Description
On devices with too small an MTU, direct connections may be established (i.e. disco packets fit) but every packet containing app data is dropped, which renders the connection unusable.
This can happen on Cloudflare WARP VPN.
We should block these devices from being used for direct connections:
- When binding the UDP socket, do not bind to any devices that have an MTU below the minimum
- Don't share endpoints gathered locally from these devices
Background
Relates to https://github.com/coder/customers/issues/592
Inside the Wireguard tunnel to the workspace, we use IPv6 as the network layer protocol. IPv6 sets the minimum MTU for devices that carry it to 1280 octets. Thus, we set the virtual Wireguard TUN to an MTU of 1280 octets, and gVisor's tcpip stack will keep the inner IPv6 packets smaller than 1280 octets. However, these packets then need to get encapsulated in Wireguard, and in the case of direct connections, further encapsulated in UDP & IP and sent over the outer network interface. With this overhead, the typical TCP packets are 1338 octets. Thus, if the outer network interface has an MTU smaller than this, the packets are dropped.
It is not possible to reconfigure the inner protocols to use a smaller MTU because 1280 is the minimum for IPv6 according to the IPv6 specs.
gVisor is actually a bit conservative in its choice of segment size, leaving some extra room for TCP & IP options, so we may need greater than 1338 minimum to ensure packets aren't dropped.
Additional Requirements:
- Update our documentation to note this limitation
- Update our `netcheck` command to highlight devices which are being skipped