-- =====================================================================
-- Migration 072: TCP MSS clamping for AmneziaWG 2.0 (awg2)
--
-- Issue #50: clients complete the handshake but no traffic flows.
-- Clients run the tunnel with a reduced MTU (1280), so TCP has to
-- negotiate an MSS that fits inside it. Without that, full-size download
-- packets (web pages, TLS responses) exceed the tunnel and are dropped:
-- the handshake and small packets work, but browsing stalls. Clamping the
-- MSS to 1240 (1280 - 40) on the server's FORWARD path fixes the download
-- direction.
--
-- The clamp is appended to the awg2 install script's PostUp, so
-- panel-installed servers get it on every interface bring-up. Adopted
-- native containers are handled at runtime by
-- VpnClient::addClientToServer(), which applies the same rule
-- idempotently on each client creation.
--
-- What the statement below does:
--   * REPLACE() rewrites every occurrence of the exact MASQUERADE command
--     in the stored script, appending the mangle-table rule after it.
--   * Only the row with slug 'awg2' is touched, and only when its script
--     contains the '-o eth0' MASQUERADE rule. Scripts that use another
--     egress interface or spell the command differently are skipped.
--   * The NOT LIKE '%TCPMSS%' guard makes a re-run a no-op. It also skips
--     any script that already mentions TCPMSS, whatever value it sets.
--
-- NOTE(review): the appended rule uses -A, and this migration adds no
--   matching -D for teardown. If the script's PostDown does not clean the
--   mangle table, each interface bring-up would stack another copy of the
--   rule. Confirm against the install script.
-- NOTE(review): the rule has no -i/-o match, so it applies to every
--   forwarded TCP SYN on the server, not only to tunnel traffic. Confirm
--   this is acceptable where the host forwards other traffic.
-- NOTE(review): 1280 - 40 is the IPv4 figure and iptables only covers
--   IPv4. If the tunnel also carries IPv6, confirm whether an ip6tables
--   clamp with a smaller MSS is needed.
-- =====================================================================
UPDATE protocols
SET
    install_script = REPLACE(
        install_script,
        'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE',
        'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240'
    )
WHERE
    install_script NOT LIKE '%TCPMSS%'                                      -- not yet patched
    AND install_script LIKE '%-A POSTROUTING -o eth0 -j MASQUERADE%'        -- anchor rule present
    AND slug = 'awg2';