Hello!
I know the topic has been discussed pretty intensively here.
I read a lot of threads now about mssfix, mtu and so on.
But still there are some questions unanswered.
I been testing a lot recently, to get a better performance with MTU and mssfix, fragmentation and so on.
I seems the actual performance drops about 50% or more for connections going throgh inside the tunnel. Compared with those running outside the tunnel.
I been banging my head with link-mtu, tun-mtu, mssfix and fragmentation options without much success until now.
Today i tried something else, and found out this is working:
I turned down the MTU and MSS value of the physical interface (outside the openvpn settings). I mean the settings on the machine that is hosting OpenVPN.
And THIS is a the first time i expierience a gain in performance. It had default values before, and changed it to MTU = 1440 and MSS = 1400.
The openvpn settings i left at defaults.
How does the OpenVPN settings relate to those settings of the physical interface?
I mean, it must have an impact.
Because if the PHY interface has 1500 MTU (default), and OpenVPN adds up a virtual tunnel interface with the same MTU, and also encapsulation headers, the size of the resulting packets that try leave the physical link must be a lot bigger than 1500. Am i right?
So possibly this is causeing fragmentation? And maybe that is a part of the whole problem?
One thing that is also pretty odd is: The OpenVPN documentation recommends leaving tun-mtu and link-mtu to defaults and use mssfix and fragmentation options instead.
But when you do so, the log is always complaining about you should change to tun-mtu (or link-mtu) option because its not suitable or something.
I just wonder if there is something like a better explaination about the difference between tun-mtu and link-mtu values. And also their relation to the Physical interface outside of OpenVPN.
And maybe there should be a best practice guide, generally.
Because researching, i found this topic extremly often in forums and elsewhere, and it usually leaves a lot of question marks in the end. And it takes really long time figuring out by "trial and error" what are the best settings. But in the end you don't know WHY they are the best settings in your case right now. And the next time u setup OpenVPN, you run into the same problem again.
Regards,
ND
Relation between tun-mtu, link-mtu and the MTU of the physical interface
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- NullDevice
- OpenVpn Newbie
- Posts: 13
- Joined: Sun Sep 11, 2011 11:33 pm
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Relation between tun-mtu, link-mtu and the MTU of the physical interface
The options --tun-mtu and --link-mtu are only briefly documented. (*1)
Example:
It is the --tun-mtu, so what is the --link-mtu default ... ? (Check your log file and wonder ..)
A good place to start is --mtu-test (see the manual)
*1 Openvpn manual for MTU is briefly documented because generally network administrators are expected to do their job properly and MTU will not be a problem. But this is not always the case ..
Note:
OpenVPN-CE is free open source software made and supported by volunteers.
It can only do so much and it may not be "finished" or even suitable for you.
Example:
Is that default 1500 the --tun-mtu or the --link-mtu ?Quoth the manual wrote:--tun-mtu n
- Take the TUN device MTU to be n and derive the link MTU from it (default=1500).
It is the --tun-mtu, so what is the --link-mtu default ... ? (Check your log file and wonder ..)
because in most cases your network and the networks of the service providers you traverse will be set up correctly and MTU 1500 is configured and used correctly. Of course, that is not always the case ..Quoth the manual wrote:
- In most cases, you will probably want to leave this parameter set to its default value.
This would tend to indicate a serious network problem, or at least a serious network configuration error .. perhaps it is only your local network and you can fix it. If it is outside the scope of your network then you have a more serious problem.NullDevice wrote: ↑Mon Oct 22, 2018 9:01 pmI turned down the MTU and MSS value of the physical interface
A good place to start is --mtu-test (see the manual)
*1 Openvpn manual for MTU is briefly documented because generally network administrators are expected to do their job properly and MTU will not be a problem. But this is not always the case ..
Note:
OpenVPN-CE is free open source software made and supported by volunteers.
It can only do so much and it may not be "finished" or even suitable for you.