diff --git a/infra/root/setup.sh b/infra/root/setup.sh
index 2d400d2..29d5000 100755
--- a/infra/root/setup.sh
+++ b/infra/root/setup.sh
@@ -45,6 +45,10 @@
 iptables-nft  -t nat -A POSTROUTING -o $WAN_INTERFACE_V4 -j MASQUERADE
 ip6tables-nft -t nat -A POSTROUTING -o $WAN_INTERFACE_V6 -j MASQUERADE
 
+# clamp tcp MSS of packets out tunnels
+iptables-nft  -t mangle -A POSTROUTING -o $VPN_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ip6tables-nft -t mangle -A POSTROUTING -o $VPN_INTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
 ####################################################################
 # Port forwarding
 ####################################################################