diff --git a/src/ip-util.h b/src/ip-util.h
index 8c769eec..e5456499 100644
--- a/src/ip-util.h
+++ b/src/ip-util.h
@@ -26,6 +26,10 @@
 #include
 #define MAX_IP_STR 46
+// Lower MTU bound is the value defined in RFC 791
+#define RFC_791_MTU (68)
+// Upper bound is the maximum DTLS frame size
+#define MAX_DTLS_MTU (1<<14)
 void set_mtu_disc(int fd, int family, int val);
 int ip_route_sanity_check(void *pool, char **_route);
diff --git a/src/main-worker-cmd.c b/src/main-worker-cmd.c
index 5e3239e9..b3409f47 100644
--- a/src/main-worker-cmd.c
+++ b/src/main-worker-cmd.c
@@ -317,6 +317,11 @@ int handle_worker_commands(main_server_st * s, struct proc_st *proc)
 break;
 case CMD_TUN_MTU:{
 TunMtuMsg *tmsg;
+ unsigned minimum_mtu = RFC_791_MTU;
+ unsigned maximum_mtu =
+ proc->vhost->perm_config.config->default_mtu != 0 ?
+ proc->vhost->perm_config.config->default_mtu :
+ MAX_DTLS_MTU;
 if (proc->status != PS_AUTH_COMPLETED) {
 mslog(s, proc, LOG_ERR,
@@ -332,6 +337,13 @@ int handle_worker_commands(main_server_st * s, struct proc_st *proc)
 goto cleanup;
 }
+ if (tmsg->mtu < minimum_mtu || tmsg->mtu > maximum_mtu) {
+ mslog(s, proc, LOG_ERR,
+ "worker process invalid MTU %d", (int)tmsg->mtu);
+ ret = ERR_BAD_COMMAND;
+ goto cleanup;
+ }
+ set_tun_mtu(s, proc, tmsg->mtu);
 tun_mtu_msg__free_unpacked(tmsg, &pa);
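Review bot: The comment on `RFC_791_MTU` in src/ip-util.h does not say that 68 is the IPv4 minimum only. IPv6 requires a link MTU of at least 1280 (RFC 8200), so a value accepted near the lower bound may leave the tunnel unusable for IPv6 if the tun device carries it, which this hunk does not show. I would extend the comment to `// Lower MTU bound in bytes: IPv4 minimum from RFC 791 (IPv6 needs 1280, RFC 8200)` and state the unit on `MAX_DTLS_MTU` as well.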
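Review bot: The initializer of `maximum_mtu` at the top of the `case CMD_TUN_MTU` block dereferences `proc->vhost->perm_config.config` before the `proc->status != PS_AUTH_COMPLETED` check that follows it. If `proc->vhost` or its config can be unset for a process that has not completed authentication (not visible here), the main process would dereference a null pointer while handling a message that the status check is meant to reject. Assigning the two bounds after the status check keeps all work on worker-supplied messages behind that gate. It is also worth confirming the declared type of `default_mtu`: a negative signed value converted to `unsigned` would make the upper bound effectively unlimited. The case block continues outside the hunk.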
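Review bot: The rejected value in the second main-worker-cmd.c hunk is logged with `%d` and an `(int)` cast. If `tmsg->mtu` is an unsigned 32-bit field (its declaration is outside the hunk), out-of-range values above INT_MAX print as negative numbers in the one log line meant to record them; `"worker process invalid MTU %u", (unsigned)tmsg->mtu` keeps the value readable. Adding the accepted range to the message would make the rejection easier to triage. The new `goto cleanup` path also bypasses `tun_mtu_msg__free_unpacked(tmsg, &pa)`, which is fine only if `cleanup` releases the memory behind `pa`; that label is not shown here.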