MTU is wrong when enabling Wireguard for Multicluster #5914
Labels
area/multi-cluster
Issues or PRs related to multi cluster.
area/transit/encryption
Issues or PRs related to transit encryption (IPSec, SSL).
kind/bug
Categorizes issue or PR as related to a bug.
Describe the bug
While fixing #5868, @hjiajing and I tested more scenarios and found the issue: when enabling WireGuard for Multicluster, the MTU of all Pod interfaces and the WireGuard interface was reduced by 130 bytes (50 for Geneve + 80 for WireGuard), however, cross-cluster traffic sent from Pods was not forwarded by the WireGuard interface.
This is because traffic originating from Pods will be encapsulated on the gateway Node, and it's the encapsulated packet which will be encrypted. If the WireGuard interface is set with the same MTU as the Pod interface, the encapsulated packet will exceed the WireGuard interface's MTU.
Versions:
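The packet path described in this issue, modelled as an added example (not Antrea's own code): a full-size Pod packet is checked against each interface MTU and grows by the overhead applied after it. The 1500-byte physical MTU, the hop names, and the WireGuard MTU used for the passing case (Pod MTU + 50) are assumptions derived from the explanation above.

```go
package main

import "fmt"

// Overheads quoted in the issue.
const (
	geneveOverhead    = 50
	wireGuardOverhead = 80
)

// hop is one interface on the egress path: the packet must fit mtu,
// then grows by overhead (the encapsulation applied after this hop).
type hop struct {
	name     string
	mtu      int
	overhead int
}

// podMTU is the Pod interface MTU the issue describes: physical MTU minus 130.
func podMTU(physMTU int) int { return physMTU - geneveOverhead - wireGuardOverhead }

// crossClusterPath models Pod -> Geneve encap on gateway Node -> WireGuard -> wire.
func crossClusterPath(physMTU, wgMTU int) []hop {
	return []hop{
		{"pod", podMTU(physMTU), geneveOverhead},
		{"wireguard", wgMTU, wireGuardOverhead},
		{"physical", physMTU, 0},
	}
}

// firstDrop returns the first hop whose MTU the packet exceeds, or "" if it fits.
func firstDrop(size int, path []hop) string {
	for _, h := range path {
		if size > h.mtu {
			return h.name
		}
		size += h.overhead
	}
	return ""
}

func main() {
	const phys = 1500 // assumed physical MTU
	pod := podMTU(phys)
	// Reported behaviour: WireGuard interface has the same MTU as Pods.
	fmt.Printf("wg=%d drop at %q\n", pod, firstDrop(pod, crossClusterPath(phys, pod)))
	// Assumed adjustment: WireGuard MTU leaves room for the Geneve header.
	wg := pod + geneveOverhead
	fmt.Printf("wg=%d drop at %q\n", wg, firstDrop(pod, crossClusterPath(phys, wg)))
}
```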