internal/vpn/tunnelup.go

package vpn

import (
	"context"
	"errors"
	"fmt"
	"net/netip"
	"time"

	"github.com/qdm12/dns/v2/pkg/check"
	"github.com/qdm12/gluetun/internal/constants"
	"github.com/qdm12/gluetun/internal/pmtud"
	"github.com/qdm12/gluetun/internal/version"
	"github.com/qdm12/log"
)

type tunnelUpData struct {
	// Healthcheck
	serverIP netip.Addr
	// vpnType is used for path MTU discovery to find the protocol overhead.
	// It can be "wireguard" or "openvpn".
	vpnType string
	// Port forwarding
	vpnIntf        string
	serverName     string // used for PIA
	canPortForward bool   // used for PIA
	username       string // used for PIA
	password       string // used for PIA
	portForwarder  PortForwarder
}

func (l *Loop) onTunnelUp(ctx, loopCtx context.Context, data tunnelUpData) {
	l.client.CloseIdleConnections()

	for _, vpnPort := range l.vpnInputPorts {
		err := l.fw.SetAllowedPort(ctx, vpnPort, data.vpnIntf)
		if err != nil {
			l.logger.Error("cannot allow input port through firewall: " + err.Error())
		}
	}

	icmpTarget := l.healthSettings.ICMPTargetIP
	if icmpTarget.IsUnspecified() {
		icmpTarget = data.serverIP
	}
	l.healthChecker.SetConfig(l.healthSettings.TargetAddress, icmpTarget)

	healthErrCh, err := l.healthChecker.Start(ctx)
	l.healthServer.SetError(err)
	if err != nil {
		// Note this restart call must be done in a separate goroutine
		// from the VPN loop goroutine.
		l.restartVPN(loopCtx, err)
		return
	}

	mtuLogger := l.logger.New(log.SetComponent("MTU discovery"))
	err = updateToMaxMTU(ctx, data.vpnIntf, data.vpnType,
		l.netLinker, l.routing, mtuLogger)
	if err != nil {
		mtuLogger.Error(err.Error())
	}

	if *l.dnsLooper.GetSettings().ServerEnabled {
		_, _ = l.dnsLooper.ApplyStatus(ctx, constants.Running)
	} else {
		err := check.WaitForDNS(ctx, check.Settings{})
		if err != nil {
			l.logger.Error("waiting for DNS to be ready: " + err.Error())
		}
	}

	err = l.publicip.RunOnce(ctx)
	if err != nil {
		l.logger.Error("getting public IP address information: " + err.Error())
	}

	if l.versionInfo {
		l.versionInfo = false // only get the version information once
		message, err := version.GetMessage(ctx, l.buildInfo, l.client)
		if err != nil {
			l.logger.Error("cannot get version information: " + err.Error())
		} else {
			l.logger.Info(message)
		}
	}

	err = l.startPortForwarding(data)
	if err != nil {
		l.logger.Error(err.Error())
	}

	l.collectHealthErrors(ctx, loopCtx, healthErrCh)
}

func (l *Loop) collectHealthErrors(ctx, loopCtx context.Context, healthErrCh <-chan error) {
	var previousHealthErr error
	for {
		select {
		case <-ctx.Done():
			_ = l.healthChecker.Stop()
			return
		case healthErr := <-healthErrCh:
			l.healthServer.SetError(healthErr)
			if healthErr != nil {
				if *l.healthSettings.RestartVPN {
					// Note this restart call must be done in a separate goroutine
					// from the VPN loop goroutine.
					_ = l.healthChecker.Stop()
					l.restartVPN(loopCtx, healthErr)
					return
				}
				l.logger.Warnf("healthcheck failed: %s", healthErr)
				l.logger.Info("👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md")
			} else if previousHealthErr != nil {
				l.logger.Info("healthcheck passed successfully after previous failure(s)")
			}
			previousHealthErr = healthErr
		}
	}
}

func (l *Loop) restartVPN(ctx context.Context, healthErr error) {
	l.logger.Warnf("restarting VPN because it failed to pass the healthcheck: %s", healthErr)
	l.logger.Info("👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md")
	l.logger.Info("DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION")
	_, _ = l.ApplyStatus(ctx, constants.Stopped)
	_, _ = l.ApplyStatus(ctx, constants.Running)
}

var errVPNTypeUnknown = errors.New("unknown VPN type")

func updateToMaxMTU(ctx context.Context, vpnInterface string,
	vpnType string, netlinker NetLinker, routing Routing, logger *log.Logger,
) error {
	logger.Info("finding maximum MTU, this can take up to 4 seconds")

	vpnGatewayIP, err := routing.VPNLocalGatewayIP(vpnInterface)
	if err != nil {
		return fmt.Errorf("getting VPN gateway IP address: %w", err)
	}

	link, err := netlinker.LinkByName(vpnInterface)
	if err != nil {
		return fmt.Errorf("getting VPN interface by name: %w", err)
	}

	originalMTU := link.MTU

	// Note: no point testing for an MTU of 1500, it will never work due to the VPN
	// protocol overhead, so start lower than 1500 according to the protocol used.
	const physicalLinkMTU = 1500
	vpnLinkMTU := physicalLinkMTU
	switch vpnType {
	case "wireguard":
		vpnLinkMTU -= 60 // Wireguard overhead
	case "openvpn":
		vpnLinkMTU -= 41 // OpenVPN overhead
	default:
		return fmt.Errorf("%w: %q", errVPNTypeUnknown, vpnType)
	}

	// Setting the VPN link MTU to 1500 might interrupt the connection until
	// the new MTU is set again, but this is necessary to find the highest valid MTU.
	logger.Debugf("VPN interface %s MTU temporarily set to %d", vpnInterface, vpnLinkMTU)

	err = netlinker.LinkSetMTU(link, vpnLinkMTU)
	if err != nil {
		return fmt.Errorf("setting VPN interface %s MTU to %d: %w", vpnInterface, vpnLinkMTU, err)
	}

	const pingTimeout = time.Second
	vpnLinkMTU, err = pmtud.PathMTUDiscover(ctx, vpnGatewayIP, vpnLinkMTU, pingTimeout, logger)
	switch {
	case err == nil:
		logger.Infof("setting VPN interface %s MTU to maximum valid MTU %d", vpnInterface, vpnLinkMTU)
	case errors.Is(err, pmtud.ErrMTUNotFound) || errors.Is(err, pmtud.ErrICMPNotPermitted):
		vpnLinkMTU = int(originalMTU)
		logger.Infof("reverting VPN interface %s MTU to %d (due to: %s)",
			vpnInterface, originalMTU, err)
	default:
		return fmt.Errorf("path MTU discovering: %w", err)
	}

	err = netlinker.LinkSetMTU(link, vpnLinkMTU)
	if err != nil {
		return fmt.Errorf("setting VPN interface %s MTU to %d: %w", vpnInterface, vpnLinkMTU, err)
	}

	return nil
}
Maint: internal/vpn package for vpn loop 2021-08-18 22:01:04 +00:00			`package vpn`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00
			`import (`
			`"context"`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`"errors"`
			`"fmt"`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`"net/netip"`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`"time"`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00
feat(vpn): run `WaitForDNS` before querying the public ip address - Fix #2325 better 2024-10-07 20:11:23 +00:00			`"github.com/qdm12/dns/v2/pkg/check"`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00			`"github.com/qdm12/gluetun/internal/constants"`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`"github.com/qdm12/gluetun/internal/pmtud"`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00			`"github.com/qdm12/gluetun/internal/version"`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`"github.com/qdm12/log"`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00			`)`

Maint: remove startPFCh from Openvpn loop 2021-08-18 16:07:35 +00:00			`type tunnelUpData struct {`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`// Healthcheck`
			`serverIP netip.Addr`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`// vpnType is used for path MTU discovery to find the protocol overhead.`
			`// It can be "wireguard" or "openvpn".`
			`vpnType string`
Maint: remove startPFCh from Openvpn loop 2021-08-18 16:07:35 +00:00			`// Port forwarding`
chore(portforward): remove PIA dependency on storage package 2024-05-02 09:17:30 +00:00			`vpnIntf string`
			`serverName string // used for PIA`
feat(privatevpn): native port forwarding support (#2285) 2024-08-16 14:20:00 +02:00			`canPortForward bool // used for PIA`
feat(pia): port forwarding options `VPN_PORT_FORWARDING_USERNAME` and `VPN_PORT_FORWARDING_PASSWORD` - Retro-compatible with `OPENVPN_USER` + `OPENVPN_PASSWORD` - No more reading for the OpenVPN auth file - Allow to use PIA port forwarding with Wireguard 2024-07-09 14:44:46 +00:00			`username string // used for PIA`
			`password string // used for PIA`
chore(portforward): remove PIA dependency on storage package 2024-05-02 09:17:30 +00:00			`portForwarder PortForwarder`
Maint: remove startPFCh from Openvpn loop 2021-08-18 16:07:35 +00:00			`}`

feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`func (l *Loop) onTunnelUp(ctx, loopCtx context.Context, data tunnelUpData) {`
Fix: close HTTP client connections when tunnel comes up 2021-09-10 22:53:05 +00:00			`l.client.CloseIdleConnections()`

Maint: dynamically set allowed VPN input ports - Feat: allow to change VPN type at runtime - Feat: allow to change interface name at runtime - Maint: Add cleanup method to cleanup VPN loop on a vpn shutdown - Change: allow VPN inputs ports only when tunnel is up 2021-09-13 00:50:20 +00:00			`for _, vpnPort := range l.vpnInputPorts {`
			`err := l.fw.SetAllowedPort(ctx, vpnPort, data.vpnIntf)`
			`if err != nil {`
			`l.logger.Error("cannot allow input port through firewall: " + err.Error())`
			`}`
			`}`

feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`icmpTarget := l.healthSettings.ICMPTargetIP`
			`if icmpTarget.IsUnspecified() {`
			`icmpTarget = data.serverIP`
			`}`
			`l.healthChecker.SetConfig(l.healthSettings.TargetAddress, icmpTarget)`

			`healthErrCh, err := l.healthChecker.Start(ctx)`
			`l.healthServer.SetError(err)`
			`if err != nil {`
			`// Note this restart call must be done in a separate goroutine`
			`// from the VPN loop goroutine.`
			`l.restartVPN(loopCtx, err)`
			`return`
			`}`

Run MTU discovery AFTER healthcheck is started 2025-10-17 00:39:44 +00:00			`mtuLogger := l.logger.New(log.SetComponent("MTU discovery"))`
			`err = updateToMaxMTU(ctx, data.vpnIntf, data.vpnType,`
			`l.netLinker, l.routing, mtuLogger)`
			`if err != nil {`
			`mtuLogger.Error(err.Error())`
			`}`

feat(dns): `DNS_UPSTREAM_RESOLVER_TYPE` option which can be `plain` or `DoT` - Migrate `DOT` to `DNS_SERVER` - Migrate `DOT_PROVIDERS` to `DNS_UPSTREAM_RESOLVERS` - Migrate `DOT_PRIVATE_ADDRESS` to `DNS_PRIVATE_ADDRESSES` - Migrate `DOT_CACHING` to `DNS_CACHING` - Migrate `DOT_IPV6` to `DNS_UPSTREAM_IPV6` 2025-11-05 20:41:19 +00:00			`if *l.dnsLooper.GetSettings().ServerEnabled {`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00			`_, _ = l.dnsLooper.ApplyStatus(ctx, constants.Running)`
feat(vpn): run `WaitForDNS` before querying the public ip address - Fix #2325 better 2024-10-07 20:11:23 +00:00			`} else {`
			`err := check.WaitForDNS(ctx, check.Settings{})`
			`if err != nil {`
			`l.logger.Error("waiting for DNS to be ready: " + err.Error())`
			`}`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00			`}`

Remove VPN_PMTUD option 2025-10-03 14:21:38 +00:00			`err = l.publicip.RunOnce(ctx)`
feat(vpn): run `WaitForDNS` before querying the public ip address - Fix #2325 better 2024-10-07 20:11:23 +00:00			`if err != nil {`
			`l.logger.Error("getting public IP address information: " + err.Error())`
			`}`
fix(publicip): rework run loop and fix restarts - Clearing IP data on VPN disconnection clears file - More efficient partial updates - Fix loop exit - Validate settings before updating 2023-09-24 14:55:51 +00:00
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00			`if l.versionInfo {`
			`l.versionInfo = false // only get the version information once`
			`message, err := version.GetMessage(ctx, l.buildInfo, l.client)`
			`if err != nil {`
			`l.logger.Error("cannot get version information: " + err.Error())`
			`} else {`
			`l.logger.Info(message)`
			`}`
			`}`
Maint: remove startPFCh from Openvpn loop 2021-08-18 16:07:35 +00:00
feat(vpn): run `WaitForDNS` before querying the public ip address - Fix #2325 better 2024-10-07 20:11:23 +00:00			`err = l.startPortForwarding(data)`
Maint: remove startPFCh from Openvpn loop 2021-08-18 16:07:35 +00:00			`if err != nil {`
			`l.logger.Error(err.Error())`
			`}`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00
feat(health): info log when healthcheck passes after failure for the case of `HEALTH_VPN_RESTART=off` 2025-10-21 18:42:33 +00:00			`l.collectHealthErrors(ctx, loopCtx, healthErrCh)`
			`}`

			`func (l *Loop) collectHealthErrors(ctx, loopCtx context.Context, healthErrCh <-chan error) {`
			`var previousHealthErr error`
feat(health): `HEALTH_RESTART_VPN` option - You should really leave it to `on` ⚠️ - Turn it to `off` if you have trust issues with the healthcheck. Don't then report issues if the connection is dead though. 2025-10-21 15:36:15 +00:00			`for {`
			`select {`
			`case <-ctx.Done():`
			`_ = l.healthChecker.Stop()`
			`return`
			`case healthErr := <-healthErrCh:`
			`l.healthServer.SetError(healthErr)`
			`if healthErr != nil {`
			`if *l.healthSettings.RestartVPN {`
			`// Note this restart call must be done in a separate goroutine`
			`// from the VPN loop goroutine.`
			`_ = l.healthChecker.Stop()`
			`l.restartVPN(loopCtx, healthErr)`
			`return`
			`}`
			`l.logger.Warnf("healthcheck failed: %s", healthErr)`
			`l.logger.Info("👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md")`
hotfix(health): info log on healthcheck passing after failure 2025-10-23 18:58:19 +00:00			`} else if previousHealthErr != nil {`
			`l.logger.Info("healthcheck passed successfully after previous failure(s)")`
feat(health): `HEALTH_RESTART_VPN` option - You should really leave it to `on` ⚠️ - Turn it to `off` if you have trust issues with the healthcheck. Don't then report issues if the connection is dead though. 2025-10-21 15:36:15 +00:00			`}`
feat(health): info log when healthcheck passes after failure for the case of `HEALTH_VPN_RESTART=off` 2025-10-21 18:42:33 +00:00			`previousHealthErr = healthErr`
feat(health): `HEALTH_RESTART_VPN` option - You should really leave it to `on` ⚠️ - Turn it to `off` if you have trust issues with the healthcheck. Don't then report issues if the connection is dead though. 2025-10-21 15:36:15 +00:00			`}`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`}`
			`}`

			`func (l *Loop) restartVPN(ctx context.Context, healthErr error) {`
			`l.logger.Warnf("restarting VPN because it failed to pass the healthcheck: %s", healthErr)`
			`l.logger.Info("👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md")`
			`l.logger.Info("DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION")`
			`_, _ = l.ApplyStatus(ctx, constants.Stopped)`
			`_, _ = l.ApplyStatus(ctx, constants.Running)`
Maint: move routeReadyEvents to openvpn package 2021-08-16 19:19:41 +00:00			`}`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00
			`var errVPNTypeUnknown = errors.New("unknown VPN type")`

			`func updateToMaxMTU(ctx context.Context, vpnInterface string,`
Use the VPN local gateway IP address to run path MTU discovery 2025-10-06 10:03:15 +00:00			`vpnType string, netlinker NetLinker, routing Routing, logger *log.Logger,`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`) error {`
Use the VPN local gateway IP address to run path MTU discovery 2025-10-06 10:03:15 +00:00			`logger.Info("finding maximum MTU, this can take up to 4 seconds")`

			`vpnGatewayIP, err := routing.VPNLocalGatewayIP(vpnInterface)`
			`if err != nil {`
			`return fmt.Errorf("getting VPN gateway IP address: %w", err)`
			`}`

Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`link, err := netlinker.LinkByName(vpnInterface)`
			`if err != nil {`
			`return fmt.Errorf("getting VPN interface by name: %w", err)`
			`}`

Revert to VPN original MTU (set by WIREGUARD_MTU for example) if ICMP fails 2025-10-03 14:16:47 +00:00			`originalMTU := link.MTU`

Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`// Note: no point testing for an MTU of 1500, it will never work due to the VPN`
			`// protocol overhead, so start lower than 1500 according to the protocol used.`
			`const physicalLinkMTU = 1500`
			`vpnLinkMTU := physicalLinkMTU`
			`switch vpnType {`
			`case "wireguard":`
			`vpnLinkMTU -= 60 // Wireguard overhead`
			`case "openvpn":`
			`vpnLinkMTU -= 41 // OpenVPN overhead`
			`default:`
			`return fmt.Errorf("%w: %q", errVPNTypeUnknown, vpnType)`
			`}`

			`// Setting the VPN link MTU to 1500 might interrupt the connection until`
			`// the new MTU is set again, but this is necessary to find the highest valid MTU.`
			`logger.Debugf("VPN interface %s MTU temporarily set to %d", vpnInterface, vpnLinkMTU)`

			`err = netlinker.LinkSetMTU(link, vpnLinkMTU)`
			`if err != nil {`
			`return fmt.Errorf("setting VPN interface %s MTU to %d: %w", vpnInterface, vpnLinkMTU, err)`
			`}`

			`const pingTimeout = time.Second`
Use the VPN local gateway IP address to run path MTU discovery 2025-10-06 10:03:15 +00:00			`vpnLinkMTU, err = pmtud.PathMTUDiscover(ctx, vpnGatewayIP, vpnLinkMTU, pingTimeout, logger)`
Improve logging in case of ICMP blocked 2025-10-03 14:07:07 +00:00			`switch {`
			`case err == nil:`
Handle ICMP not permitted errors 2025-10-14 17:56:04 +00:00			`logger.Infof("setting VPN interface %s MTU to maximum valid MTU %d", vpnInterface, vpnLinkMTU)`
			`case errors.Is(err, pmtud.ErrMTUNotFound) \|\| errors.Is(err, pmtud.ErrICMPNotPermitted):`
Revert to VPN original MTU (set by WIREGUARD_MTU for example) if ICMP fails 2025-10-03 14:16:47 +00:00			`vpnLinkMTU = int(originalMTU)`
Handle ICMP not permitted errors 2025-10-14 17:56:04 +00:00			`logger.Infof("reverting VPN interface %s MTU to %d (due to: %s)",`
Revert to VPN original MTU (set by WIREGUARD_MTU for example) if ICMP fails 2025-10-03 14:16:47 +00:00			`vpnInterface, originalMTU, err)`
Improve logging in case of ICMP blocked 2025-10-03 14:07:07 +00:00			`default:`
			`return fmt.Errorf("path MTU discovering: %w", err)`
Use PMTUD to set the MTU to the VPN interface - Add `VPN_PMTUD` option enabled by default - One can revert to use `VPN_PMTUD=off` to disable the new PMTUD mechanism 2025-09-10 14:43:21 +00:00			`}`

			`err = netlinker.LinkSetMTU(link, vpnLinkMTU)`
			`if err != nil {`
			`return fmt.Errorf("setting VPN interface %s MTU to %d: %w", vpnInterface, vpnLinkMTU, err)`
			`}`

			`return nil`
			`}`