Diffstat (limited to 'modules/vpn')
| -rw-r--r-- | modules/vpn/ingress.nix | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/modules/vpn/ingress.nix b/modules/vpn/ingress.nix
index 2cf1ae5..b05572e 100644
--- a/modules/vpn/ingress.nix
+++ b/modules/vpn/ingress.nix
@@ -112,6 +112,7 @@ in
 # allow forwarding packets between egress and ingress, but avoid any snat,
 # ip should always keep it's origin form, for correct egress routing.
+ # also adapt mss to outgoing mss value, so that we don't shatter packets.
 networking.nftables.ruleset = let
 ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths;
@@ -121,6 +122,8 @@ in
 chain forward {
 type filter hook forward priority 0; policy drop;
+ tcp flags syn tcp option maxseg size set rt mtu
+ iifname { "${ingressInterfaces}" } oifname "${egressName}" accept
 iifname "${egressName}" oifname { "${ingressInterfaces}" } accept
 } |
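Review bot: The new `tcp flags syn tcp option maxseg size set rt mtu` rule in the forward chain carries no comment of its own, and the comment added in the first hunk describes it as adapting the MSS "to outgoing mss value" when the rule actually clamps it to the route MTU (`rt mtu`); I would rephrase that comment to `# also clamp the TCP MSS of forwarded SYNs to the route MTU, so forwarded segments are neither fragmented nor lost to a PMTU blackhole.` and tag the rule itself, e.g. `tcp flags syn tcp option maxseg size set rt mtu comment "clamp MSS to route MTU"`. The rule is correctly placed before the two accept rules, so it runs before any verdict; placed after them it would never be reached for accepted traffic. It only rewrites the option and issues no verdict, so the chain's `policy drop` still governs everything the two accept rules do not match. `tcp flags syn` also matches SYN-ACK, which is normally desirable for clamping both directions; if only client-initiated SYNs are meant, `tcp flags & (syn|ack) == syn` narrows it. The `rt mtu` expression presumably requires a reasonably recent kernel and nftables userspace, which is worth confirming on the hosts this module targets.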
