Ball of confusion: MTU, mssfix and fragment

barkingdoggy
OpenVpn Newbie
Posts: 10
Joined: Mon May 23, 2016 4:29 pm

Ball of confusion: MTU, mssfix and fragment

Post by barkingdoggy » Tue Feb 23, 2021 6:09 pm

I'm running OpenVPN 2.5 on the server and clients. The server is running ipFire.

One of my Road Warrior OpenVPN clients is experiencing Windows File Explorer time-outs when trying to access shared folders on a Windows server on the “Green” network (LAN). Other Road Warriors are having no such difficulties.

Based on my research, it appears that I have an MTU problem. Based on tests of the OpenVPN server it has (always had) the setting “tun-mtu 1472” in the server.conf file. Here is my confusion...

When I remote to the machine of the person having trouble to determine the MTU, pinging from the client machine to the public IP of the LAN gateway, without the VPN connected, the MTU is also 1472.

Here is the user’s .ovpn config file:
Client Config
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1472
remote xxx.xxx.xxx.xxx 1194
pkcs12 jqpublic.p12
cipher AES-256-CBC
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name xxx.xxx.xxx.xxx name
mssfix 0
auth-user-pass
auth-nocache

But, when I connect the VPN on the user's machine, it's still not able to access the file server shares. So I checked to see what the MTU was between the client and the file server with the VPN connected. The MTU for that connection turns out to be 1340!?

So I changed the "tun-mtu 1472" line in the user’s .ovpn config file to "tun-mtu 1340" and reconnected the VPN. There are some red lines in the connection dialog box about a mismatch in the MTU between the client and the server. But when the connection is made, I can now open/access the shared folders on the Windows server.

It appears that MTUs can be volatile. Is editing the client.ovpn file the right way to deal with MTU volatility? According to my research, a more “elegant” way to solve MTU issues (especially volatility) is to use mssfix. I tried that, but when I checked the mssfix box on the server and set the fragment size to 1400, all my users lost access to the file server.

What if I leave "tun-mtu 1472" and instead add an “mssfix 1300” setting only in the client configs? Is that going to be a better solution for dealing with "volatile" MTUs and clients having different MTUs? Am I misunderstanding this stuff? Thanks.
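
The MTU probing and arithmetic described in the post above, turned into a script as an added example that is not from the original thread or from the OpenVPN project: it binary-searches the path MTU with Don't-Fragment pings (Linux iputils `ping` syntax is assumed, and the probe is injectable so the search can be exercised offline against a simulated path) and derives a client `mssfix` value from the measurement, assuming IPv4 and OpenVPN 2.5's convention that `mssfix` counts the UDP payload without the 28-byte IP/UDP headers.

```python
import subprocess
from typing import Callable

IP_UDP_HEADERS = 28   # IPv4 (20) + UDP (8); assumes an IPv4 path to the server
ICMP_HEADERS = 28     # IPv4 (20) + ICMP (8); on-wire size = ping payload + 28


def ping_df(host: str, payload: int, timeout: int = 2) -> bool:
    """One ping with DF set and `payload` data bytes (Linux iputils flags assumed).
    Exit status 0 means the packet got through unfragmented."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(host: str, probe: Callable[[str, int], bool] = ping_df,
                  lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest DF packet that passes; returns the path MTU in bytes.
    lo = IPv4 minimum reassembly size (assumed to always pass), hi = Ethernet MTU."""
    lo_p, hi_p = lo - ICMP_HEADERS, hi - ICMP_HEADERS
    if not probe(host, lo_p):
        raise RuntimeError("minimum-size probe failed: host unreachable or ICMP filtered")
    while lo_p < hi_p:
        mid = (lo_p + hi_p + 1) // 2   # round up so the search always makes progress
        if probe(host, mid):
            lo_p = mid                  # mid fits, so the answer is at least mid
        else:
            hi_p = mid - 1              # mid was dropped, answer is smaller
    return lo_p + ICMP_HEADERS


def openvpn_settings(path_mtu: int) -> dict:
    """Client-side values for the measured path MTU. mssfix clamps TCP MSS so each
    encapsulated UDP packet fits; fragment would need the same value on both ends."""
    udp_payload = path_mtu - IP_UDP_HEADERS
    return {"mssfix": udp_payload, "fragment": udp_payload}


if __name__ == "__main__":
    # Constructed stand-in for the network: a path that passes 1340-byte packets and drops bigger ones.
    simulated = lambda host, payload: payload + ICMP_HEADERS <= 1340
    mtu = find_path_mtu("192.0.2.1", probe=simulated)
    print(f"path MTU {mtu} -> {openvpn_settings(mtu)}")
```

For the 1340-byte path measured in the post this gives mssfix 1312, so the proposed round-down to 1300 stays within the path under these assumptions; note that mssfix only shapes TCP sessions inside the tunnel (such as the SMB file-share traffic here), not UDP traffic or OpenVPN's own control packets.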

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Ball of confusion: MTU, mssfix and fragment

Post by TinCanTech » Tue Feb 23, 2021 6:25 pm

Openvpn does not have a good track record of dealing with MTU issues.

It offers highly untested options which may or may not do what they say on the tin.

If you don't understand how to deal with network PMTU problems then you will either have to hire someone who does or hope and pray. Study the manual at length.

If all else fails then I am available for hire.

barkingdoggy
OpenVpn Newbie
Posts: 10
Joined: Mon May 23, 2016 4:29 pm

Re: Ball of confusion: MTU, mssfix and fragment

Post by barkingdoggy » Thu Feb 25, 2021 9:42 pm

How do I hire you?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Ball of confusion: MTU, mssfix and fragment

Post by TinCanTech » Thu Feb 25, 2021 9:48 pm

This is my email: tincanteksup <at> gmail
