Path MTU discovery fixes and improvements (#3109)

- Existing option `WIREGUARD_MTU` , if set, disables PMTUD and is used - New option `PMTUD_ICMP_ADDRESSES=1.1.1.1,8.8.8.8` and `PMTUD_TCP_ADDRESSES=1.1.1.1:443,8.8.8.8:443` - ICMP PMTUD now targets external-by-default IP addresses - New TCP PMTUD (binary search only) as a second MTU confirmation and fallback mechanism. - Force set TCP MSS to MTU - IP header - TCP base header - "magic 20 bytes" 🎆 - Fix #3108
2026-05-07 04:20:12 +02:00 · 2026-02-15 01:40:34 +01:00
parent 8f1fda7646
commit be92aa2ac4
59 changed files with 2050 additions and 376 deletions
@@ -0,0 +1,108 @@
+package settings
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"strings"
+
+	"github.com/qdm12/gosettings"
+	"github.com/qdm12/gosettings/reader"
+	"github.com/qdm12/gotree"
+)
+
+// PMTUD contains settings to configure Path MTU Discovery.
+type PMTUD struct {
+	// ICMPAddresses is the redundancy list of addresses to use
+	// for ICMP path MTU discovery. Each address MUST handle ICMP
+	// packets for PMTUD to work.
+	// It cannot be nil in the internal state.
+	ICMPAddresses []netip.Addr `json:"icmp_addresses"`
+	// TCPAddresses is the redundancy list of addresses to use
+	// for TCP path MTU discovery. Each address MUST have a listening
+	// TCP server on the port specified.
+	// It cannot be nil in the internal state.
+	TCPAddresses []netip.AddrPort `json:"tcp_addresses"`
+}
+
+var (
+	ErrPMTUDICMPAddressNotValid = errors.New("PMTUD ICMP address is not valid")
+	ErrPMTUDTCPAddressNotValid  = errors.New("PMTUD TCP address is not valid")
+)
+
+// Validate validates PMTUD settings.
+func (p PMTUD) validate() (err error) {
+	for i, addr := range p.ICMPAddresses {
+		if !addr.IsValid() {
+			return fmt.Errorf("%w: at index %d", ErrPMTUDICMPAddressNotValid, i)
+		}
+	}
+	for i, addr := range p.TCPAddresses {
+		if !addr.IsValid() {
+			return fmt.Errorf("%w: at index %d", ErrPMTUDTCPAddressNotValid, i)
+		}
+	}
+	return nil
+}
+
+func (p *PMTUD) copy() (copied PMTUD) {
+	return PMTUD{
+		ICMPAddresses: gosettings.CopySlice(p.ICMPAddresses),
+		TCPAddresses:  gosettings.CopySlice(p.TCPAddresses),
+	}
+}
+
+func (p *PMTUD) overrideWith(other PMTUD) {
+	p.ICMPAddresses = gosettings.OverrideWithSlice(p.ICMPAddresses, other.ICMPAddresses)
+	p.TCPAddresses = gosettings.OverrideWithSlice(p.TCPAddresses, other.TCPAddresses)
+}
+
+func (p *PMTUD) setDefaults() {
+	defaultICMPAddresses := []netip.Addr{
+		netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+		netip.AddrFrom4([4]byte{8, 8, 8, 8}),
+	}
+	p.ICMPAddresses = gosettings.DefaultSlice(p.ICMPAddresses, defaultICMPAddresses)
+
+	const tlsPort = 443
+	defaultTCPAddresses := []netip.AddrPort{
+		netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), tlsPort),
+		netip.AddrPortFrom(netip.AddrFrom4([4]byte{8, 8, 8, 8}), tlsPort),
+	}
+	p.TCPAddresses = gosettings.DefaultSlice(p.TCPAddresses, defaultTCPAddresses)
+}
+
+func (p PMTUD) String() string {
+	return p.toLinesNode().String()
+}
+
+func (p PMTUD) toLinesNode() (node *gotree.Node) {
+	node = gotree.New("Path MTU discovery:")
+
+	addrs := make([]string, len(p.ICMPAddresses))
+	for i, addr := range p.ICMPAddresses {
+		addrs[i] = addr.String()
+	}
+	node.Appendf("ICMP addresses: %s", strings.Join(addrs, ", "))
+
+	addrs = make([]string, len(p.TCPAddresses))
+	for i, addr := range p.TCPAddresses {
+		addrs[i] = addr.String()
+	}
+	node.Appendf("TCP addresses: %s", strings.Join(addrs, ", "))
+	return node
+}
+
+func (p *PMTUD) read(r *reader.Reader) (err error) {
+	p.ICMPAddresses, err = r.CSVNetipAddresses("PMTUD_ICMP_ADDRESSES")
+	if err != nil {
+		return err
+	}
+
+	p.TCPAddresses, err = r.CSVNetipAddrPorts("PMTUD_TCP_ADDRESSES")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
@@ -29,14 +29,17 @@ func Test_Settings_String(t *testing.T) {
 |   |       └── OpenVPN server selection settings:
 |   |           ├── Protocol: UDP
 |   |           └── Private Internet Access encryption preset: strong
-|   └── OpenVPN settings:
-|       ├── OpenVPN version: 2.6
-|       ├── User: [not set]
-|       ├── Password: [not set]
-|       ├── Private Internet Access encryption preset: strong
-|       ├── Network interface: tun0
-|       ├── Run OpenVPN as: root
-|       └── Verbosity level: 1
+|   ├── OpenVPN settings:
+|   |   ├── OpenVPN version: 2.6
+|   |   ├── User: [not set]
+|   |   ├── Password: [not set]
+|   |   ├── Private Internet Access encryption preset: strong
+|   |   ├── Network interface: tun0
+|   |   ├── Run OpenVPN as: root
+|   |   └── Verbosity level: 1
+|   └── Path MTU discovery:
+|       ├── ICMP addresses: 1.1.1.1, 8.8.8.8
+|       └── TCP addresses: 1.1.1.1:443, 8.8.8.8:443
 ├── DNS settings:
 |   ├── Keep existing nameserver(s): no
 |   ├── DNS server address to use: 127.0.0.1
@@ -18,6 +18,7 @@ type VPN struct {
 	Provider  Provider  `json:"provider"`
 	OpenVPN   OpenVPN   `json:"openvpn"`
 	Wireguard Wireguard `json:"wireguard"`
+	PMTUD     PMTUD     `json:"pmtud"`
 }

 // TODO v4 remove pointer for receiver (because of Surfshark).
@@ -45,6 +46,11 @@ func (v *VPN) Validate(filterChoicesGetter FilterChoicesGetter, ipv6Supported bo
 		}
 	}

+	err = v.PMTUD.validate()
+	if err != nil {
+		return fmt.Errorf("PMTUD settings: %w", err)
+	}
+
 	return nil
 }

@@ -54,6 +60,7 @@ func (v *VPN) Copy() (copied VPN) {
 		Provider:  v.Provider.copy(),
 		OpenVPN:   v.OpenVPN.copy(),
 		Wireguard: v.Wireguard.copy(),
+		PMTUD:     v.PMTUD.copy(),
 	}
 }

@@ -62,6 +69,7 @@ func (v *VPN) OverrideWith(other VPN) {
 	v.Provider.overrideWith(other.Provider)
 	v.OpenVPN.overrideWith(other.OpenVPN)
 	v.Wireguard.overrideWith(other.Wireguard)
+	v.PMTUD.overrideWith(other.PMTUD)
 }

 func (v *VPN) setDefaults() {
@@ -69,6 +77,7 @@ func (v *VPN) setDefaults() {
 	v.Provider.setDefaults()
 	v.OpenVPN.setDefaults(v.Provider.Name)
 	v.Wireguard.setDefaults(v.Provider.Name)
+	v.PMTUD.setDefaults()
 }

 func (v VPN) String() string {
@@ -85,6 +94,7 @@ func (v VPN) toLinesNode() (node *gotree.Node) {
 	} else {
 		node.AppendNode(v.Wireguard.toLinesNode())
 	}
+	node.AppendNode(v.PMTUD.toLinesNode())

 	return node
 }
@@ -107,5 +117,10 @@ func (v *VPN) read(r *reader.Reader) (err error) {
 		return fmt.Errorf("wireguard: %w", err)
 	}

+	err = v.PMTUD.read(r)
+	if err != nil {
+		return fmt.Errorf("PMTUD: %w", err)
+	}
+
 	return nil
 }
@@ -38,15 +38,9 @@ type Wireguard struct {
 	Interface                   string         `json:"interface"`
 	PersistentKeepaliveInterval *time.Duration `json:"persistent_keep_alive_interval"`
 	// Maximum Transmission Unit (MTU) of the Wireguard interface.
-	// It cannot be zero in the internal state, and defaults to
-	// 1320. Note it is not the wireguard-go MTU default of 1420
-	// because this impacts bandwidth a lot on some VPN providers,
-	// see https://github.com/qdm12/gluetun/issues/1650.
-	// It has been lowered to 1320 following quite a bit of
-	// investigation in the issue:
-	// https://github.com/qdm12/gluetun/issues/2533.
-	// Note this should now be replaced with the PMTUD feature.
-	MTU uint32 `json:"mtu"`
+	// It cannot be nil in the internal state, and defaults to
+	// 0 indicating to use PMTUD.
+	MTU *uint32 `json:"mtu"`
 	// Implementation is the Wireguard implementation to use.
 	// It can be "auto", "userspace" or "kernelspace".
 	// It defaults to "auto" and cannot be the empty string
@@ -195,8 +189,7 @@ func (w *Wireguard) setDefaults(vpnProvider string) {
 	w.AllowedIPs = gosettings.DefaultSlice(w.AllowedIPs, defaultAllowedIPs)
 	w.PersistentKeepaliveInterval = gosettings.DefaultPointer(w.PersistentKeepaliveInterval, 0)
 	w.Interface = gosettings.DefaultComparable(w.Interface, "wg0")
-	const defaultMTU = 1320
-	w.MTU = gosettings.DefaultComparable(w.MTU, defaultMTU)
+	w.MTU = gosettings.DefaultPointer(w.MTU, 0)
 	w.Implementation = gosettings.DefaultComparable(w.Implementation, "auto")
 }

@@ -232,7 +225,11 @@ func (w Wireguard) toLinesNode() (node *gotree.Node) {
 	}

 	interfaceNode := node.Appendf("Network interface: %s", w.Interface)
-	interfaceNode.Appendf("MTU: %d", w.MTU)
+	if *w.MTU == 0 {
+		interfaceNode.Append("MTU: use path MTU discovery")
+	} else {
+		interfaceNode.Appendf("MTU: %d", *w.MTU)
+	}

 	if w.Implementation != "auto" {
 		node.Appendf("Implementation: %s", w.Implementation)
@@ -273,11 +270,9 @@ func (w *Wireguard) read(r *reader.Reader) (err error) {
 		return err
 	}

-	mtuPtr, err := r.Uint32Ptr("WIREGUARD_MTU")
+	w.MTU, err = r.Uint32Ptr("WIREGUARD_MTU")
 	if err != nil {
 		return err
-	} else if mtuPtr != nil {
-		w.MTU = *mtuPtr
 	}
 	return nil
 }