I'm transporting an OpenVPN UDP tunnel within another OpenVPN UDP tunnel, and am experiencing MTU issues I don't understand.
The inner tunnel uses TAP devices and has an MTU of 1500. It's part of an Ethernet bridge, so ideally I'd like to keep its MTU high (1500 may even be too low since there can be Ethernet frames that won't fit).
The outer tunnel uses TUN devices and also has an MTU of 1500.
The topology looks like this:
+----------+     +----------+                          +----------+     +----------+
| intranet +-----+ router A +---<openvpn in openvpn>---+ router B +-----+ Internet |
+----------+     +----------+                          +----------+     +----------+
When connecting to an https server on the intranet from the Internet (with the connection being forwarded via OpenVPN), the SSL handshake hangs. I can see packets like this in tcpdump on router A, entering the inner tunnel:
09:18:15.637834 IP (tos 0x0, ttl 63, id 13034, offset 0, flags [DF], proto TCP (6), length 1296) 10.74.91.26.443 > 184.108.40.206.47880: Flags [.], cksum 0x129a (correct), seq 1:1245, ack 518, win 59, options [nop,nop,TS val 1110009216 ecr 948988316], length 1244
If I lower the MTU on the inner OpenVPN link to 1292 on router A, everything works. Larger values don't work.
The outer tunnel is established over physical links that have an MTU of 1500. Both routers run Linux.
(In case you're wondering, the double tunnel is needed because the outer tunnel uses route-based failover and load-balancing, which must be transparent to the bridge the inner tunnel is part of.)
There are a number of things I don't know:
1. What happens to frames larger than 1292 bytes that router A receives on its physical Ethernet interface, which is part of the same bridge as the inner OpenVPN TAP device? If I lower the MTU on the TAP device to 1292, the MTU of the entire bridge changes to 1292. Can it still receive larger frames, just not send them, causing any that would need to be bridged to be dropped?
2. Why are packets being dropped silently?
3. How should I set mtu, fragment, mssfix, tun-mtu, etc. to be able to forward 1518-byte Ethernet frames in the inner UDP tunnel?
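A way to check a capture for the failure mode described above (a DF packet larger than the inner link MTU that is dropped without the connection ever recovering), as an added example that is not part of the original post: it parses lines in the `tcpdump -v` format shown and separates packets that a given link MTU would drop (DF set) from ones it would fragment. The first sample line is the post's own; the other two are constructed.

```python
import re

# Constructed sample in the `tcpdump -v` format the post shows. The first line
# is the post's own packet; the next two are made up to exercise the check.
SAMPLE_TCPDUMP = """\
09:18:15.637834 IP (tos 0x0, ttl 63, id 13034, offset 0, flags [DF], proto TCP (6), length 1296) 10.74.91.26.443 > 184.108.40.206.47880: Flags [.], cksum 0x129a (correct), seq 1:1245, ack 518, win 59, options [nop,nop,TS val 1110009216 ecr 948988316], length 1244
09:18:15.640112 IP (tos 0x0, ttl 63, id 13035, offset 0, flags [DF], proto TCP (6), length 1292) 10.74.91.26.443 > 184.108.40.206.47880: Flags [.], cksum 0x0000 (correct), seq 1245:2485, ack 518, win 59, options [nop,nop,TS val 1110009217 ecr 948988316], length 1240
09:18:15.641000 IP (tos 0x0, ttl 63, id 13036, offset 0, flags [none], proto TCP (6), length 1400) 10.74.91.26.443 > 184.108.40.206.47880: Flags [.], cksum 0x0000 (correct), seq 2485:3833, ack 518, win 59, options [nop,nop,TS val 1110009218 ecr 948988316], length 1348
"""

# Matches the IP header summary that `tcpdump -v` prints before the TCP part.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl \d+, id (?P<id>\d+), offset \d+, "
    r"flags \[(?P<flags>[^\]]*)\], proto \w+ \(\d+\), length (?P<len>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def parse_tcpdump(text):
    """Return one dict per parsable line: IP id, total IP length, DF bit, endpoints."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not IPv4 summaries
        pkts.append({
            "id": int(m["id"]),
            "ip_len": int(m["len"]),
            "df": "DF" in m["flags"].split(","),
            "src": m["src"],
            "dst": m["dst"],
        })
    return pkts


def blackhole_candidates(pkts, link_mtu):
    """Split packets that do not fit link_mtu into (dropped, fragmented).

    A packet larger than the link MTU with DF set is dropped; the sender only
    learns this if an ICMP 'fragmentation needed' reaches it. Without DF the
    packet is fragmented and the connection keeps working.
    """
    dropped, fragmented = [], []
    for p in pkts:
        if p["ip_len"] <= link_mtu:
            continue
        (dropped if p["df"] else fragmented).append(p)
    return dropped, fragmented
```

Running `blackhole_candidates(parse_tcpdump(SAMPLE_TCPDUMP), 1292)` flags the post's 1296-byte DF packet as dropped, which matches the observation that 1292 works and larger values do not.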