feat(vpn): path MTU discovery to find the best MTU (#2586)

internal/vpn/interfaces.go

@@ -81,6 +81,7 @@ type Linker interface {
 	LinkDel(link netlink.Link) (err error)
 	LinkSetUp(link netlink.Link) (linkIndex int, err error)
 	LinkSetDown(link netlink.Link) (err error)
+	LinkSetMTU(link netlink.Link, mtu int) (err error)
 }
 
 type DNSLoop interface {

internal/vpn/run.go

@@ -47,6 +47,7 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 			continue
 		}
 		tunnelUpData := tunnelUpData{
+			vpnType:        settings.Type,
 			serverIP:       connection.IP,
 			serverName:     connection.ServerName,
 			canPortForward: connection.PortForward,

internal/vpn/tunnelup.go

@@ -2,16 +2,24 @@ package vpn
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"net/netip"
+	"time"
 
 	"github.com/qdm12/dns/v2/pkg/check"
 	"github.com/qdm12/gluetun/internal/constants"
+	"github.com/qdm12/gluetun/internal/pmtud"
 	"github.com/qdm12/gluetun/internal/version"
+	"github.com/qdm12/log"
 )
 
 type tunnelUpData struct {
 	// Healthcheck
 	serverIP netip.Addr
+	// vpnType is used for path MTU discovery to find the protocol overhead.
+	// It can be "wireguard" or "openvpn".
+	vpnType string
 	// Port forwarding
 	vpnIntf        string
 	serverName     string // used for PIA
@@ -31,6 +39,13 @@ func (l *Loop) onTunnelUp(ctx, loopCtx context.Context, data tunnelUpData) {
 		}
 	}
 
+	mtuLogger := l.logger.New(log.SetComponent("MTU discovery"))
+	err := updateToMaxMTU(ctx, data.vpnIntf, data.vpnType,
+		l.netLinker, l.routing, mtuLogger)
+	if err != nil {
+		mtuLogger.Error(err.Error())
+	}
+
 	icmpTargetIPs := l.healthSettings.ICMPTargetIPs
 	if len(icmpTargetIPs) == 1 && icmpTargetIPs[0].IsUnspecified() {
 		icmpTargetIPs = []netip.Addr{data.serverIP}
@@ -120,3 +135,65 @@ func (l *Loop) restartVPN(ctx context.Context, healthErr error) {
 	_, _ = l.ApplyStatus(ctx, constants.Stopped)
 	_, _ = l.ApplyStatus(ctx, constants.Running)
 }
+
+var errVPNTypeUnknown = errors.New("unknown VPN type")
+
+func updateToMaxMTU(ctx context.Context, vpnInterface string,
+	vpnType string, netlinker NetLinker, routing Routing, logger *log.Logger,
+) error {
+	logger.Info("finding maximum MTU, this can take up to 4 seconds")
+
+	vpnGatewayIP, err := routing.VPNLocalGatewayIP(vpnInterface)
+	if err != nil {
+		return fmt.Errorf("getting VPN gateway IP address: %w", err)
+	}
+
+	link, err := netlinker.LinkByName(vpnInterface)
+	if err != nil {
+		return fmt.Errorf("getting VPN interface by name: %w", err)
+	}
+
+	originalMTU := link.MTU
+
+	// Note: no point testing for an MTU of 1500, it will never work due to the VPN
+	// protocol overhead, so start lower than 1500 according to the protocol used.
+	const physicalLinkMTU = 1500
+	vpnLinkMTU := physicalLinkMTU
+	switch vpnType {
+	case "wireguard":
+		vpnLinkMTU -= 60 // Wireguard overhead
+	case "openvpn":
+		vpnLinkMTU -= 41 // OpenVPN overhead
+	default:
+		return fmt.Errorf("%w: %q", errVPNTypeUnknown, vpnType)
+	}
+
+	// Setting the VPN link MTU to 1500 might interrupt the connection until
+	// the new MTU is set again, but this is necessary to find the highest valid MTU.
+	logger.Debugf("VPN interface %s MTU temporarily set to %d", vpnInterface, vpnLinkMTU)
+
+	err = netlinker.LinkSetMTU(link, vpnLinkMTU)
+	if err != nil {
+		return fmt.Errorf("setting VPN interface %s MTU to %d: %w", vpnInterface, vpnLinkMTU, err)
+	}
+
+	const pingTimeout = time.Second
+	vpnLinkMTU, err = pmtud.PathMTUDiscover(ctx, vpnGatewayIP, vpnLinkMTU, pingTimeout, logger)
+	switch {
+	case err == nil:
+		logger.Infof("setting VPN interface %s MTU to maximum valid MTU %d", vpnInterface, vpnLinkMTU)
+	case errors.Is(err, pmtud.ErrMTUNotFound) || errors.Is(err, pmtud.ErrICMPNotPermitted):
+		vpnLinkMTU = int(originalMTU)
+		logger.Infof("reverting VPN interface %s MTU to %d (due to: %s)",
+			vpnInterface, originalMTU, err)
+	default:
+		return fmt.Errorf("path MTU discovering: %w", err)
+	}
+
+	err = netlinker.LinkSetMTU(link, vpnLinkMTU)
+	if err != nil {
+		return fmt.Errorf("setting VPN interface %s MTU to %d: %w", vpnInterface, vpnLinkMTU, err)
+	}
+
+	return nil
+}