From c15127b6ab24bb16ab61957a69b623c80ee372f0 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Thu, 16 Oct 2025 10:27:53 +0200
Subject: [PATCH] Add --apply-egress-mtu option and corresponding unittests to
 allow automatic MTU adjustment on egress interface before setting WireGuard
 MTU

See: https://chatgpt.com/share/68efc179-1a10-800f-9656-1e8731b40546 (German discussion)
---
 __pycache__/main.cpython-313.pyc | Bin 17752 -> 18313 bytes
 __pycache__/test.cpython-313.pyc | Bin 10096 -> 14914 bytes
 main.py                          |  11 ++++
 test.py                          | 100 +++++++++++++++++++++++++++++++
 4 files changed, 111 insertions(+)

diff --git a/__pycache__/main.cpython-313.pyc b/__pycache__/main.cpython-313.pyc
index a142012f92f594175fa6e9b0e7957444379e78c6..cfb2c30246bc6bdcdbd350910aa35b8a3b9e584c 100644
GIT binary patch
delta 1186
zcmYjRT})eL7(VZ5kFB(&&>sFFoQ9RQlpYGDV-#?9u)5(!3x~6H?K)_?L)*BY&X%EQ
zvUsO6WG?T8#>5!!=7j;$7_&Q#7h<AG*=9!OrdhJYWG0SfmtN@ioetWQ^Y=aP`#$gU
zKIhBXxeg!Qfch6EQyoK&TmL-EhKDxmf3>mRhSDS3Q&ubKBoTk_=`s(*jWmTGl2;nU
zM?D?pp&HCbu>TI+hGD#I{}=qY>21a}gC6hpTFL6K-X1uJHyqtCg6j@D9Ku<LUpFeV
z^^6q2HHWQ&w~YCr(nDb4j>;S9H;#Wh;`ocR3)9XV946dt@H(y1jf}DaBLiM>@%W`(
zk8YP)6RfPYg!%}|u8(07AG<z)sZzSH3%H|FXl@d(IIZ}ZI|OgwpY9eorZOJK#{Ly<
zT8#($JN2agO&R8<aogDhC-A5Km5!6Lk)SiO$@x-Sl4Tg#6b31bXFO|MWIulvLG+pD
zs^gGI3}@{fT!dkwHoPhFd?3m&$#$l8Qi&=#Jnz#~3&V~YCuF&f2slN3^J%L&ao?U-
z(LOSL*xPML>>*^G6nQrK6+RbvTo&8lG;N}b%4R}!2A_$|)T$V+i*4=`zE`WPL~?46
zrTR?0Lq;YM1WyyDL@W9StXy10s8MGr4<yLFz22v*C8IJLWVkT6$EDW%JkYH>N2T~!
zvL~AGsl6Bbyfd(%id<A9TJ<X>DdJAmdQ;;}THQ<MWsc0Es4j(QJ}jYmunRIJ&)_9(
zz~b>F^Z5(!dX&uDN}=GnSX^G64pKxYW)(qMT2j)*+*L)0B#T+$<h(2tFRPLB=ox7>
z2~I`Kh=NkgdR=1abN>s?wXyh0hSDU2<1?XfK#<<b<@32q8KKfa<xpD+DJ7j;E|4Z_
zYhhwScmU$6uwSprP%HOUPywq3s^MkPs%1ZY^76&}auL56O(7fj1BObE11n&8(4aP3
zsN^pYVHh3%vF;AB{0DLso|NnpIcP2O&W+BUHf2}CaQt%yxD4#R!f?9M_1C`BNaR&-
zyszsd=Z>NA)7Z_}T|@UnV`G^Qmm~A{BeCsBZ0r4U{A}5h_|16k35^VIBsRj|k8NGu
z%9bss?-`>Hjn+>>w}#ipzaGD5JX8uEIR(w{0b`qk0{xL}x3?}@>$VT_i&p$*@>{rr
Y>8S&-gC9<9>Vqs?gWY3V3?6Oy9}3ty-v9sr

delta 711
zcmY*XOHUI~6uxI3DQ)_YK&dUkGO49gTH6`M;-dtrl%j~DoeVx&D`lY=2#YpaqYGmU
ziH{g!j{m`x!8&n)JL8&|i3?u=mqr$Xx^&~6p|yIG`})rJedpZA{bl&@0NlS^E(f9Q
z>E_m4NUFQn1ZL8suM3-uyWlhfW>XVt64yiB9_b%UrkD_3g#r8={tXI_^!f06Ux2Rc
zkr3?1dL#%bG$LUb#A+mEJD@Rcq8`MRh|s_fVO{pZVRVTFNaL31hatQx&f}ce(@@8v
zGK^p{+Qm_625ZrWa0J=@J8)EA>hA%5RL$l`@kg=)U&V4Th7k8b&T<+@C0^r?{f$50
zV>dmH<J-6&Ch%Ll)_p>AQe;wdi94qxWrh&VH3jNPytVHUoU*u67)mJq(<#^?^^!uN
zK_?pIizp|(P{Q$K49=K|ZF$W@T~#bg0nQ?nqu$trVs9Bxbf#(1nrCm&<TOH0<AoyH
zq%f~pd#dNBn@;@M=BoXiV*AgtNR^%L1*vIiiJwV9IFD=6GF-5#E11<OoOMw}>!L2=
zitOtsS&wr`<7w?PnuCs6Ga4*gd`BzM6;fq-X<ux+Oro=T`@kZne;NGAVkTW-KS2Ut
zq&Gm;9}m?41H*3|1}*0`?bU1g*Ws(6FJyF9uVkm8YaWP@hpPF>4Eyeq;4s3SB>^|a
qUV?#7a(m%DuIB2&>j1Z5yTTIAdGF>s*8h=fTgq+IZJ@G?O8)?h7qEK(

diff --git a/__pycache__/test.cpython-313.pyc b/__pycache__/test.cpython-313.pyc
index 953acee2e51d7556262e3c18fcdb33e57bdf26db..cc2751871faf62e4b0500e79d762207773aeed8e 100644
GIT binary patch
delta 3328
zcmcInTTC126`t{RJhr(712#4c;gWU0#$22W2_V2^SIrVN*fiB9+Ua1A%_v}7|BRub
z)za-nC0c3I>Q}2gqN*zqX{EBF4_h@4n+*>ut+a{-E3#HrUF}1qtyGCLkyb^0=s9B>
z$b}ZE>L9*3|Ly$epZUIX#ygij)+(Mjoje0q|NA>LUx$8O@i&9X{K4*|(R0mooQWF3
zEDkb^-f~6jqUN&(`j)Ye^-;lelK#rT8Hk<!knOa(qNdVdv#Y9`MO$CQN9|}wn@S5B
zyu|Ted^eYU^TZhyNJYx-Z&{C--r(8Y^*>bn%fyD)-#->G*v28S0y|B{>DR7w#{jha
z4$=fS(u^>O(1LIrA&4-vK3|t%*|GJ%)>j*j_hZ*70KbJe&~_r|ZcWotq6a*?J-=fI
z*YA3k&Fn7yLTK~$g+inXrhQXuW|)}YbYNkO{z7=W=DX<cnK<ZOPs{q*7K5QJZiT_}
zg|-p?pS)pUnBOqnOq9LMrmb{@53p96;lobus=YjUilZO!r>V;)upC{f^|3ZO;;uKE
zrfjsw(h@LF*}~ujFM+vQTeKKvvaW3H-zVL)#eFPbiCUvv825+kC@U`7qWu1fZbO=%
zvP?D>*B`_weB+L@27#GkCVdA-iZ-lj!U&ws{fJXWns+y{f1>v+ElVE{8k?CU>#tb+
zEguL-+3f6%fSe+-ss`q?oS@3uq9znO24!s~BuKfWASaV@TvO&{VInpqywcMj?)3|~
zbV5i-X(>J<EToF_a3F9dG}zO3x;MyA%F2wKPG)9PvXGDo`WBa9lfXzWNpeYfK#++F
zo53z!=qZhUg1q0n|JHYFUW`$v5b1;Sk_v!JyC+BR6iPbvT$~t<pk+#@(f8RMsT<48
zWpkRG(1V8K3<wx4L7kE?Kujl~at#Q0;SO7{N$DG6hCuw}ER5c%qVHDsEpfTDqG__K
z6-;xP`1OJ*F3rvssw7pFi6+iSs)!vbIfq`)<2w7{+8M%0tq6D?(uU9uP%!IGRHUh}
ze~}JgGgI*6_M-j*#p3%C;n|AtkkxWqgU2r}qzc3IotDP_qfGrXY^8n)@Dt`A9;WI|
z`j?su^s3FaH2Trl7Wdji&T-3m)A^t-xMtkq`k!))({*d&=ESz6Deq{yJ-?!@#x@<j
zj~ulJdUGp@)ySr!XUA-;=9kSo9Ak5BbM1MqeMMf&JwR&^9B*?Cd9LBMciSDxyF+U&
zpL6}+HZnCGpI5i<eoK=Tm1iPe<2^%N#BRRVz=6GC=Ob?0hRce!myevZ#%&OJ`PxeW
zkLahz{)pP94=Yd6f7bT07Ajd>{%16*>#4rHcK;4~YS8s`AOn>2w5aRpXC*!HxoKF%
zUy*^v#n&MW4kE|81T`}|3;b4v=yjrGHPAwNN<e3>aR2T!C?QLL!g9Jxkf5crGbN=L
zg>;6@Nwc~z<us_{U@{dM5x8;^HYS}2m^zE1AYEWCc1N!(*{rS%UE;cYbsh-Qa$L%(
z^0ToP9aO{8*f&_4{7ztd?*#Fp-#sorn}2a=uMQL}VwPkeex1(4I2J<CiH)2lSLv-f
zPbhE*c_Ca?TtM2ED6K#<RTx78pLvnMFQ5Jh_EFyh01|tdsw9wjAO=*ey7l_a*WbCc
z%zjm-@u?5lEpA|s)vtb1y~SPpimTn`+VWi6%G7FPt!;}t4f9{d&SUh=iiU^}Njc^~
zQjYnI_Z|G0$9BKYinfm*>$JYSD!uhTS0y7<C8$oVod=kCluAQ?>~;!AnRpRPjjde7
z{$ojUM4d+{Nfj@Yq)&ATZIvWcnfp1sG=98D)dhtl^x~tZ@szArrUT;8$LADH2n1j#
zu#nR0*DH%bVKfLSJrwenbQPZ=iaZU%;&W+fdglJ`(<vn-%xC6614NF`ETv@)6nO<Q
zH<UK01%6POb-xA?&{*-iWzpIb)c;5fyQUEI5=4H0riAc4gy)J0xdNRR2qp-<h>!$Y
z3IOKz(dUvo<n}}4v7l%(VlqSGaspH#X6B(NDG9kKkMIlfIAr=R?)!HD%<*)*{yT>!
z_&sF|eFXVF^3?Kw%lFn&!Usv!w?~3{qW9^EK4{$V@sUp3#tAF*Zv^?sdFvg<UrC2s
z$Ip%6gS?1v8Q~hjb%ZQ}3Q%x~qN+)n5*H;+Bg!<?epM7nj;^(O4R+J|XRUV(jXS*0
zeCF{e%UJBoLz`yL7iRu}-MiYKH;3q#ZQaItbC_1PH#mEq7#U0Bjsx0{PtoCachyU#
zd%r)vb~<l9r#op{jpfa~j}0~EFs|)GIKO9gqg8ae*LQBG3MN19IxH4%F_zKNG6%HD
zkMOt_JT51SbCQyV6XNHJA3k7!CDR#I(QZKA#xGXlLXZLIhaJPs^VrHE=uSGoDsboL
zGKt)*JVf56btg{rU4~x;w_n@#2J+s(QwCc*Nsci&mKQgT?uRDFFDHIFaeHLb)U;z{
JOdj3QzX9OQJKO*O

delta 431
zcmX?9^1+YqGcPX}0}yO}^*-ag{6xN2OkvC$e+4mf1<Mw3r*mt{-4dN_AR@Y1lFgZm
zv1)Uyz#kSylg&}0x=frdKy9}elZsp>PY};jvjp-qd5YwKRFOQ0umKT@AVLX5=z$2^
z%_<W4jEqj3r$`DiDH(%=Oo4<ZTM-Y4%?l#H#<C<OrWgWEJ}$k8(Pnd&Ob6@aHYHUV
zV*`UC0idEx5mp9<5KR^&ZNZa`l^TWoL8hU&Vse&@;^yZ{OiU~*fija<n79f!fUNNX
z5dk0~ax#ypG-LE+4O1EJHB1Z)Z44jT7}&Tc2bh^`ZZ^$flK#vk%W6@S2vW-iByMrU
z$LA(y=EcVsSxnBfl;OI?QJR-oQj%I+GP%prUOon-Fd9UFwWxu$*yQG?l;)(`6=h6*
zVX1DM!^CJY!{fS)?nN2hFAN~whd5RS7M_l(%gmBDSa{lfn|x<DUS^T|z|6oR1vUr(
D0rP4c

diff --git a/main.py b/main.py
index 267d2e9..f9f56fe 100755
--- a/main.py
+++ b/main.py
@@ -207,6 +207,9 @@ def main():
     ap.add_argument("--pmtu-max-payload", type=int, default=1472, help="Upper bound payload for PMTU search (default: 1472 ~ 1500-28).")
     ap.add_argument("--pmtu-policy", choices=["min", "median", "max"], default="min",
                     help="How to choose effective PMTU across multiple targets (default: min).")
+    ap.add_argument("--apply-egress-mtu", action="store_true",
+                    help="Apply the effective Path MTU to the detected egress interface (e.g. eth0).")
+     
     ap.add_argument("--dry-run", action="store_true", help="Show actions without applying changes.")
     # NEW: force a specific WireGuard MTU (overrides computed value)
     ap.add_argument("--set-wg-mtu", type=int, help="Force a specific MTU to apply on the WireGuard interface (overrides computed value).")
@@ -289,6 +292,14 @@ def main():
         else:
             print("[wg-mtu] WARNING: All PMTU probes failed. Falling back to egress MTU.")
 
+    # Optionally apply the effective MTU to the egress interface
+    if args.apply_egress_mtu:
+        if egress == args.wg_if:
+            print(f"[wg-mtu] INFO: Skipping egress MTU apply because egress == {args.wg_if}.")
+        else:
+            print(f"[wg-mtu] Applying effective MTU {effective_mtu} to egress {egress}")
+            set_mtu(egress, effective_mtu, args.dry_run)
+
     # Compute WG MTU
     wg_mtu = max(args.wg_min, effective_mtu - args.wg_overhead)
     print(f"[wg-mtu] Computed {args.wg_if} MTU: {wg_mtu}  (overhead={args.wg_overhead}, min={args.wg_min})")
diff --git a/test.py b/test.py
index e2d0079..1bf6288 100644
--- a/test.py
+++ b/test.py
@@ -181,7 +181,107 @@ class TestWgMtuAutoExtended(unittest.TestCase):
         self.assertIn("[wg-mtu][WARN] --set-wg-mtu 1200 is below wg-min 1280; clamping to 1280.", s)
         self.assertIn("Forcing WireGuard MTU (override): 1280", s)
         mock_set_mtu.assert_any_call("wg0", 1280, True)
+        
+    # ---------- --apply-egress-mtu: setzt egress vor wg ----------
 
+    @patch("main.set_mtu")
+    @patch("main.probe_pmtu", return_value=1452)
+    @patch("main.read_mtu", return_value=1500)
+    @patch("main.exists_iface", return_value=True)
+    @patch("main.get_default_ifaces", return_value=["eth0"])
+    @patch("main.require_root", return_value=None)
+    def test_apply_egress_mtu_sets_egress_then_wg(
+        self, _req_root, _get_def, _exists, _read_mtu, _probe_pmtu, mock_set_mtu
+    ):
+        """
+        --apply-egress-mtu setzt egress=eth0 auf effective MTU (1452) und danach wg0 auf 1452-80=1372.
+        Reihenfolge der set_mtu-Aufrufe: erst eth0, dann wg0.
+        """
+        argv = ["main.py", "--dry-run", "--apply-egress-mtu", "--pmtu-target", "46.4.224.77"]
+        with patch.object(sys, "argv", argv):
+            buf = io.StringIO()
+            with redirect_stdout(buf):
+                automtu.main()
+
+        out = buf.getvalue()
+        self.assertIn("Applying effective MTU 1452 to egress eth0", out)
+        self.assertIn("Computed wg0 MTU: 1372", out)
+
+        # Call order prüfen
+        calls = [
+            unittest.mock.call("eth0", 1452, True),  # egress zuerst
+            unittest.mock.call("wg0", 1372, True),   # dann wg0
+        ]
+        mock_set_mtu.assert_has_calls(calls, any_order=False)
+        self.assertEqual(mock_set_mtu.call_count, 2)
+
+    # ---------- --apply-egress-mtu: egress == wg_if -> skip apply auf egress ----------
+
+    @patch("main.wg_default_is_active", return_value=True)
+    @patch("main.wg_is_active", return_value=True)
+    @patch("main.set_mtu")
+    @patch("main.probe_pmtu", return_value=1500)
+    @patch("main.read_mtu", return_value=1500)
+    @patch("main.exists_iface", return_value=True)
+    @patch("main.get_default_ifaces", return_value=["wg0"])  # wg0 wird als egress gewählt
+    @patch("main.require_root", return_value=None)
+    def test_apply_egress_mtu_skips_when_egress_is_wg(
+        self, _req_root, _get_def, _exists, _read_mtu, _probe, mock_set_mtu, _wg_active, _wg_def_active
+    ):
+        """
+        Wenn egress == wg0, soll das Skript den egress-Apply überspringen, aber wg0 ganz normal setzen.
+        """
+        argv = ["main.py", "--dry-run", "--apply-egress-mtu", "--prefer-wg-egress", "--wg-if", "wg0"]
+        with patch.object(sys, "argv", argv):
+            out = io.StringIO()
+            with redirect_stdout(out):
+                automtu.main()
+        s = out.getvalue()
+
+        self.assertIn("Detected egress interface: wg0", s)
+        self.assertIn("Skipping egress MTU apply because egress == wg0", s)
+        # wg0 wird trotzdem gesetzt (1500-80=1420)
+        mock_set_mtu.assert_any_call("wg0", 1420, True)
+        # Es darf nur ein set_mtu-Aufruf erfolgen (kein separater egress-Apply)
+        self.assertEqual(mock_set_mtu.call_count, 1)
+
+    # ---------- --apply-egress-mtu plus --set-wg-mtu override ----------
+
+    @patch("main.set_mtu")
+    @patch("main.probe_pmtu", return_value=1452)
+    @patch("main.read_mtu", return_value=1500)
+    @patch("main.exists_iface", return_value=True)
+    @patch("main.get_default_ifaces", return_value=["eth0"])
+    @patch("main.require_root", return_value=None)
+    def test_apply_egress_mtu_with_forced_wg_override(
+        self, _req_root, _get_def, _exists, _read_mtu, _probe_pmtu, mock_set_mtu
+    ):
+        """
+        Egress wird auf 1452 gesetzt, aber wg0 wird mit --set-wg-mtu (z. B. 1300) überschrieben,
+        unabhängig vom berechneten Wert (1372).
+        """
+        argv = [
+            "main.py", "--dry-run",
+            "--apply-egress-mtu",
+            "--pmtu-target", "1.1.1.1",
+            "--set-wg-mtu", "1300",
+        ]
+        with patch.object(sys, "argv", argv):
+            buf = io.StringIO()
+            with redirect_stdout(buf):
+                automtu.main()
+
+        out = buf.getvalue()
+        self.assertIn("Applying effective MTU 1452 to egress eth0", out)
+        self.assertIn("Computed wg0 MTU: 1372", out)  # erst berechnet
+        self.assertIn("Forcing WireGuard MTU (override): 1300", out)  # dann überschrieben
+
+        calls = [
+            unittest.mock.call("eth0", 1452, True),
+            unittest.mock.call("wg0", 1300, True),
+        ]
+        mock_set_mtu.assert_has_calls(calls, any_order=False)
+        self.assertEqual(mock_set_mtu.call_count, 2)
 
 if __name__ == "__main__":
     unittest.main(verbosity=2)