#MTU FOR VPN MAC MAC#
If this works, then consult your VPN documentation for the exact ports and network ranges used, and refine your "Allow VPN" rule.Įxamine output of "ifconfig" command line on a Mac client, and look for "utun" interfaces which are used by VPN software.
#MTU FOR VPN MAC FOR MAC#
A much simpler configuration.If you are troubleshooting SEP for Mac firewall rules, an "Allow All" rule at the top the settings might not work at first. With WireGuard, only the server hides IP addresses behind it using NAT. On OpenVPN I had to use double NAT, first on the home gateway, then on the server, resulting in a slower connection. Other noteworthy items with this configuration: The VPN tunnel uses 10.88.88.0/24 block for its internal communication and 192.168.1.0/24 block (change this to your local IP address range) is added to the IP addresses behind the client, which lets local machines connect directly to the server without any extra NAT configuration.
![mtu for vpn mac mtu for vpn mac](https://faq.draytek.com.au/wp-content/uploads/2020/06/MTU-1.png)
With it, the client tells the server to use the correct MTU when sending packets to it. Also, iptables -A FORWARD -p tcp -tcp-flags SYN,RST SYN -j TCPMSS -clamp-mss-to-pmtu added on PostUp to the client configuration is the magical setting here that fixes the remaining issues.
#MTU FOR VPN MAC UPDATE#
So, what makes this configuration work? First, on PPPoE connections, the maximum MTU is generally 1492 instead of widely used 1500, so the default MTU of WireGuard which is 1420, needs to be corrected to 1412 (I recommend setting the MTU to 1280, see my update on the top of the post for my reasoning). PostDown = ip route del SERVER_PUBLIC_IP/32 via 192.168.1.1 dev eth0 iptables -D FORWARD -i wg0 -m state -state RELATED,ESTABLISHED -j ACCEPT iptables -D FORWARD -p tcp -tcp-flags SYN,RST SYN -j TCPMSS -clamp-mss-to-pmtu PostUp = ip route add SERVER_PUBLIC_IP/32 via 192.168.1.1 dev eth0 iptables -A FORWARD -i wg0 -m state -state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp -tcp-flags SYN,RST SYN -j TCPMSS -clamp-mss-to-pmtu PostDown = iptables -D FORWARD -i wg0 -j ACCEPT iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE iptables -D FORWARD -i eth0 -m state -state RELATED,ESTABLISHED -j ACCEPTĪllowedIPs = 10.88.88.2/32, 192.168.1.0/24Ĭlient configuration (Home gateway): PostUp = iptables -A FORWARD -i wg0 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A FORWARD -i eth0 -m state -state RELATED,ESTABLISHED -j ACCEPT So I decided to write it as a future reference to people who will most probably have the same problems on PPPoE. After searching for hours and trying many options I came to a perfectly working configuration. Some sites behaved normally, others had intermittent problems, and some were just not working. I had problems with connection drops, timeouts or other weird issues when I first installed WireGuard on Debian (The mobile devices had no problems whatsoever, so this was an issue with the home gateway).
#MTU FOR VPN MAC HOW TO#
What I will cover is, how to fix problems if you are connecting to the internet using PPPoE, for example on an ADSL connection. There are many how-tos about installing and configuring WireGuard on the internet, so I will not cover that. It is really something to configure and forget about, just perfect. I also use WireGuard as an on demand VPN for cellular networks on my iPhone and iPad and the battery impact is minimal. My home gateway is on a Debian server with VMWare Fusion, installed on a Mac mini 2018 as I write this post. It is incredibly fast to connect, very easy to implement and uses minimal resources on a modern computer. Donenfeld called WireGuard, which blew my mind as I read about it. Until recently, I was using OpenVPN but then I came upon a great new technology by Jason A. So I use a VPN at home and on my mobile devices to overcome this issue. Due to the incompetence of our censors, sometimes sites with necessary knowledge get blocked too. Wikipedia and Imgur access were just recently restored, and access to many other websites are blocked for various reasons. I live in a country where internet access is severely censored. While it is smaller and will generate more packets, I think it will encounter fewer configuration problems across different sites. So instead of 1412 as I wrote below, I now recommend 1280 for MTU.
![mtu for vpn mac mtu for vpn mac](https://cdn.osxdaily.com/wp-content/uploads/2016/09/4-custom-mtu-size-sierra-wifi.jpg)
ipv6 connections require 1280 as the minimum MTU and most router configurations expect to see some standardized MTU. UPDATE: I researched a little more on this.