TCP MSS clamping with iptables for IPSec tunnel

When routing traffic through a tunnel (for example IPSec), an endpoint might need to do MSS clamping if you are experiencing MTU issues.

For example, suppose you are using a site-to-site VPN, with a specific gateway as the endpoint. When browsing websites through the tunnel, some websites might not load properly.

An example using iptables to fix this problem:

iptables -A FORWARD -s -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

This sets the MSS to 1360 on TCP SYN packets from the given source that are forwarded out of interface ens4.

The 1360 value depends on the situation and reflects the overhead created by IPsec encapsulation.


Multiple default gateways on Linux

Suppose you have a Linux machine doing IP forwarding (net.ipv4.ip_forward=1).

Depending on the incoming traffic, you might want to forward packets to different gateways.

With just one gateway, you can simply add (or replace) the default gateway:
ip route add default via x.x.x.x

If you want to use a different default gateway for a specific (incoming) source IP range, you can add a custom routing table using iproute2:

  • echo 200 custom >> /etc/iproute2/rt_tables
  • ip rule add from table custom
  • ip route add default via y.y.y.y table custom
  • ip route flush cache
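Bringing the MSS clamping and policy-routing steps above together, here is an added shell example (not from the original page) with idempotent helpers: it derives the clamp value from the tunnel path MTU and the IPsec overhead, appends to /etc/iproute2/rt_tables only once, and installs the rule and default route. The source range, gateway, MTU and overhead values in the comments are assumed placeholders, and `ip route replace` is used instead of `add` so that re-running does not fail.

```shell
#!/bin/sh
# Added example, not from the original page. Usage (as root):
#   mss=$(compute_mss 1500 100)        # path MTU, IPsec overhead (assumed values)
#   ensure_rt_table /etc/iproute2/rt_tables 200 custom
#   policy_route 10.0.0.0/24 192.0.2.1 custom   # assumed source range and gateway
# IP may be overridden (IP=some_wrapper) for a dry run.

# MSS = path MTU - IPsec overhead - 40 (IPv4 header 20 + TCP header 20).
# Refuses anything below 536, the IPv4 default MSS, to catch typos.
compute_mss() {
  mtu=$1; overhead=$2
  mss=$((mtu - overhead - 40))
  [ "$mss" -ge 536 ] || { echo "mss $mss is too small" >&2; return 1; }
  echo "$mss"
}

# Append "ID NAME" to rt_tables only when that exact line is absent.
# Fails if ID or NAME is already taken with a different partner, since a
# duplicated or conflicting entry silently breaks table lookups by name.
ensure_rt_table() {
  file=$1; id=$2; name=$3
  if grep -Eq "^[[:space:]]*$id[[:space:]]+$name[[:space:]]*$" "$file"; then
    return 0
  fi
  if grep -Eq "^[[:space:]]*($id[[:space:]]|[0-9]+[[:space:]]+$name[[:space:]]*$)" "$file"; then
    echo "conflicting rt_tables entry for $id/$name" >&2; return 1
  fi
  printf '%s %s\n' "$id" "$name" >> "$file"
}

# Add the source-based rule only if 'ip rule show' does not list it yet,
# then (re)install the default route in the custom table and flush the cache.
policy_route() {
  src=$1; gw=$2; table=$3
  if ! ${IP:-ip} rule show | grep -q "from $src lookup $table"; then
    ${IP:-ip} rule add from "$src" table "$table"
  fi
  ${IP:-ip} route replace default via "$gw" table "$table"
  ${IP:-ip} route flush cache
}
```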