MTU issue

albertnguyen
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 18, 2014 4:25 am

MTU issue

Post by albertnguyen » Fri Apr 18, 2014 9:39 am

I've been using OpenVPN for several years. This month my systems were updated to avoid the Heartbleed security bug, and the VPN connection suddenly became unstable. I did some packet captures and discovered that it was MTU-related. Referring to the manual, I appended some lines to the server & client configurations:

tun-mtu 1500
fragment 1300
mssfix 1300

But the problem was not solved, even with smaller values.

This is my network topology:

[image: network topology]

HostA: Broadband router with HTTP management interface.
OpenVPN Server: Arch Linux, kernel 3.14.1-1-ARCH. OpenVPN v. 2.3.3. VPN UDP Tunnel.
OpenVPN Client: Windows 7 SP1. OpenVPN v. 2.3.3

Ping tests are smooth with a small payload or with the Don't Fragment flag not set; however, when replying to HTTP requests from the Client, both HostA and the Server keep sending big packets which are discarded before entering the VPN tunnel. Thus many TCP Duplicate ACKs and TCP Retransmissions appear and the connection becomes unusable.

[screenshot: packet capture]

More packet captures here: https://drive.google.com/file/d/0B_e-dR ... sp=sharing

My server configuration:

local 192.168.1.4
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
fragment 1300
mssfix 1300

My client configuration:

client
dev tun
proto udp
remote (myaddress) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
tun-mtu 1500
fragment 1300
mssfix 1300

Please help.

Thank you very much.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: MTU issue

Post by maikcat » Tue Apr 22, 2014 1:07 pm

You can always try to determine the optimal MTU by using:

ping -M do -s <size> server

on Linux, or using

ping -f -l <size> server

Michael.
Amiga 500, ZX +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
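The probing Michael describes, turned into a search: this added example (not from the thread) binary-searches the largest ICMP payload that passes with Don't Fragment set and converts it to a path MTU. It assumes Linux iputils `ping -M do -s`; the host name and the 1464-byte mock result used for offline testing are constructed.

```shell
#!/bin/sh
# probe_real SIZE HOST: one DF ping with SIZE payload bytes; exit 0 if it got through.
probe_real() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LO HI: largest payload in [LO,HI] for which PROBE succeeds.
# PROBE is a function name so a mock can replace the real ping when testing offline.
find_max_payload() {
    probe=$1 host=$2 lo=$3 hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid; lo=$((mid + 1))   # fits through the path: search upward
        else
            hi=$((mid - 1))              # "Message too long" or lost: search downward
        fi
    done
    echo "$best"
}

# The IPv4 header (20 bytes) and ICMP header (8 bytes) sit on top of the payload,
# so a 1464-byte payload corresponds to a 1492-byte path MTU (typical for PPPoE).
payload_to_mtu() { echo $(( $1 + 28 )); }

# Usage: sh pmtu.sh <host>   (runs real probes only when a host is given)
if [ -n "${1:-}" ]; then
    p=$(find_max_payload probe_real "$1" 0 1500)
    echo "largest DF payload: $p bytes -> path MTU $(payload_to_mtu "$p")"
fi
```

Pick OpenVPN's fragment/mssfix values below the MTU this reports, since the tunnel's own headers add to every encapsulated packet.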

albertnguyen
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 18, 2014 4:25 am

Re: MTU issue

Post by albertnguyen » Wed Apr 23, 2014 3:16 am

Hi Michael,

Thanks for your advice. I've tried that and my optimal MTU is 1464.

But I think I have to make it clearer: whichever values the MTU & MSS are set to, the VPN server still sends out bigger-than-allowed packets.

As you can see in my screenshot, the first SYN indicates the MSS value is 1214, and for the second SYN it's 1460 (?). I set mssfix 1300 on both sides.

The host at the server side (and the server itself) still transmits some TCP segments with 2400+ bytes length (red ovals). There must be something wrong here. It should have been around half of that.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: MTU issue

Post by maikcat » Wed Apr 23, 2014 6:39 am

The directive tun-mtu can be specified but the Windows version of
OpenVPN cannot alter the actual MTU setting, as Windows did not support this until Windows
Vista. OpenVPN, however, does not yet have the capability of altering the MTU size on
Windows Vista or Windows 7.

This was taken from Jan Just's book OpenVPN 2 Cookbook...

Michael.

liujed
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 23, 2014 7:06 am

Re: MTU issue

Post by liujed » Wed Apr 23, 2014 7:08 am

I came across this post while debugging my own (similar) issues with OpenVPN. Downgrading to linux-3.13.8-1 might help. Or, at the very least, is a step towards having a usable tunnel. (See https://bbs.archlinux.org/viewtopic.php?pid=1407872.)

albertnguyen
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 18, 2014 4:25 am

Re: MTU issue

Post by albertnguyen » Wed Apr 23, 2014 7:51 am

liujed wrote: I came across this post while debugging my own (similar) issues with OpenVPN. Downgrading to linux-3.13.8-1 might help. Or, at the very least, is a step towards having a usable tunnel. (See https://bbs.archlinux.org/viewtopic.php?pid=1407872.)

So it is confirmed to be a Linux kernel problem and hopefully it will get corrected soon. Many thanks for your support.
