Cannot send larger fragments than 71 bytes (!). How to set tun-mtu/link-mtu/mssfix?
Posted: Mon Mar 16, 2020 6:52 pm
Hi,
I am using OpenVPN 2.4.8 on Win 10 to connect to a Sophos SSL-VPN endpoint (runs OpenVPN under the hood and I don't want to use the Sophos client since I am using OpenVPN anyway).
This is my client config:
ip-win32 dynamic
client
dev tun
proto tcp
verify-x509-name "[...]"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
dev-node "OpenVPN"
pull-filter ignore redirect-gateway
route 192.168.20.0 255.255.255.0 vpn_gateway 3
<ca>
[...]
</ca>
<cert>
[...]
</cert>
<key>
[...]
</key>
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
remote [...] 8443
I am suffering from severe connection issues. It seems that the tunnel cannot transport anything larger than 71 byes!
I played around with tun-mtu, link-mtu and mssfix (as well as changing the MTU value of the TAP-Windows adapter) but I have not found any setting that works. However, when I set for example "tun-mtu 1200" in my client config I see the following warnings when connecting:
The interesting part: link-mtu is exactly 72 bytes larger than tun-mtu and for some weird reason the Sophos VPN server seems to set 1572 .... 1572-1500=72 ... can't be a coincidence that my largest ping message that I can send is 71 bytes! I tried setting link-mtu and tun-mtu both lower and higher but I just don't see any changes.
How can I fix this situation?
PS: I tried using the oconf BB tag but it is ignored ... so I'm using the normal code tag.
I am using OpenVPN 2.4.8 on Win 10 to connect to a Sophos SSL-VPN endpoint (runs OpenVPN under the hood and I don't want to use the Sophos client since I am using OpenVPN anyway).
This is my client config:
Client config
ip-win32 dynamic
client
dev tun
proto tcp
verify-x509-name "[...]"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
dev-node "OpenVPN"
pull-filter ignore redirect-gateway
route 192.168.20.0 255.255.255.0 vpn_gateway 3
<ca>
[...]
</ca>
<cert>
[...]
</cert>
<key>
[...]
</key>
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
remote [...] 8443
I am suffering from severe connection issues. It seems that the tunnel cannot transport anything larger than 71 byes!
Code: Select all
C:\Windows\System32>ping 192.168.20.144 -f -l 71
Pinging 192.168.20.144 with 71 bytes of data:
Reply from 192.168.20.144: bytes=71 time=23ms TTL=63
Reply from 192.168.20.144: bytes=71 time=24ms TTL=63
Reply from 192.168.20.144: bytes=71 time=23ms TTL=63
Reply from 192.168.20.144: bytes=71 time=27ms TTL=63
Ping statistics for 192.168.20.144:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 23ms, Maximum = 27ms, Average = 24ms
C:\Windows\System32>ping 192.168.20.144 -f -l 72
Pinging 192.168.20.144 with 72 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.20.144:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Windows\System32>
Code: Select all
Mon Mar 16 14:46:38 2020 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1200)
[...]
Mon Mar 16 14:46:40 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1272', remote='link-mtu 1572'
Mon Mar 16 14:46:40 2020 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1200', remote='tun-mtu 1500'
How can I fix this situation?
PS: I tried using the oconf BB tag but it is ignored ... so I'm using the normal code tag.