Set clamped MTU for obfuscation

1 files changed, 9 insertions, 6 deletions

diff --git a/talpid-wireguard/src/lib.rs b/talpid-wireguard/src/lib.rs
index 632bcd38b0..dc6964385a 100644
--- a/talpid-wireguard/src/lib.rs
+++ b/talpid-wireguard/src/lib.rs
@@ -168,6 +168,10 @@ impl WireguardMonitor {
         let endpoint_addrs = [params.get_next_hop_endpoint().address.ip()];
 
         let (close_obfs_sender, close_obfs_listener) = sync_mpsc::channel();
+        // Adjust MTU unless overridden by user
+        if params.options.mtu.is_none() {
+            config.mtu = clamp_mtu(params, config.mtu);
+        }
         // Start obfuscation server and patch the WireGuard config to point the endpoint to it.
         let obfuscation_mtu = config.mtu;
         let obfuscator = args
@@ -177,12 +181,11 @@ impl WireguardMonitor {
                 obfuscation_mtu,
                 close_obfs_sender.clone(),
             ))?;
-        // Don't adjust MTU if overridden by user
-        if params.options.mtu.is_none() {
-            if let Some(obfuscator) = obfuscator.as_ref() {
-                config.mtu = config.mtu.saturating_sub(obfuscator.packet_overhead());
-            }
-            config.mtu = clamp_mtu(params, config.mtu);
+        // Adjust MTU again for obfuscation packet overhead
+        if params.options.mtu.is_none()
+            && let Some(obfuscator) = obfuscator.as_ref()
+        {
+            config.mtu = config.mtu.saturating_sub(obfuscator.packet_overhead());
         }
 
         // NOTE: We force userspace WireGuard while boringtun is enabled to more easily test