On my laptop I am using a WireGuard always-on VPN. This works absolutely fine for the OS itself; however, Docker containers making connections to certain things (primarily GitHub over HTTPS) do not work.
As is typical with MTU issues, the symptom is mainly broken HTTPS connectivity to badly configured servers; from the client side it appears as though the connections time out.
There are multiple ways to work around this; I prefer to use a firewall rule to do it.
The TCP MSS can be clamped using the following iptables rule:
    iptables -I FORWARD -i docker0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
If you are not using docker0 as the Docker bridge interface name and wg0 as the WireGuard interface name, adjust them accordingly.
The following nftables rule can be used as an alternative to iptables:
    # Main inet family filtering table
    table inet filter {
        # Rules for forwarded traffic
        chain forward {
            type filter hook forward priority 0; policy drop;
            ## Adjust TCP MSS for Docker containers (SYN set, RST clear)
            iifname docker0 oifname wg0 tcp flags & (syn|rst) == syn \
                tcp option maxseg size set 1360 \
                comment "Adjust TCP MSS for Docker containers"
            ## Other rules go here
        }
        ## Other chains go here
    }
An alternative to adding the above nftables rule on the host running Docker is to add it on the WireGuard server instead; the same rule, with the in/out interface names adjusted, can be used there. See the WireGuard nftables Template for more information.
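To make concrete what the iptables TCPMSS target and the nftables `tcp option maxseg size set` rule above do to each packet, here is an added Python example (not code from the original post): it constructs a sample IPv4 SYN carrying an MSS option, applies the same clamp (SYN set, RST clear, MSS only ever lowered, TCP checksum recomputed over the pseudo-header) and leaves other segments untouched. The addresses, ports and the 1460 starting MSS are constructed sample values; unlike the kernel target, this example only rewrites an existing MSS option and does not insert one where none is present.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(pkt: bytes, tcp_len: int) -> bytes:
    # IPv4 pseudo-header (src, dst, zero, proto 6, TCP length) the TCP checksum covers
    return struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, tcp_len)

def find_mss(pkt: bytes):
    """Walk the TCP option list; return (offset in pkt, value) of the MSS option, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i + 1 < end and pkt[i] != 0:            # kind 0 ends the option list
        if pkt[i] == 1:                           # kind 1 is a one-byte NOP
            i += 1
            continue
        if pkt[i] == 2 and pkt[i + 1] == 4:       # MSS option: kind 2, length 4
            return i + 2, struct.unpack_from("!H", pkt, i + 2)[0]
        i += max(pkt[i + 1], 2)                   # skip option; never loop on a bad length
    return None

def build_syn(src: bytes, dst: bytes, mss: int, flags: int = 0x02) -> bytes:
    """Constructed sample: IPv4 header + 24-byte TCP header with one MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, flags, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    csum = checksum(pseudo_header(ip, len(tcp)) + tcp)
    return ip + tcp[:16] + struct.pack("!H", csum) + tcp[18:]

def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    """What `--tcp-flags SYN,RST SYN -j TCPMSS --set-mss N` does to one packet: lower (never raise) a plain SYN's MSS to N and fix the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    found = find_mss(pkt)
    if (pkt[ihl + 13] & 0x06) != 0x02 or found is None or found[1] <= max_mss:
        return pkt                                # not a plain SYN, or MSS already small enough
    out = bytearray(pkt)
    struct.pack_into("!H", out, found[0], max_mss)
    out[ihl + 16:ihl + 18] = b"\x00\x00"          # zero the checksum field before recomputing
    struct.pack_into("!H", out, ihl + 16, checksum(pseudo_header(pkt, len(pkt) - ihl) + out[ihl:]))
    return bytes(out)

def tcp_checksum_ok(pkt: bytes) -> bool:
    # a correct TCP checksum verifies to zero when summed together with the pseudo-header
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pseudo_header(pkt, len(pkt) - ihl) + pkt[ihl:]) == 0
```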