Managing Latency on Encrypted Links: Tuning MTU and MSS
When you wrap your network traffic in multiple layers of security—such as handling private DNS queries inside a WireGuard tunnel that routes through a travel router—you introduce cryptographic overhead. This overhead increases the physical size of your data packets. If a packet becomes too large for the local ISP infrastructure to handle, it must be split into smaller pieces, a process known as fragmentation. Packet fragmentation causes severe latency spikes, packet loss, and degraded throughput, especially on restrictive or poorly optimized public networks.
Understanding the Metrics: MTU and MSS
To eliminate fragmentation and restore lean performance to your “Pipes,” you must manually optimize two critical network values: the Maximum Transmission Unit (MTU) and the Maximum Segment Size (MSS).
- Maximum Transmission Unit (MTU): This defines the largest physical packet size (in bytes) that an interface can accept without breaking it apart. The standard internet MTU is 1500 bytes.
- Maximum Segment Size (MSS): This specifies the largest amount of actual data that a single TCP segment can carry, excluding the IP and TCP headers. It is advertised by each side in the TCP option of its SYN packet.
The WireGuard Overhead Formula
WireGuard adds exactly 60 bytes of overhead to every packet for its own encryption headers (or 80 bytes if the tunnel endpoint is reached over an IPv6 link). If your local Wi-Fi connection uses a standard MTU of 1500, setting your WireGuard interface (wg0) to 1500 as well guarantees fragmentation: a full-size inner packet grows past 1500 bytes once it is encapsulated. To keep your link clear, subtract the overhead from the link MTU: 1500 - 80 = 1420. For most networks, clamping your WireGuard MTU to 1420 (safe whether the endpoint is reached over IPv4 or IPv6) resolves latency bottlenecks immediately; use 1280, the minimum MTU IPv6 guarantees on every path, for maximum compatibility across unstable mobile infrastructure.
Clamping TCP MSS at the Firewall
If you manage a travel router running open firmware, you can enforce this performance fix for every client behind it with a firewall rule known as MSS clamping. The rule matches the SYN packets that open each TCP connection and rewrites the MSS option they advertise to fit your secure tunnel, so no device connected behind your perimeter ever sends a segment that exceeds the limit. The value is the tunnel MTU minus the IPv4 and TCP headers: 1420 - 20 - 20 = 1360 (clients carrying IPv6 inside the tunnel need 20 bytes less, 1340). With nftables, assuming a table named inet filter with a forward chain already exists:
nft add rule inet filter forward tcp flags syn tcp option maxseg size set 1360
By manually sizing your network data packets to fit perfectly within your encrypted tunnels, you eliminate the overhead that causes lag, ensuring a highly responsive, low-footprint connection regardless of local conditions.