Hi,
I saw the recent change in pf.conf.5. Thank you. But I would argue that a person who just wants to set up a VPN can easily overlook the max-mss option. That's why I suggest adding it to examples like this:
--- src/share/man/man5/pf.conf.5.orig Sat May 28 19:47:32 2022
+++ src/share/man/man5/pf.conf.5 Sat May 28 20:30:33 2022
@@ -2781,6 +2781,18 @@
.Bd -literal -offset 4n
pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
.Ed
+.Pp
+In the example below a WireGuard VPN server does NAT for outgoing
+packets from WireGuard's internal network. Since the MTU of the
+WireGuard network interface (1420) is lower than MTU of the egress
+interface (1500) this may sometimes result in a packet loss. To
+avoid that the
+.Cm max-mss
+needs to be set to min(1500,1420)-40=1380:
+.Bd -literal -offset 4n
+match out on egress from (wg0:network) nat-to (egress:0) scrub (max-mss 1380)
+pass out on egress
+.Ed
.Sh GRAMMAR
Syntax for
.Nm
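Review bot: the arithmetic in the added paragraph, "min(1500,1420)-40=1380", silently assumes IPv4: the 40 bytes deducted are a 20-byte IPv4 header plus a 20-byte TCP header, so the paragraph should say so, and readers carrying IPv6 inside the tunnel should be told the deduction is 60 (40-byte IPv6 header plus 20-byte TCP header), giving 1360. It is also worth stating that max-mss only clamps TCP; it does nothing for UDP or other protocols crossing the same NAT, which still depend on path MTU discovery working. Minor wording in the same hunk: "lower than MTU of the egress interface" should read "lower than the MTU of the egress interface", "result in a packet loss" should be "result in packet loss", and ".Cm max-mss needs to be set" reads better as ".Cm max-mss option needs to be set".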