Relation between tun-mtu, link-mtu and the MTU of the physical interface

Post by NullDevice » Mon Oct 22, 2018 9:01 pm

Hello!

I know the topic has been discussed pretty intensively here.
I read a lot of threads now about mssfix, mtu and so on.
But still there are some questions unanswered.

I've been testing a lot recently, to get a better performance with MTU and mssfix, fragmentation and so on.
It seems the actual performance drops about 50% or more for connections going through the tunnel, compared with those running outside the tunnel.

I've been banging my head with link-mtu, tun-mtu, mssfix and fragmentation options without much success until now.
Today I tried something else, and found out this is working:

I turned down the MTU and MSS value of the physical interface (outside the openvpn settings). I mean the settings on the machine that is hosting OpenVPN.
And THIS is the first time I experience a gain in performance. It had default values before, and I changed it to MTU = 1440 and MSS = 1400.
The OpenVPN settings I left at defaults.

How do the OpenVPN settings relate to those settings of the physical interface?
I mean, it must have an impact.
Because if the PHY interface has 1500 MTU (default), and OpenVPN adds up a virtual tunnel interface with the same MTU, and also encapsulation headers, the size of the resulting packets that try to leave the physical link must be a lot bigger than 1500. Am I right?
So possibly this is causing fragmentation? And maybe that is a part of the whole problem?

One thing that is also pretty odd is: The OpenVPN documentation recommends leaving tun-mtu and link-mtu at defaults and using mssfix and fragmentation options instead.
But when you do so, the log is always complaining that you should change to the tun-mtu (or link-mtu) option because it's not suitable or something.

I just wonder if there is something like a better explanation of the difference between tun-mtu and link-mtu values. And also their relation to the physical interface outside of OpenVPN.
And maybe there should be a best practice guide, generally.
Because researching, I found this topic extremely often in forums and elsewhere, and it usually leaves a lot of question marks in the end. And it takes a really long time figuring out by "trial and error" what the best settings are. But in the end you don't know WHY they are the best settings in your case right now. And the next time you set up OpenVPN, you run into the same problem again.

Regards,
ND

Re: Relation between tun-mtu, link-mtu and the MTU of the physical interface

Post by TinCanTech » Mon Oct 22, 2018 11:13 pm

The options --tun-mtu and --link-mtu are only briefly documented. (*1)

Example:
Quoth the manual wrote:
--tun-mtu n
  • Take the TUN device MTU to be n and derive the link MTU from it (default=1500).

Is that default 1500 the --tun-mtu or the --link-mtu ?
It is the --tun-mtu, so what is the --link-mtu default ... ? (Check your log file and wonder ..)

Quoth the manual wrote:
  • In most cases, you will probably want to leave this parameter set to its default value.

because in most cases your network and the networks of the service providers you traverse will be set up correctly and MTU 1500 is configured and used correctly. Of course, that is not always the case ..

NullDevice wrote: Mon Oct 22, 2018 9:01 pm
I turned down the MTU and MSS value of the physical interface

This would tend to indicate a serious network problem, or at least a serious network configuration error .. perhaps it is only your local network and you can fix it. If it is outside the scope of your network then you have a more serious problem.

A good place to start is --mtu-test (see the manual)

*1 The OpenVPN manual for MTU is briefly documented because generally network administrators are expected to do their job properly and MTU will not be a problem. But this is not always the case ..

Note:
OpenVPN-CE is free open source software made and supported by volunteers.
It can only do so much and it may not be "finished" or even suitable for you.
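
The arithmetic behind the question in the first post (a full-size inner packet plus encapsulation headers leaving a physical interface), as an added example that is not part of the thread and not OpenVPN code. It assumes an outer IPv4 header without options and UDP transport; the tunnel overhead is a parameter, and the value 41 used below is a constructed sample, not OpenVPN's actual figure.

```python
"""Added example: outer packet size and IPv4 fragmentation for a UDP tunnel.

Assumptions (not from the thread): IPv4 outer header without options (20 bytes),
UDP header (8 bytes), and a per-packet tunnel overhead that is passed in as a
parameter because it depends on cipher, auth and compression settings.
"""
IPV4_HDR = 20   # outer IPv4 header, no options
UDP_HDR = 8     # outer UDP header
TCP_HDR = 20    # inner TCP header, no options


def outer_packet_size(inner_len, tunnel_overhead):
    """Size of the outer IPv4 packet carrying one inner packet."""
    return IPV4_HDR + UDP_HDR + tunnel_overhead + inner_len


def ipv4_fragments(packet_len, path_mtu):
    """Sizes of the IPv4 fragments a packet of packet_len is split into."""
    if packet_len <= path_mtu:
        return [packet_len]
    payload = packet_len - IPV4_HDR
    # Every fragment but the last carries a multiple of 8 payload bytes.
    per_frag = (path_mtu - IPV4_HDR) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IPV4_HDR + chunk)
        payload -= chunk
    return sizes


def max_inner_mtu(path_mtu, tunnel_overhead):
    """Largest inner packet that leaves the host as a single outer packet."""
    return path_mtu - IPV4_HDR - UDP_HDR - tunnel_overhead


def inner_tcp_mss(inner_mtu):
    """TCP MSS that keeps inner IPv4/TCP segments within inner_mtu."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    OVERHEAD = 41  # constructed sample value, not OpenVPN's actual figure
    for path_mtu in (1500, 1440):
        outer = outer_packet_size(1500, OVERHEAD)
        print(path_mtu, outer, ipv4_fragments(outer, path_mtu),
              max_inner_mtu(path_mtu, OVERHEAD))
```

With the sample overhead, a 1500-byte inner packet becomes a 1569-byte outer packet, which a 1500-byte link splits into one full fragment and one small trailing fragment.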
