diff --git a/header/header.go b/header/header.go
index fb4d2a52a..50b7d62b2 100644
--- a/header/header.go
+++ b/header/header.go
@@ -24,19 +24,6 @@ type m map[string]interface{}
 const (
 Version uint8 = 1
 Len = 16
-
- // The total Nebula packet overhead is 60 bytes:
- // - HeaderLen bytes for the Nebula header.
- // - 16 bytes for the encryption cipher's AEAD 128-bit tag.
- // NOTE: both AESGCM and ChaChaPoly have a 16 byte tag, but if we add other
- // ciphers in the future we could calculate this based on the cipher,
- // returned by (cipher.AEAD).Overhead().
- // - 20 bytes for our IPv4 header.
- // (max is 60 bytes, but we don't use IPv4 options)
- // TODO: Could routers along the path inject a larger IPv4 header? If so,
- // we may need to increase this.
- // - 8 bytes for our UDP header.
- NebulaOverhead = Len + 16 + 20 + 8
 )

 type MessageType uint8
diff --git a/inside.go b/inside.go
index 2e256e689..a7829d69b 100644
--- a/inside.go
+++ b/inside.go
@@ -102,7 +102,8 @@ func (f *Interface) rejectOutside(packet []byte, ci *ConnectionState, hostinfo *
 }

 // Use some out buffer space to build the packet before encryption
- const maxOutLen = iputil.MaxRejectPacketSize + header.NebulaOverhead
+ const aeadOverhead = 16
+ const maxOutLen = iputil.MaxRejectPacketSize + header.Len + aeadOverhead
 outPacket := iputil.CreateRejectPacket(packet, out[maxOutLen:maxOutLen+iputil.MaxRejectPacketSize])
 out = out[:maxOutLen]
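Review bot: The new `const aeadOverhead = 16` in rejectOutside is an undocumented magic number, and this commit deletes the only comment that explained it (a 16-byte tag for both AESGCM and ChaChaPoly, derivable from `(cipher.AEAD).Overhead()`). The plaintext reject packet is built at `out[maxOutLen:]`, and `out[:maxOutLen]` is presumably where the header and sealed output are written. If so, a cipher with a larger tag would let the ciphertext run into the plaintext region, so the assumption belongs next to the constant. I would add `// AEAD tag size: 16 bytes for both AES-GCM and ChaCha20-Poly1305; must match (cipher.AEAD).Overhead() of every supported cipher` above it. The function starts and ends outside the hunk, so the encrypt call is not visible, nor is any check that `out` holds at least `maxOutLen+iputil.MaxRejectPacketSize` bytes before the slice expression.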