Tunnelencapsulation overhead
Configuration
Inner Payload MTU
bytes (the MTU you want to preserve for application data)
Click protocols to add them to the stack. Stack is processed outer → inner (top = outermost).
Encapsulation Stack
No layers added — click protocols above to build your stack
Protocol Overhead Reference
VXLAN: 50 bytes total — 14 ETH + 20 IP + 8 UDP + 8 VXLAN header. Requires outer MTU of inner_MTU + 50.
GRE: 24 bytes — 20 IP outer + 4 GRE header (minimum, no key/checksum). Add 4B for Key, 4B for Checksum.
IPsec ESP Tunnel: ~73 bytes typical — 20 IP + 8 ESP header + 12 ESP auth (HMAC-SHA1-96) + 2 trailer + up to 31B padding.
IPsec IKEv2/AES-GCM: 20 IP + 8 ESP + 8 IV + 16 GCM tag = 52 bytes min (no padding).
MPLS: 4 bytes per label. L3VPN typically uses 2 labels (outer transport + inner VPN) = 8 bytes.
WireGuard: 60 bytes — 20 IPv4 + 8 UDP + 4 type + 4 receiver + 8 nonce + 16 Poly1305 auth tag.
802.1Q VLAN: 4 bytes inserted into the Ethernet header (TPID + TCI). QinQ adds another 4.
GRE: 24 bytes — 20 IP outer + 4 GRE header (minimum, no key/checksum). Add 4B for Key, 4B for Checksum.
IPsec ESP Tunnel: ~73 bytes typical — 20 IP + 8 ESP header + 12 ESP auth (HMAC-SHA1-96) + 2 trailer + up to 31B padding.
IPsec IKEv2/AES-GCM: 20 IP + 8 ESP + 8 IV + 16 GCM tag = 52 bytes min (no padding).
MPLS: 4 bytes per label. L3VPN typically uses 2 labels (outer transport + inner VPN) = 8 bytes.
WireGuard: 60 bytes — 20 IPv4 + 8 UDP + 4 type + 4 receiver + 8 nonce + 16 Poly1305 auth tag.
802.1Q VLAN: 4 bytes inserted into the Ethernet header (TPID + TCI). QinQ adds another 4.