MTU matters for home network / overlay VPN users
If you're like me, you might have a home network with an overlay VPN setup. If you have this setup, you might sometimes hit a scenario like this: you can ping devices on your local network, but SSH and TLS connections to your local network hang. They hang in a very particular way: SSH stalls right after the connection opens, with no error at all, and a page in Firefox sits at “Performing a TLS handshake with [website]”.
If this happens and you're using a WireGuard-based VPN, and some part of your network stack is over a mobile network, you're probably hitting an MTU limit.
The fix is to manually lower the MTU to 1280 on one side or the other of the tunnel interface. If your MTU is too large (larger than the underlying network can carry once WireGuard's encapsulation overhead is added), your packets exceed what the physical link will accept and are silently dropped. That sounds absurd, but on LTE/5G in particular, carrier overhead plus WireGuard's headers plus a full-size packet is enough to cross the limit.
The easiest way to tell is the pattern of what works and what doesn't: small packets get through, full-size ones don't. DNS lookups and pings succeed, but a TLS connection to a service you know is up stalls as soon as either side sends a full-size packet, which a TLS handshake does almost immediately.
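To make the arithmetic concrete, here is a small POSIX shell script (an added example of mine, not part of the original post) that does two things: it works out the largest inner MTU a WireGuard tunnel can carry over a given underlay, using WireGuard's fixed 32-byte data-packet header plus the UDP and IP headers around it, and it probes a host for the real path MTU with Don't-Fragment pings. The helper names, the 1428-byte "LTE-ish" underlay used in the comments, and the Linux iputils `ping -M do` flags are my assumptions; macOS spells the same probe `ping -D -s SIZE`.

```shell
#!/bin/sh
# Added example, not from the original post.
# WireGuard data packet: 4 (type) + 4 (receiver index) + 8 (counter)
# + 16 (Poly1305 tag) = 32 bytes, carried in UDP (8) over IPv4 (20) or IPv6 (40).
# That is why wg-quick's default tunnel MTU is 1420 = 1500 - 80 (the IPv6 worst case).

# Largest inner (tunnel) MTU that fits in an underlay of $1 bytes over IPv$2.
wg_inner_mtu() {
    underlay_mtu=$1   # MTU of the physical link: 1500 on Ethernet, often less on LTE
    ip_version=$2     # 4 or 6: address family of the OUTER (underlay) packet
    case "$ip_version" in
        4) overhead=60 ;;   # 20 + 8 + 32
        6) overhead=80 ;;   # 40 + 8 + 32
        *) echo "ip_version must be 4 or 6" >&2; return 1 ;;
    esac
    echo $((underlay_mtu - overhead))
}

# Does an inner packet of $1 bytes (e.g. a full-size TLS or SSH segment) survive a
# tunnel whose underlay path MTU is $2 over IPv$3?  Prints "pass" or "drop".
# Example (assumed LTE-ish underlay of 1428): a 1420-byte inner packet is dropped,
# a 1280-byte one passes, and a 84-byte ping passes, matching the symptoms above.
encapsulated_fits() {
    inner_size=$1; underlay_mtu=$2; ip_version=$3
    max_inner=$(wg_inner_mtu "$underlay_mtu" "$ip_version") || return 1
    if [ "$inner_size" -le "$max_inner" ]; then echo pass; else echo drop; fi
}

# Binary-search the largest ICMP payload that reaches $1 with the DF bit set.
# $2 is a payload known to pass (default 0), $3 one known to fail (default 1473,
# one above the 1500-byte Ethernet maximum of 1472).  Linux iputils flags assumed.
# Usage: probe_path_mtu 192.0.2.10   (documentation address, substitute your peer)
probe_path_mtu() {
    host=$1; lo=${2:-0}; hi=${3:-1473}
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if ping -c 1 -W 1 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            lo=$mid    # got an echo reply: this size fits the path
        else
            hi=$mid    # timed out or "message too long": too big
        fi
    done
    # largest passing payload + 20 (IPv4) + 8 (ICMP) = path MTU in bytes
    echo $((lo + 28))
}
```

Once you know the number, lowering the tunnel MTU is one line: `ip link set dev wg0 mtu 1280`, or `MTU = 1280` under `[Interface]` in a wg-quick config so it survives a restart. Note that ping works through the tunnel even when the MTU is wrong because an ordinary echo request is far smaller than the limit; `probe_path_mtu` deliberately pushes the payload up until packets start disappearing.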
Strangely enough, iOS seems immune to this kind of tomfoolery, but macOS and Linux-based stacks don't seem to negotiate a workable MTU on their own.
