I have a dual-stacked network.
client:
- IPv4 MTU 1500
- IPv6 MTU 1280 (because of 6in4 tunnel on the router)
server: native dual stack, tested no MTU issues, Debian wheezy
- MTU 1500
proto udp6 set on both server and client
server domain name has both A and AAAA records and Windows prefers AAAA
With no MTU-related settings on either end, the client's actual MTU is 1500 (pinging the OpenVPN server's tun0 IPv4 address: ping 10.0.0.1 -f -l 1472 succeeds, 1473 gets me ICMP packet too large). I think OpenVPN is clearly doing internal fragmentation. The man page for OpenVPN 2.2 says no fragmentation by default.
I guess allowing packets to be fragmented will decrease performance. So I tried to set link-mtu to 1232 on both sides (IPv6 minimum MTU 1280 - IPv6 header 40 - UDP header 8 = 1232). It connects fine, but on Windows TAP-Windows MTU=1500. ping 10.0.0.1 -f -l 1472 times out with no ICMP packet too large message. I am not filtering ICMP. I guess that has to do with something within OpenVPN. I read that the TAP-Windows MTU can only be changed manually because of Windows Ethernet bridging. So lowering the link-mtu ended up causing problems?
So where can I find up-to-date information on how OpenVPN handles MTU/fragmentation, especially when IPv6 is involved?
BTW, it appears proto udp6 makes the openvpn instance listen on both udp and udp6, which is against what the documentation says?
client log:
proto = udp6
Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4 (Is this a bug? It is clearly connecting via UDPv6)
UDPv6 link remote: [AF_INET6]
# openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
OpenVPN 2.2.1 IPv6 MTU
- janjust
Re: OpenVPN 2.2.1 IPv6 MTU
openvpn 2.2.1+IPv6 is highly experimental and unsupported - redo your testing using 2.3.1 which has much better support for IPv6.
As for the MTU issue: a maximum ping size of 1472 on an adapter with MTU=1500 is normal - the same applies to your ethernet adapters.
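The packet sizes discussed in this thread, worked through as an added example (not code from either poster or from OpenVPN). It assumes the per-packet OpenVPN overhead is the 58 bytes implied by the client log (link-mtu 1558 minus tun-mtu 1500) and that link-mtu counts the UDP payload only, without the UDP and IP headers; all function names are made up for this illustration.

```python
import math

# Fixed header sizes in bytes (no IP options / extension headers assumed).
IPV4_HDR, IPV6_HDR, UDP_HDR, ICMP_HDR, IPV6_FRAG_HDR = 20, 40, 8, 8, 8


def ip_hdr(ipv6):
    return IPV6_HDR if ipv6 else IPV4_HDR


def max_ping_payload(mtu, ipv6=False):
    """Largest echo payload (ping -l) that fits in one packet of size mtu."""
    return mtu - ip_hdr(ipv6) - ICMP_HDR


def outer_packet_size(tun_mtu, overhead, ipv6=True):
    """On-wire size of one full-size tunnel packet after encapsulation."""
    return tun_mtu + overhead + UDP_HDR + ip_hdr(ipv6)


def ipv6_fragment_count(udp_payload, path_mtu):
    """IPv6 packets the sending host emits for one UDP datagram."""
    datagram = UDP_HDR + udp_payload
    if IPV6_HDR + datagram <= path_mtu:
        return 1
    # Every fragment but the last carries a multiple of 8 bytes.
    per_fragment = (path_mtu - IPV6_HDR - IPV6_FRAG_HDR) // 8 * 8
    return math.ceil(datagram / per_fragment)


def largest_tun_mtu(path_mtu, overhead, ipv6=True):
    """Largest inner MTU whose encapsulated packet fits the outer path."""
    return path_mtu - ip_hdr(ipv6) - UDP_HDR - overhead


def thread_numbers(tun_mtu=1500, link_mtu=1558, path_mtu=1280):
    """Values from the thread: log line MTUs and the 6in4 path MTU."""
    overhead = link_mtu - tun_mtu  # assumption: constant per packet
    return {
        "max_ping_on_tun": max_ping_payload(tun_mtu),
        "outer_packet": outer_packet_size(tun_mtu, overhead),
        "fragments_default": ipv6_fragment_count(link_mtu, path_mtu),
        "fragments_link_mtu_1232": ipv6_fragment_count(1232, path_mtu),
        "largest_tun_mtu": largest_tun_mtu(path_mtu, overhead),
    }


if __name__ == "__main__":
    for name, value in thread_numbers().items():
        print(f"{name}: {value}")
```

Under these assumptions a full 1500-byte tunnel packet becomes a 1606-byte IPv6 packet, so over the 1280-byte path the sending host's IP stack splits it into two fragments, while a link-mtu of 1232 leaves an inner MTU of 1174, smaller than a 1472-byte ping.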