From c2c9504e94c16e32c989861d8d4ba1429f1bd929 Mon Sep 17 00:00:00 2001
From: Quentin McGaw <quentin.mcgaw@gmail.com>
Date: Thu, 5 Mar 2026 16:53:26 +0000
Subject: [PATCH] hotfix(pmtud): set TCP MSS before changing MTU, and revert to
 original MTU if TCP MSS route set fails

---
 internal/vpn/tunnelup.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/internal/vpn/tunnelup.go b/internal/vpn/tunnelup.go
index a6be2aef..6f6f00f8 100644
--- a/internal/vpn/tunnelup.go
+++ b/internal/vpn/tunnelup.go
@@ -195,16 +195,19 @@ func updateToMaxMTU(ctx context.Context, vpnInterface string,
 		logger.Infof("setting VPN interface %s MTU to maximum valid MTU %d", vpnInterface, vpnLinkMTU)
 	}
 
+	err = setTCPMSSOnVPNRoute(vpnInterface, vpnLinkMTU, routing, netlinker)
+	if err != nil {
+		err = fmt.Errorf("setting safe TCP MSS for MTU %d: %w", vpnLinkMTU, err)
+		vpnLinkMTU = originalMTU
+		logger.Infof("reverting VPN interface %s MTU to %d (due to: %s)",
+			vpnInterface, originalMTU, err)
+	}
+
 	err = netlinker.LinkSetMTU(link.Index, vpnLinkMTU)
 	if err != nil {
 		return fmt.Errorf("setting VPN interface %s MTU to %d: %w", vpnInterface, vpnLinkMTU, err)
 	}
 
-	err = setTCPMSSOnVPNRoute(vpnInterface, vpnLinkMTU, routing, netlinker)
-	if err != nil {
-		return fmt.Errorf("setting safe TCP MSS for MTU %d: %w", vpnLinkMTU, err)
-	}
-
 	return nil
 }