Aachen 4 hours ago

A bug in WireGuard? What did Google change, since it affects only them? Any lessons learned about modifying cryptographic software?

...

Skipping past the investigation bit (minimising my daily slop intake), it's a wrong MTU value causing failing connections when WireGuard is disabled:

> When we disabled WireGuard, we expected the configuration to change to use the full 1500 bytes. However, some nodes in the cluster hadn't been restarted [and were] using the old 1420-byte MTU.

> [paraphrased] This particularly affected Valkey connections because they were distributed across nodes with mismatched MTU settings. So your API pod might not connect. The fix was rerolling all the nodes to get a consistent MTU configuration.