| author | Mel <mel@rnrd.eu> | 2026-04-23 20:41:37 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2026-04-23 22:58:26 +0200 |
| commit | f4c4a3eae96b8795834e535d1dad664179969f74 (patch) | |
| tree | 116ff7ce6ae55ed9734445eaf6c1c3a51599f594 /modules | |
| parent | 97a40c153e1daf8a1de251db825cb6a6020d5e1f (diff) | |
| download | network-f4c4a3eae96b8795834e535d1dad664179969f74.tar.zst network-f4c4a3eae96b8795834e535d1dad664179969f74.zip | |
Don't shatter VPN ingress packets on local transmission between interfaces
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/vpn/ingress.nix | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/modules/vpn/ingress.nix b/modules/vpn/ingress.nix index 2cf1ae5..b05572e 100644 --- a/modules/vpn/ingress.nix +++ b/modules/vpn/ingress.nix @@ -112,6 +112,7 @@ in # allow forwarding packets between egress and ingress, but avoid any snat, # ip should always keep it's origin form, for correct egress routing. + # also adapt mss to outgoing mss value, so that we don't shatter packets. networking.nftables.ruleset = let ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths; @@ -121,6 +122,8 @@ in chain forward { type filter hook forward priority 0; policy drop; + tcp flags syn tcp option maxseg size set rt mtu + iifname { "${ingressInterfaces}" } oifname "${egressName}" accept iifname "${egressName}" oifname { "${ingressInterfaces}" } accept } |
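Review bot: The new rule `tcp flags syn tcp option maxseg size set rt mtu` in the forward chain carries no interface qualifier, so it rewrites the MSS on every forwarded SYN in both directions, including flows the `policy drop` later discards; that is harmless and probably intended, but the added comment in the first hunk ("adapt mss to outgoing mss value") does not match what `rt mtu` does, which is derive the MSS from the route's cached MTU. I would reword it as `# clamp tcp mss on syn to the route mtu, so forwarded packets are not fragmented.`. On this rendering the text after the rule reads `+ iifname { … } oifname "${egressName}" accept`, and the diffstat's 3 insertions suggest the `+` is an added blank line rather than an added accept rule; if the clamp and the `iifname` match were in fact one physical line, they would form a single rule and the MSS clamp would only apply to ingress-to-egress SYNs, so worth confirming in the file. The enclosing `networking.nftables.ruleset` attribute starts before the first hunk and continues past the second.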
