From e3ec5b18cf911122f9cab1835ed5c5c8f51d9bf3 Mon Sep 17 00:00:00 2001 From: Maciej Lebiest <68295743+Szwendacz99@users.noreply.github.com> Date: Mon, 11 Sep 2023 18:26:48 +0200 Subject: [PATCH] Update README.md wiregaurd postup script --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 784f399..e1bb654 100644 --- a/README.md +++ b/README.md @@ -131,9 +131,10 @@ Before seting up the wg interface, entrypoint will execute files in `PostUp` and `PostDown` in network interface config should look like this: ```bash -PostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \; }; nft add rule inet filter forward iifname "%i" accept; nft add rule inet filter forward oifname "%i" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet nat postrouting oifname "eth*" masquerade -PostDown = nft delete table inet filter +PostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \; }; nft add rule inet filter forward iifname "%i" accept; nft add rule inet filter forward oifname "%i" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }; nft insert rule inet nat postrouting tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu; nft add rule inet nat postrouting oifname "eth*" masquerade +PostDown = nft delete table inet filter; nft delete table inet nat; ``` +The `nft insert rule inet nat postrouting tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu` is optional, but recommended if on client side there are virtual networks from which discovering the MTU of whole path can be difficult. Example run (requires root and privileged for nftables setup)
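Review bot: the new MSS clamp rule in the `PostUp` line, `nft insert rule inet nat postrouting tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu`, has no interface match, unlike the neighbouring `oifname "eth*" masquerade` rule, so it rewrites the MSS option on every outgoing TCP SYN the host emits or forwards, not only traffic leaving towards the WireGuard peers; adding `oifname "%i"` (or restricting it the same way as the masquerade rule) would keep the scope of the change to the tunnel. Also note that a `nat`-hooked chain only sees the first packet of each connection, so this clamps the SYN leaving via `eth*` but not the returning SYN/ACK; if both directions need clamping, the rule belongs in a forward-hooked filter chain such as the `inet filter forward` chain already created by the same `PostUp`. The added README sentence should also say what the rule does (clamp the TCP MSS to the path MTU so hosts behind the client do not rely on path MTU discovery) rather than only pasting the command, and "if on client side there are virtual networks" reads awkwardly; "if there are virtual networks on the client side" is clearer.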