I am looking for some more information about how OpenVPN handles MTU differences and what I might be able to do to diagnose MTU problems.
First some background.
I have an OpenVPN network with many clients (on average about 260) in subnet topology.
Traffic between clients is managed by iptables.
The tunnel MTU is left at the default of 1500. Fframent or mssfix are not active.
OpenVPN version is 2.2.1. I know this is old, but it is what is standard on Ubuntu 12.04 LTS. I know this is old too. An upgrade was planned long ago, but may still be some months away, mainly due to other business taking precedence. I have no control over this.
I am looking into upgrading OpenVPN beyond what is in the current repositories based on info another forum member sent me.
Meanwhile, I am looking to educate myself further on the subject of how OpenVPN handles, or is supposed to handle, MTU differences.
In my network of 260+ clients, there are currently 2 clients that cause problems. Both on the same premises. They are laptops using the OpenVPN Windows client. On the same premises are some embedded clients (provided by me) that use the same configuration as the laptops. All with their own unique identity of course.
When these clients connect and start sending or receiving, OpenVPN starts logging the well known code=90 messages, such as these:
and a packet trace shows:avc-00009/213.126.118.218:15140 write UDPv4 [EMSGSIZE Path-MTU=1452|EMSGSIZE Path-MTU=1452|EMSGSIZE Path-MTU=1452|EMSGSIZE Path-MTU=1452]: Message too long (code=90)
read UDPv4 [EMSGSIZE Path-MTU=1452|EMSGSIZE Path-MTU=1452]: Message too long (code=90)
So clearly OpenVPN receives the messages that are required for PMTUD. Also, the client does not seem to be having trouble receiving. Unless they have informed me incorrectly, they do not experience a stalled connection or any other symptoms that might indicate they are missing packets.IP 213.126.118.218 > 10.0.8.11: ICMP 213.126.118.218 unreachable - need to frag (mtu 1452), length 36
A packet trace of the OpenVPN UDP communication between client and server shows that OpenVPN starts by sending IP packets of 1452 bytes (1466 with ethernet header included).
2017-12-05 12:53:00.965599 10.0.8.11 213.126.118.218 IPv4 1466 Fragmented IP protocol (proto=UDP 17, off=0, ID=77f9) [Reassembled in #127]
It was my understanding that the ICMP type 3 messages is specifying the maximum IP size of the next hop, being 1452 in this case.Internet Protocol Version 4, Src: 10.0.8.11, Dst: 213.126.118.218
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 1452
Identification: 0x77f9 (30713)
Flags: 0x01 (More Fragments)
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..1. .... = More fragments: Set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x7ee4 [validation disabled]
[Header checksum status: Unverified]
Source: 10.0.8.11
Destination: 213.126.118.218
[Source GeoIP: Unknown]
[Destination GeoIP: AS9143 Ziggo B.V., Netherlands, Den Bosch, 06, 51.585701, 6.020100]
Reassembled IPv4 in frame: 127
OpenVPN seems to be honouring this, by sending IP packets no larger that 1452 bytes.
Which would lead me to conclude that the other side is sending ICMP type 3 messages with the wrong number, or is sending those messages when it should not.
Since they say they are not having problems sending or receiving, I would think that the ICMP 3 messages are wrong. But I can't think of any reason why. Also, my entire line of thinking may be based on false premises.
Any thoughts anyone? Besides upgrading OpenVPN. The server will be upgraded shortly (hopefully).
p.s. Many other clients I have checked so far are sending and receiving IP packets of 1473 bytes (1487 with ethernet header included), which suggests OpenVPN is indeed adapting to MTU differences.