From f4c4a3eae96b8795834e535d1dad664179969f74 Mon Sep 17 00:00:00 2001
From: Mel
Date: Thu, 23 Apr 2026 20:41:37 +0200
Subject: Don't shatter VPN ingress packets on local transmission between interfaces
Signed-off-by: Mel
---
 modules/vpn/ingress.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/vpn/ingress.nix b/modules/vpn/ingress.nix
index 2cf1ae5..b05572e 100644
--- a/modules/vpn/ingress.nix
+++ b/modules/vpn/ingress.nix
@@ -112,6 +112,7 @@ in
 # allow forwarding packets between egress and ingress, but avoid any snat,
 # ip should always keep it's origin form, for correct egress routing.
+ # also adapt mss to outgoing mss value, so that we don't shatter packets.
 networking.nftables.ruleset = let
 ingressInterfaces = concatImapStringsSep "\", \"" (i: _: ingressName (i - 1)) paths;
@@ -121,6 +122,8 @@ in
 chain forward {
 type filter hook forward priority 0; policy drop;
+ tcp flags syn tcp option maxseg size set rt mtu
+
 iifname { "${ingressInterfaces}" } oifname "${egressName}" accept
 iifname "${egressName}" oifname { "${ingressInterfaces}" } accept
 }
-- 
cgit 1.4.1
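Review bot: The new `tcp flags syn tcp option maxseg size set rt mtu` rule in the forward chain is placed correctly ahead of the terminal `accept` rules, but it matches every forwarded SYN regardless of interface pair and the added comment in the first hunk does not say what `rt mtu` actually clamps to, so a later reader may not know why it must sit first. Suggest replacing the added comment with `# clamp TCP MSS on forwarded SYNs to the route MTU (rt mtu) so tunnelled segments are not fragmented; must precede the accept rules, since accept is terminal`. Note that `rt mtu` is the kernel's route/PMTU value toward the destination, so if the tunnel's encapsulation overhead is not reflected in the route MTU of the egress path the clamp will presumably still be too large; it is worth confirming the ingress/egress interface MTUs are set accordingly. The `networking.nftables.ruleset` let-expression opened in the first hunk, and the table enclosing this chain, continue past the end of the second hunk.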