MTU issue? unable transmit large data

wjs

I've got openVPN running successfully. I can see all of the machines on the local network and communicate with them.

The problem occurs when I try any kind of 'heavy' ssh traffic or 'heavy' samba traffic.
With ssh I am able to log in and run basic commands (uptime, cd, top) without issue.  If I try an ls of a large directory I get maybe 1/3 through the listing and the output hangs(the location is fairly reproducible) it will continue eventually and takes about 2 minutes to run the entire command (according to the time command). If i run the same command and pipe the output to something off screen it takes less than 1 second to complete.

With samba shares I can generally navigate through them but if I arrive at a folder with a large amount of (usually) large files everything slows way down, almost as if its hanging temporarily like with ssh. If I try to open a file i am unable to and the explorer window often becomes unresponsive.

My research has led me to believe that it could be an issue with mtu size although I do not see mtu errors in the logs.

Any help or advice would be greatly appreciated!!

Setup:
'road warrior' laptop(currently not firewalled) talking to a wrt54gl running ddwrt. This 'ap' is doing little more than dhcp; there is no wan connection to it. Its mtu size is set at 1500. The wifi is plugged into the wan port on a pfsense box. This box acts as a vpn endpoint for secure wifi access to the lan. There is another pfsense box with active wan points which provides internet access and other services to the lan.

wifi clients -> wifi ap -> pfsense box 1 ->{lan servers, hardwired desktops} <-pfsense box 2 <-{internet}

I can post logs/configs as needed.

wjs

Well i've been doing some more research…
I am able to pull down large files (linux iso's, etc) at a speed reasonable for my wan connections via http.
Skype works just fine. As does Google talk.

I am unable to use windows remote desktop to connect to computers on the lan through the vpn.

so what do ssh, samba and rdc have in common that http and skype don't?

wjs

I've found people with similar problems but from several years ago.
see this thread:
http://openvpn.net/archive/openvpn-users/2003-09/msg00038.html

I've tried their suggestions about mtu sizes with no luck.

does anyone have a working openvpn road warrior setup they would like to share?

chazers18

i know that RDP is a TCP program and untill Pfsense is upgraded with a Wan Accelerator any thing that is "TCP Chatty" is going to be slower than ideal.

i do have a working config but it is just the same as some of the Vanilla configs out there.

also i have dual wans so i have the fail over retry config here

float
port 1194
dev tun
dev-node vpn
#dev-node ovpn <-ovpn is the name of the renamed interface
proto tcp-client
remote ip.ad.dr.ess 1194
remote ip.ad.dr.ess  1194
resolv-retry 30
ping 10
persist-tun
persist-key
tls-client
ca ca.crt
cert cert.crt
key key.key
ns-cert-type server
#comp-lzo <- to enable remove the #
pull
verb 4

GruensFroeschli

@wjs:

does anyone have a working openvpn road warrior setup they would like to share?

pfSense config autocreated by the GUI:

$ less /var/etc/openvpn_server0.conf
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 10.0.3.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
lport 1194
push "dhcp-option DISABLE-NBT"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
persist-remote-ip
float
push "route 10.0.0.0 255.255.254.0"

windows-client:
client
dev tun
proto tcp
remote myserver.mydomain.internet 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert dskt6624.crt
key dskt6624.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3

wjs

Thanks chazers18 and GruensFroeschli for your replies.

I don't see any major differences between your posts and mine. I'm thinking that I might have miss-configured something in the routing or nating on one of the boxes.

As a follow up, RDC also 'kinda works'. I can connect to one machine (of the two that I tried so far). That being said the connection is unusable; it drops in and out, doesn't hardly refresh, and is unresponsive to input.

I am thinking about merging the functionality of the two machines to see if that fixes this. It should simplify things at least…

Oh well, wish me luck.