Self-hosting: Docker Swarm and WireGuard Connectivity Issues – Clamping Solution

Let’s talk about Docker Swarm and WireGuard, two powerful tools that can work wonders for your development and deployment workflows. But, like any good duo, they have their quirks, especially when it comes to something called the MTU.

MTU? What’s that?

Imagine a network as a highway, and the MTU is the maximum weight a truck can carry. If the trucks are overloaded (packets are too big), they’ll get stuck or break down (packets get fragmented), causing delays and frustration.

Docker Swarm likes big trucks, WireGuard likes small trucks.

Here’s the problem: Docker Swarm prefers big trucks (MTU of 1500 bytes), while WireGuard prefers smaller ones (around 1420 bytes) due to its fancy encryption and authentication. This mismatch can lead to a network traffic jam, causing slowdowns and even connectivity issues.

So, how do we avoid this MTU mayhem?

  1. Match the sizes: This is the ideal solution, but it might require adjusting network configurations outside of Docker. Think of it as getting everyone on the highway to agree on the same truck size.
  2. Use a clamp: Imagine a device that automatically adjusts the truck size to fit the highway. This is what MTU clamping in WireGuard does, ensuring smooth traffic flow.
  3. Go small: If changing the highway size is too much trouble, consider downsizing the Docker trucks to match WireGuard’s preference. This might not be the fastest option, but it can get you moving.


Imagine you’re sending a large package across the country. You need a truck to transport it, but there are limitations on the size of trucks allowed on certain roads.

This is similar to how data travels across networks. Each network segment has a maximum size for data packets, called the Maximum Transmission Unit (MTU). If a data packet is larger than the MTU, it won’t fit and can’t be delivered.

WireGuard uses encryption to secure your data, which adds a little bit of extra “weight” to each packet. This can cause problems if the network’s MTU is too small.

Here’s where clamping comes in:

Clamping acts like a smart truck driver who automatically adjusts the size of the package before sending it. If the package is too big for the road ahead, the driver will divide it into smaller packages that will fit.

When using WireGuard, you can enable clamping. This will automatically adjust the size of your data packets to fit within the network’s MTU. This ensures that your data can be delivered smoothly and efficiently, even if the network MTU is lower than ideal.

Here are some additional benefits of using clamping:

  • Improved performance: By avoiding fragmentation (splitting large packets into smaller ones), clamping can improve network performance.
  • Reduced errors: Fragmentation can also lead to errors during data transmission. Clamping helps to prevent these errors.
  • Wider compatibility: Clamping allows WireGuard to work with networks that have lower MTUs, making it more versatile and compatible with different environments.

In short, clamping is like having a helpful assistant who makes sure your data gets delivered safely and efficiently, even when the road ahead gets a little bumpy.


In your wireguard conf (/etc/wireguard/wg0.conf), add the following:

PostUp = iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PreDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu