Tsnet has MTU Issues with WSL2 (Was: Tsnet HTTP goes well, HTTPS fails)

Some months ago I checked out tsnet, which “just worked”, and IIRC I also successfully tested out serving HTTPS.

But now I fail to write a working HTTPS server.

EDIT: Please see next post. HTTPS is a red herring. Keeping the original here; maybe it helps someone else observing the same symptoms.

Based on the example in Virtual private services with tsnet · Tailscale I changed a handful of lines:

ln, err := s.Listen("tcp", ":443")

// ...

hs := http.Server{
	// Handler: ...
	TLSConfig: &tls.Config{
		GetCertificate: lc.GetCertificate,
	},
}

// ...

err := hs.ServeTLS(ln, "", "")

When I try running this, on the client side I see:

# curl -vvv https://thing
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
# hangs here forever


2023-03-06 09:42:03 DBG Accept: TCP{a.b.c.d:65336 > d.c.b.a:443} 60 tcp ok
2023-03-06 09:42:03 DBG Accept: TCP{a.b.c.d:65336 > d.c.b.a:443} 52 tcp non-syn
2023-03-06 09:42:03 DBG Accept: TCP{a.b.c.d:65336 > d.c.b.a:443} 569 tcp non-syn

And only once I interrupt curl:

2023/03/06 09:44:03 http: TLS handshake error from a.b.c.d:65358: EOF

All clients show the same behavior.

Without further ideas on debugging this, it seems that the client thinks it has sent some message, but the server either never receives it or thinks it's incomplete.

I hope for an embarrassing error on my part. Anyone any ideas?

Good guess: It’s the MTU.

Plain HTTP requests/responses can also fail. Strangely enough only when they get big enough.

I develop on WSL2. And I’m sure that I had solved all my MTU issues.
But obviously I didn’t.
Within WSL2, eth0 is set to MTU 1280.
Checking with ping - this works as expected.
When the tsnet application runs on Windows directly, 1280 is also appropriate.
But when the tsnet app runs within WSL2, I have to reduce down to MTU 1216.

Which means: How can I force a lower MTU?

If I had any Google Fu left, I’d have found Cannot receive large packets inside wsl2 due to MTU · Issue #4833 · tailscale/tailscale · GitHub earlier.
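
Added example, not part of the original posts and not Tailscale's code: a small Go tool that automates the ping check described above by binary-searching for the largest IPv4 packet that crosses a path with the don't-fragment bit set. The names `FindPathMTU` and `PingProbe`, the 576–1500 search range, and the use of Linux iputils `ping` flags are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
)

// icmpOverhead is the IPv4 header (20 bytes) plus the ICMP echo header (8 bytes).
// ping -s takes the ICMP payload size, so payload = packet size - 28.
const icmpOverhead = 28

// Probe reports whether an IP packet of the given total size crosses the path unfragmented.
type Probe func(size int) bool

// FindPathMTU returns the largest size in [lo, hi] that the probe accepts,
// or 0 if even lo fails. It assumes every size below the limit passes.
func FindPathMTU(probe Probe, lo, hi int) int {
	if !probe(lo) {
		return 0
	}
	for lo < hi {
		mid := lo + (hi-lo+1)/2 // round up so the loop always makes progress
		if probe(mid) {
			lo = mid
		} else {
			hi = mid - 1
		}
	}
	return lo
}

// PingProbe sends one echo request with DF set (-M do) and a 1 s timeout.
// A single lost packet counts as "too big", so rerun on lossy links.
func PingProbe(host string) Probe {
	return func(size int) bool {
		payload := strconv.Itoa(size - icmpOverhead)
		return exec.Command("ping", "-4", "-M", "do", "-c", "1", "-W", "1", "-s", payload, host).Run() == nil
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: pmtu <host>")
		os.Exit(2)
	}
	fmt.Println("largest unfragmented IPv4 packet:", FindPathMTU(PingProbe(os.Args[1]), 576, 1500))
}
```

Running it from inside WSL2 against a tailnet peer and again from the Windows host shows whether the two environments see different limits on the same path.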