OpenVPN & MTU Discovery Questions

xtlosx

Hey Guys, here is my current setup…

WAN ----------> pfsens ------> wifi-network (192.168.50.x)
                                    ------> Internal --> OpenVPN Server (192.168.1.x)

So here is my problem...  I have an Openvpn server inside of my LAN, I can successfully connect to it from the outside, can get to all of my routes, can do everything, except for... when I put heavy load under it, kernel building, system updates, things of that nature, the connection locks up... So I poked around on the openvpn site, and saw there were some MTU discovery options that I should enable in my config.. so I did..... still have the same issues... I got some advice from some people that my gateway, pfsense box, might be blocking mtu discovery packets.. although, from the external world, icmp is allowed to hit the pfsense gateway box.....

I use the VPN from work, and this happens.. I also use the pfsense box as a wifi ap, and secure the connection with openvpn as well, and everything works as it should that way too, just like external vpn, but when i put heavy load under it, the connection hangs.. so I have a feeling it is something to do with the pfsense box....

What else could be causing my woes, is there something I should do on the pfsense box that can remedy this?

Thanks for any help in advance!

GruensFroeschli

what kind of WAN connection do you use?

xtlosx

It is actually a PPPoE connection, which I read is known to cause issue with this….  For what it's worth.. I was having issues with my Xbox being able to get an open nat, miniupnpd didn't work either.. so I fiddled with NAT, and used manual outbound nat generation, and used static ports... that solved that... and now it seems like my tunnel isn't locking up......

which isn't related in any way but just an observation.....

It would be best to change the MTU to 1492 on all of the boxes behind my vpn gateway you think?

edit: changing the MTU on my boxes still hangs them... most notably.. on one of my gentoo boxes, emerge -uavDN world kills the connection, on a CentOS box, yum update kills it when it is updating the repo's..........

GruensFroeschli

I thought you might be using PPPoE.
The problem with PPPoE is that if you saturate one of the streams the other stream will becom really slow.
–> Heavy (down)load and you will get lots of timeouts.

you might want to use traffic-shaping since then you can define a max-traffic limit so that your line just not gets saturated (and thus does not lock up your other stream).

xtlosx

hmm… this puts a damper on say for instance, scp'ing things over the tunnel because it would be shaped in such a fashion as to keep it real low and not allow the full speed...

damnit PPPoE....

changing the MTU on either side of the tunnel won't do me any good eh?

This shouldn't affect the wifi clients who use my access points though since they don't touch the PPPoE interface.... simply changing the MTU on those machines should be fine?

GruensFroeschli

You shouldnt notice much of the shaping if it's setup correctly, since you should choose values that are just below your max speed.

I dont think you need to change the MTU.
Or are you experiencing the same problems if you are connecting directly via the WLAN?
If yes you might have undersized hardware. The VPN encryption takes quite a bit of CPU-power if you want high throughput. (ie the WRAP is hopelessly undersized) And if your CPU is maxed out you can get high pings and observe the "hanging".

xtlosx

I experience the same issue when I am on the wifi AP that pfsense runs as well…....

Both networks, which use openvpn exhibit the same behavior....

if it was the MTU, the wifi VPN would be just fine.. but it does the same thing.. which is weird to me.

xtlosx

so now here is what is weird… when a client connects to the wireless access point.... and then connects to the VPN server... the same thing happens, it locks up when I put some heavy work on the VPN....

what is going on with openvpn???