diff --git a/dev-docs/howto/vpn/helm/templates/_helpers.tpl b/dev-docs/howto/vpn/helm/templates/_helpers.tpl
index a5218b3ee..ab8a91e66 100644
--- a/dev-docs/howto/vpn/helm/templates/_helpers.tpl
+++ b/dev-docs/howto/vpn/helm/templates/_helpers.tpl
@@ -39,4 +39,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 value: {{ .Values.serviceCIDR | quote }}
 - name: VPN_FRONTEND_POD
 value: {{ include "..fullname" . }}-frontend-0
+- name: VPN_MTU
+ value: {{ .Values.mtu | quote }}
 {{- end }}
diff --git a/dev-docs/howto/vpn/helm/values.yaml b/dev-docs/howto/vpn/helm/values.yaml
index 13281c917..607a2775d 100644
--- a/dev-docs/howto/vpn/helm/values.yaml
+++ b/dev-docs/howto/vpn/helm/values.yaml
@@ -8,6 +8,10 @@ serviceCIDR: "10.96.0.0/12"
 # on-prem IP ranges to expose to Constellation. Must contain at least one CIDR.
 peerCIDRs: []
+# MTU to set on the VPN route. Leave empty if path MTU discovery is supported end-to-end.
+# See also https://docs.strongswan.org/docs/5.9/howtos/forwarding.html#_mtumss_issues.
+mtu: 1300
+
 # IPSec configuration
 ipsec:
 # pre-shared key used for authentication
@@ -15,4 +19,4 @@ ipsec:
 # Address of the peer's gateway router.
 peer: ""
-image: "ghcr.io/edgelesssys/constellation/vpn@sha256:34e28ced172d04dfdadaadbefb1a53b5857cb24fb24e275fbbc537f3639a789e"
+image: "ghcr.io/edgelesssys/constellation/vpn@sha256:88b6a0265052cb0a68d20d9b20e0d42ef15e7a80e5f71201ecf32e004de2356e"
diff --git a/nix/container/vpn/sidecar.sh b/nix/container/vpn/sidecar.sh
index c6720f41b..a77c8bc7a 100755
--- a/nix/container/vpn/sidecar.sh
+++ b/nix/container/vpn/sidecar.sh
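Review bot: The new `VPN_MTU` entry passes `.Values.mtu` through `quote` with no check that it is an integer, and the sidecar.sh hunk later word-splits that value into an `ip route replace` command run in the host network namespace, so a malformed value fails late at runtime instead of at chart render time. A render-time guard ahead of the env list keeps misconfiguration out of the host-side command, e.g. `{{- if and .Values.mtu (not (regexMatch "^[0-9]+$" (toString .Values.mtu))) }}{{ fail "mtu must be a positive integer" }}{{- end }}`. Note also that `quote` appears to render nothing for a null value, so an absent `mtu` leaves a bare `value:` key while `mtu: ""` renders `value: ""`; `{{ .Values.mtu | default "" | quote }}` makes both forms produce the same output. The enclosing template block starts before this hunk.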
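Review bot: The comment on the new `mtu` key says to "leave empty" but does not say which empty form is meant, and the template consuming it (`.Values.mtu | quote` in the _helpers.tpl hunk) appears to treat `mtu: ""` and an omitted or null `mtu` differently (a quoted empty string versus a bare `value:` key). State the form explicitly so operators do not have to read the template, e.g. `# MTU to set on the VPN route. Set to "" to leave the route MTU unset and rely on end-to-end path MTU discovery.`. It may also help to say in the same comment why 1300 is the shipped default, since the linked strongSwan page is currently the only rationale.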
@@ -30,10 +30,17 @@ reconcile_sip_verification() {
 fi
 }
+optional_mtu() {
+ if [ -n "${VPN_MTU}" ]; then
+ printf "mtu %s" "${VPN_MTU}"
+ fi
+}
+
 # Set up the route from the node network namespace to the VPN pod.
 reconcile_route() {
 for cidr in ${VPN_PEER_CIDRS}; do
- nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)"
+ # shellcheck disable=SC2046 # Word splitting is intentional here.
+ nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)" $(optional_mtu)
 done
 }
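Review bot: `optional_mtu` substitutes `VPN_MTU` into the `ip route replace` command line, which runs in the host network namespace via `nsenter -t 1 -n`, without checking that it is numeric; because the splitting at `$(optional_mtu)` is intentional, any extra tokens in the value become further route attributes and the error only surfaces once the reconcile loop runs. Validate the variable once before the reconcile functions are invoked, e.g. `case "${VPN_MTU:-}" in *[!0-9]*) echo "VPN_MTU must be a positive integer" >&2; exit 1 ;; esac`, and use `"${VPN_MTU:-}"` in the `-n` test so the helper also works if the script runs under `set -u` (not visible in this hunk). A one-line comment above the helper would make its contract clear, e.g. `# Print "mtu <n>" for ip-route when VPN_MTU is set; print nothing otherwise.`. The value comes from the chart's env entry (see the _helpers.tpl hunk), so this is a misconfiguration guard rather than a defence against untrusted input.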