diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go index a09e5c41d19..2d092b0ce8c 100644 --- a/cmd/cloudflared/tunnel/cmd.go +++ b/cmd/cloudflared/tunnel/cmd.go @@ -82,6 +82,11 @@ const ( // udpUnregisterSessionTimeout is how long we wait before we stop trying to unregister a UDP session from the edge udpUnregisterSessionTimeoutFlag = "udp-unregister-session-timeout" + // quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size. + // Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size. + // Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets. + quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery" + // uiFlag is to enable launching cloudflared in interactive UI mode uiFlag = "ui" @@ -692,6 +697,13 @@ func tunnelFlags(shouldHide bool) []cli.Flag { Value: 5 * time.Second, Hidden: true, }), + altsrc.NewBoolFlag(&cli.BoolFlag{ + Name: quicDisablePathMTUDiscovery, + EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"}, + Usage: "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.", + Value: false, + Hidden: true, + }), altsrc.NewStringFlag(&cli.StringFlag{ Name: connectorLabelFlag, Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.", diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go index 56e5c12c37a..8d1fe209b57 100644 --- a/cmd/cloudflared/tunnel/configuration.go +++ b/cmd/cloudflared/tunnel/configuration.go @@ -240,6 +240,7 @@ func prepareTunnelConfig( PQKexIdx: pqKexIdx, MaxEdgeAddrRetries: uint8(c.Int("max-edge-addr-retries")), UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag), + DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery), } packetConfig, err := newPacketConfig(c, log) if err != nil { diff --git a/supervisor/tunnel.go b/supervisor/tunnel.go index 9052398d5ac..3ba04050ffc 100644 --- a/supervisor/tunnel.go +++ b/supervisor/tunnel.go @@ -70,6 +70,8 @@ type TunnelConfig struct { PacketConfig *ingress.GlobalRouterConfig UDPUnregisterSessionTimeout time.Duration + + DisableQUICPathMTUDiscovery bool } func (c *TunnelConfig) registrationOptions(connectionID uint8, OriginLocalIP string, uuid uuid.UUID) *tunnelpogs.RegistrationOptions { @@ -596,14 +598,15 @@ func (e *EdgeTunnelServer) serveQUIC( } quicConfig := &quic.Config{ - HandshakeIdleTimeout: quicpogs.HandshakeIdleTimeout, - MaxIdleTimeout: quicpogs.MaxIdleTimeout, - KeepAlivePeriod: quicpogs.MaxIdlePingPeriod, - MaxIncomingStreams: quicpogs.MaxIncomingStreams, - MaxIncomingUniStreams: quicpogs.MaxIncomingStreams, - EnableDatagrams: true, - MaxDatagramFrameSize: quicpogs.MaxDatagramFrameSize, - Tracer: quicpogs.NewClientTracer(connLogger.Logger(), connIndex), + HandshakeIdleTimeout: quicpogs.HandshakeIdleTimeout, + MaxIdleTimeout: quicpogs.MaxIdleTimeout, + KeepAlivePeriod: quicpogs.MaxIdlePingPeriod, + MaxIncomingStreams: quicpogs.MaxIncomingStreams, + MaxIncomingUniStreams: quicpogs.MaxIncomingStreams, + EnableDatagrams: true, + MaxDatagramFrameSize: quicpogs.MaxDatagramFrameSize, + Tracer: quicpogs.NewClientTracer(connLogger.Logger(), connIndex), + DisablePathMTUDiscovery: e.config.DisableQUICPathMTUDiscovery, } quicConn, err := connection.NewQUICConnection(