From f74b31ad0b377bcd73c68a02a21b9208cd2ccd44 Mon Sep 17 00:00:00 2001
From: Rat Poison <ratpoison4@protonmail.com>
Date: Tue, 24 Nov 2020 13:19:29 +0100
Subject: [PATCH] WireGuard guide: fix MTU issue

Some sites work in sys-wireguard, but did not work in an AppVM
connected to sys-wireguard. Examples:

https://duckduckgo.com
https://atlassian.net

The problem is caused by MTU. The solution was proposed on
https://github.com/QubesOS/qubes-issues/issues/5264#issuecomment-707683771
---
 docs/wireguard/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/wireguard/README.md b/docs/wireguard/README.md
index 7a720fd..18b1d94 100644
--- a/docs/wireguard/README.md
+++ b/docs/wireguard/README.md
@@ -90,7 +90,7 @@ Create the file `/home/user/wg0.conf` with the following content:
 PrivateKey = <private key of the client>
 Address = 192.168.66.2/32
 DNS = 1.1.1.1
-PostUp = iptables -t nat -I PREROUTING 1 -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1
+PostUp = iptables -t nat -I PREROUTING 1 -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1; iptables -t nat -I POSTROUTING 3 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
 [Peer]
 PublicKey = <public key of the client>