Fragment Directive
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Jun 19, 2013 1:32 pm
Fragment Directive
I'm getting an error that fragment directive is not supported. Any ideas?
-
- OpenVPN Power User
- Posts: 52
- Joined: Sun Jun 05, 2011 7:50 pm
Re: Fragment Directive
plays88keys wrote: I'm getting an error that fragment directive is not supported. Any ideas?
Taken from the OpenVPN Connect iOS FAQ:
"The fragment directive is not supported due to the complexity it adds to the OpenVPN implementation and the fact that it is usually better to leave fragmentation up to the lower-level transport protocols. Note as well that the client does not support connecting to a server that uses the fragment directive."
However I believe that this option is one of the most important directives, complex or not. It resolves problems in many situations that cannot be resolved otherwise or only with a lot more effort. For example some of our employees have SoHo routers at home that crash when receiving a lot of large UDP packets. Simply add "--fragment 1460" and everyone is happy again.
-
- OpenVPN User
- Posts: 25
- Joined: Mon Jul 08, 2013 7:00 am
Re: Fragment Directive
I agree, I'd like to see support for the fragmentation directive in the iOS app. In addition to the problem mentioned it can also be used to lighten the app's workload (as I understand it... and I don't... so if I'm wrong please let me know).
In this article (https://community.openvpn.net/openvpn/w ... orks_Linux), it says that using '--fragment 0' (and '--mssfix 0') improves performance "by disabling OpenVPN's internal fragmentation routines... feeding larger packets to the OpenSSL encryption and decryption routines... The second advantage of not internally fragmenting packets is that this is left to the operating system and to the kernel network device drivers."
So, as I understand it (and again correct me if I'm wrong) '--fragment 0' could also be used to reduce the workload of the OpenVPN iOS app. At the very least, the '--fragment 0' directive should be considered for the next iOS app update.
- jamesyonan
- OpenVPN Inc.
- Posts: 169
- Joined: Thu Jan 24, 2013 12:13 am
Re: Fragment Directive
"fragment 0" on OpenVPN 2.x doesn't actually do anything. It essentially disables OpenVPN's internal fragmentation routines, however those routines are normally disabled by default anyway. Only "fragment n" where n is non-zero will actually enable OpenVPN's internal fragmentation routines.
The fragment directive is not for performance. It actually significantly reduces performance when used. Its use case is when you must communicate through misconfigured routers that don't properly manage IP fragmentation.
James
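An added example, not part of any post in this thread: a small Python check that finds the active fragment directives in a profile and classifies them along the lines of the explanation above (0 is a no-op on OpenVPN 2.x, a non-zero value turns on internal fragmentation). The function name, verdict labels and sample profile are constructed for illustration.

```python
import re

# Constructed sample profile for illustration (not taken from the thread).
SAMPLE_PROFILE = """\
client
proto udp
remote vpn.example.com 1194
# fragment 1300  (commented out, so ignored)
fragment 0
fragment 1460
mssfix 0
<ca>
fragment 1200
</ca>
"""

def audit_fragment(profile_text):
    """Return (line_no, argument, verdict) for each active fragment directive."""
    findings = []
    inline_tag = None  # set while inside an inline <tag> ... </tag> block
    for line_no, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue  # embedded key/cert material is not configuration
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            inline_tag = opened.group(1)
            continue
        tokens = line.split()
        # Accept both "fragment n" (config file) and "--fragment n" (command line).
        if not tokens or line.startswith(";") or tokens[0].lstrip("-") != "fragment":
            continue
        arg = tokens[1] if len(tokens) > 1 else ""
        if not arg.isdigit():
            verdict = "invalid argument"
        elif int(arg) == 0:
            verdict = "no-op: internal fragmentation is already off by default"
        else:
            verdict = "enables internal fragmentation"
        findings.append((line_no, arg, verdict))
    return findings

if __name__ == "__main__":
    for line_no, arg, verdict in audit_fragment(SAMPLE_PROFILE):
        print(f"line {line_no}: fragment {arg} -> {verdict}")
```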
-
- OpenVPN User
- Posts: 25
- Joined: Mon Jul 08, 2013 7:00 am
Re: Fragment Directive
Thanks for the explanation James!
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Aug 02, 2013 11:12 am
Re: Fragment Directive
Does anyone know when a new update comes out and whether you can then change the fragments?