply, data sent across the Internet is split into packets. Between two endpoints sit many routers, each forwarding a packet to the next until it can be delivered to the destination. Every link along the way has a Maximum Transmission Unit (MTU), the largest packet it will carry. The smallest MTU among all the links on the route is the path MTU. A packet larger than the path MTU is either fragmented into several smaller packets or discarded; when the sender has set the Don't Fragment flag and the ICMP "fragmentation needed" reply never makes it back (for example because a firewall filters ICMP), the oversized packets simply vanish, which shows up as an increased packet loss rate. Because WireGuard wraps every inner packet in extra headers, a tunnel whose MTU is too large produces exactly such oversized packets on the outside.
How to Measure Path Maximum MTU
Use the Linux ping, e.g. under WSL (the Windows ping has a different syntax; its equivalent is ping -f -l <size> <destination>):
ping -M do -s <icmp payload size> <destination ip>
-M do sets the Don't Fragment flag, so a probe that is too big for the path fails ("message too long" or no reply) instead of being fragmented; increase the payload size until the probes stop getting through, and take the largest size that still does.
- For IPv4: Path Maximum MTU = ICMP payload size + 28 (20-byte IPv4 header + 8-byte ICMP header)
- For IPv6: Path Maximum MTU = ICMP payload size + 48 (40-byte IPv6 header + 8-byte ICMPv6 header)
Then add the line MTU=Path Maximum MTU - 60 to the [Interface] section of the WireGuard configuration file. The 60 bytes are the encapsulation WireGuard adds around every inner packet: IPv4 header (20 bytes) + UDP header (8 bytes) + WireGuard data message header (32 bytes: message type, receiver index, counter and Poly1305 tag). Practical tests showed that this effectively reduced the packet loss rate. (The 60-byte figure assumes the peer's Endpoint is an IPv4 address; when the tunnel runs over an IPv6 endpoint the outer header is 40 bytes, so subtract 80 instead. The address family used inside the tunnel does not matter.)
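The measurement and the arithmetic above, as an added shell example (my own script, not the post's): a binary search over DF-set pings finds the largest payload that still arrives, then the formulas from this post turn it into the MTU= line. The probe is pluggable through a PROBE variable so the search itself can be checked without a network; the function names, the search range 500..1472 and the probe count are my choices.

```shell
#!/usr/bin/env bash
# Added example: find the path MTU to a WireGuard peer with DF-set pings and
# turn it into the MTU= line for the [Interface] section, using the formulas
# from the post. Function names, search range and probe count are my choices.
set -u

# Header bytes between the ICMP payload and the on-wire packet size.
IPV4_PING_OVERHEAD=28   # 20 IPv4 header + 8 ICMP header
IPV6_PING_OVERHEAD=48   # 40 IPv6 header + 8 ICMPv6 header
# Bytes WireGuard adds around every inner packet: 20 IPv4 (or 40 IPv6) outer
# header + 8 UDP + 32 WireGuard data header (type, receiver index, counter,
# Poly1305 tag). Which one applies depends on the Endpoint's address family.
WG_OVERHEAD_V4=60
WG_OVERHEAD_V6=80

# Path MTU from the largest ICMP payload that still gets through.
path_mtu_from_payload() {   # <payload_bytes> <4|6>
    local payload=$1 family=${2:-4}
    if [ "$family" = 6 ]; then
        echo $((payload + IPV6_PING_OVERHEAD))
    else
        echo $((payload + IPV4_PING_OVERHEAD))
    fi
}

# MTU for the [Interface] section so that an inner packet plus WireGuard's
# encapsulation never exceeds the path MTU.
wg_mtu() {                  # <path_mtu> <endpoint family 4|6>
    local pmtu=$1 family=${2:-4}
    if [ "$family" = 6 ]; then
        echo $((pmtu - WG_OVERHEAD_V6))
    else
        echo $((pmtu - WG_OVERHEAD_V4))
    fi
}

# Succeed when a DF-set ping of this payload size reaches the host.
# -M do: Don't Fragment, fail instead of fragmenting; -c 3 probes with a
# 2 s timeout so one lost packet does not masquerade as "too big".
df_ping_ok() {              # <host> <payload_bytes>
    ping -M do -c 3 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary search for the largest payload that passes, between lo and hi bytes.
# lo must be small enough to pass. PROBE can be overridden for testing.
largest_passing_payload() { # <host> [lo] [hi]
    local host=$1 lo=${2:-500} hi=${3:-1472} best mid
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "${PROBE:-df_ping_ok}" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# End to end: print the MTU= line for a tunnel whose Endpoint is IPv4 <host>.
suggest_wg_mtu() {          # <endpoint_host>
    local payload pmtu
    payload=$(largest_passing_payload "$1")
    pmtu=$(path_mtu_from_payload "$payload" 4)
    echo "# path MTU to $1: $pmtu"
    echo "MTU = $(wg_mtu "$pmtu" 4)"
}

if [ $# -ge 1 ]; then
    suggest_wg_mtu "$1"
fi
```

Run it against the peer's public endpoint, not its intranet address: the outer UDP packets travel the public path, so that is the MTU that constrains them. With a lossy path, a single failed probe can make the search stop early; if the result looks suspiciously low, rerun it or raise the `-c` count. A 1392-byte payload gives a path MTU of 1420 and the post's MTU=1360.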
For example, if the Path Maximum MTU is 1420, add the line MTU=1360 to the WireGuard configuration file.
Not Persisting iptables Rules
When configuring WireGuard on a production host, leave the iptables rules unpersisted at first. If you later suspect a rule is wrong, a reboot returns the host to its pre-configuration state.
Otherwise, in the worst case, a bad rule drops your SSH session and, because it is persisted, comes back after every reboot, leaving you with no way to operate the host at all (short of a provider console or rescue mode).
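A stronger version of the same idea, as an added shell example (my own pattern, not the post's): apply the WireGuard firewall rules with a timed rollback, so a rule that cuts off SSH undoes itself within two minutes instead of waiting for a reboot. Nothing here writes to /etc/iptables or calls a persistence package, so a reboot still wipes the rules as the post recommends. The port, interface name, snapshot path and timeout are assumptions, and the rules assume an INPUT chain that already drops what is not explicitly accepted.

```shell
#!/usr/bin/env bash
# Added example (my own pattern, not from the post): apply WireGuard firewall
# rules with an automatic rollback so a bad rule that kills SSH reverts on its
# own. Nothing is persisted: a reboot still returns the pre-change state.
# Port, interface, snapshot path and timeout below are assumptions.
set -u

WG_PORT=${WG_PORT:-51820}
WG_IF=${WG_IF:-wg0}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}
SNAPSHOT=${SNAPSHOT:-/run/iptables.before-wg}

# Print the rules to add, one iptables invocation per line, so they can be
# reviewed before anything is applied: open the UDP ListenPort on the public
# side and accept traffic arriving on / forwarded through the tunnel interface.
wg_rules() {             # <udp_port> <wg_interface>
    printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -i %s -j ACCEPT\n' "$2"
    printf 'iptables -A FORWARD -i %s -j ACCEPT\n' "$2"
    printf 'iptables -A FORWARD -o %s -j ACCEPT\n' "$2"
}

# Save the current ruleset in iptables-save format so it can be restored.
snapshot_rules() {
    iptables-save > "$SNAPSHOT"
}

# Apply the rules, then start a background timer that restores the snapshot
# unless confirm_rules is run first. If SSH dies, the timer fires and the
# pre-change ruleset comes back without anyone touching the host.
apply_with_rollback() {
    snapshot_rules
    wg_rules "$WG_PORT" "$WG_IF" | sh -e
    (
        sleep "$ROLLBACK_SECS"
        iptables-restore < "$SNAPSHOT"
        echo "iptables rules rolled back from $SNAPSHOT" >&2
    ) &
    echo $! > "${SNAPSHOT}.timer"
    echo "rules applied; run confirm_rules within ${ROLLBACK_SECS}s to keep them"
}

# Cancel the rollback timer once the tunnel works AND a fresh SSH session
# still connects. Even then the rules only live until the next reboot.
confirm_rules() {
    kill "$(cat "${SNAPSHOT}.timer")" && rm -f "${SNAPSHOT}.timer"
    echo "rollback cancelled; rules stay until reboot (not persisted)"
}

case "${1:-}" in
    show)    wg_rules "$WG_PORT" "$WG_IF" ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
esac
```

Test the confirmation from a second, freshly opened SSH session rather than the one you applied the rules from: an existing connection keeps working under a rule that blocks new ones, which is exactly the case the timer is there to catch.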