[Solved] udp connection problem - MTU - mssfix + tun-mtu

[poilkj]

Hello,

I installed and use a openvpn server with udp network connection.
About 20 clients works perfectly.(with udp)
but for two end points ISP Client of the connection is failed
-vpn connect ok (green),
-icmp: ok,
-telnet example server port 80 ok,
-but if i downloaded files or browse http websites the connection bad, i could'n use ssh, http...
test: If the downlodad file is above the 20 kbyte the result failed.
The vpn tunnel only works well with small files (less than 20 kbytes)
The same vpn client (key and config) from other locations works well.

I tested the tunnel with tcp (instead of udp) connection, there was perfect.

This is ISP problem?
or ISP filtering?
the udp tunnel is untrusted connection (beacuse there isnt error correction).

Opinion?
Thanks,
steven

[kia0]

Probably these two clients passes through NAT which does not correctly handle long-term UDP traffic. E.g. some cheap routers looses an UDP "connection" information after few seconds and blocks incoming UDP packets. Or ISP stuff thinks that UDP traffic is not needed for plain users and blocks it.

You can see at log is the VPN connection freezes after some time

[TinCanTech]

for two end points ISP Client of the connection is failed
-vpn connect ok (green),
-icmp: ok,
-telnet example server port 80 ok,
-but if i downloaded files or browse http websites the connection bad, i could'n use ssh, http...
test: If the downlodad file is above the 20 kbyte the result failed.

Sounds like an MTU problem .. you could use TCP from those two clients, which will require a second server running.

[poilkj]

>Sounds like an MTU problem .. you could use TCP from those two clients, which will require a second server running

Yes I installed a second server with tcp openvpn connection. Those clients are useing that new server with tcp protocoll. This is ok.
The ISP and connections is a standard coax cable type with standard router. I didnt see "change MTU parameter" there.

thanks

[TinCanTech]

Yes I installed a second server with tcp openvpn connection. Those clients are useing that new server with tcp protocoll. This is ok.

Good .. that is probably your easiest and most reliable solution.

The ISP and connections is a standard coax cable type with standard router. I didnt see "change MTU parameter" there

MTU can rear up anywhere ..

Make sure you are running up-to date openvpn on server and client ..

This may help for the UDP problem:
https://community.openvpn.net/openvpn/w ... tu-problem

Also, see the manual for MTU related options .. but be careful, you could make things worse. A lot of testing will be required.

[poilkj]

Hello,

)

thanks for the advice:
The udp connection is perfect with these parameters (in client config):
mssfix 1200
tun-mtu 1200

(it wrote this error: "fragment 1200")

Thanks
bye

[TinCanTech]

Great .. thanks for letting us know