suggested MSS feature for "proto tcp" operation
Posted: Thu May 05, 2011 2:37 pm
We are using OpenVPN 2.1 to traverse a Cisco ASA firewall and are running in TCP mode since the firewall is configured to block UDP. Discovered that by default the ASA rewrites the MSS field in all new connections with the value 1380. This is intended to guarantee TCP packets will fit in IPSEC tunnels without fragmentation, but is applied to all traffic regardless of whether it traverses an IPSEC tunnel.
Presently OpenVPN is unaware of the MSS adjustment and the default MSS values result in packet fragmentation in the OpenVPN tunnel. We found that this is corrected with "link-mtu 1368" added to the configuration on both ends. Possibly "tun-mtu 1420" would produce the same effect but we did not try it.
Suggestion is to have OpenVPN read the connection MSS value with a 'getsockopt(TCP_MAXSEG)' call and then calculate the optimal tunnel inner MTU value using it.
Also could the documentation for "tun-mtu" and "link-mtu" be expanded and clarified somewhat? Found it confusing and had to experiment quite a bit to figure it out.
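As an added illustration of the suggestion above (this is example code, not part of the original post and not OpenVPN's own code), the block below reads the negotiated MSS of a connected TCP socket with getsockopt(TCP_MAXSEG) and derives a link-mtu from it. The function names, the loopback demo in main(), and the 12-byte framing allowance are assumptions: the allowance is simply chosen so that the ASA's rewritten MSS of 1380 yields the "link-mtu 1368" the poster found to work; it is not a documented OpenVPN formula, and a real implementation would need the actual per-packet overhead of the configured cipher, HMAC and TCP framing.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>

/* Hypothetical framing allowance in bytes. Chosen so that the MSS of 1380
 * observed behind the ASA maps to the link-mtu of 1368 reported to work in
 * the post. This is an assumption for the example, not an OpenVPN constant. */
#define ASSUMED_TCP_MODE_OVERHEAD 12

/* Derive a link-mtu from an observed MSS.
 * Returns -1 for unusable input: a zero or negative MSS, a negative
 * overhead, or an MSS no larger than the overhead (would give mtu <= 0). */
int link_mtu_from_mss(int mss, int overhead)
{
    if (mss <= 0 || overhead < 0 || mss <= overhead)
        return -1;
    return mss - overhead;
}

/* Read the MSS in effect on a connected TCP socket via TCP_MAXSEG.
 * Returns the MSS, or -1 if getsockopt fails (e.g. bad descriptor).
 * On Linux an unconnected socket reports a default value, so this is only
 * meaningful after connect() or accept() has completed. */
int socket_mss(int fd)
{
    int mss = 0;
    socklen_t len = sizeof(mss);
    if (getsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &mss, &len) != 0)
        return -1;
    return mss;
}

int main(void)
{
    /* Demonstrate on a loopback connection so the program runs offline. */
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0; /* let the kernel pick a free port */

    int listener = socket(AF_INET, SOCK_STREAM, 0);
    if (listener < 0 || bind(listener, (struct sockaddr *)&addr, alen) != 0 ||
        listen(listener, 1) != 0 ||
        getsockname(listener, (struct sockaddr *)&addr, &alen) != 0) {
        perror("listen");
        return 1;
    }
    int client = socket(AF_INET, SOCK_STREAM, 0);
    if (client < 0 || connect(client, (struct sockaddr *)&addr, alen) != 0) {
        perror("connect");
        return 1;
    }
    int server = accept(listener, NULL, NULL);
    if (server < 0) {
        perror("accept");
        return 1;
    }

    int mss = socket_mss(client);
    printf("loopback MSS reported by TCP_MAXSEG: %d\n", mss);
    printf("derived link-mtu for that MSS: %d\n",
           link_mtu_from_mss(mss, ASSUMED_TCP_MODE_OVERHEAD));
    printf("for the ASA's rewritten MSS of 1380: link-mtu %d\n",
           link_mtu_from_mss(1380, ASSUMED_TCP_MODE_OVERHEAD));

    close(server);
    close(client);
    close(listener);
    return 0;
}
```

The loopback MSS printed by main() will be far larger than 1380 because the loopback interface has a large MTU; the point is only that TCP_MAXSEG reflects whatever the path (here the kernel, in the post the ASA) has negotiated, so a daemon reading it after the connection is up would see the rewritten value instead of assuming a 1500-byte path.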