Netgate Discussion Forum

    INFO: OpenVPN and MTU

    phil.davis

      I had some trouble with OpenVPN links when we changed to a different ISP. We found we could ping across the OpenVPN site-to-site link with packet size up to 1291 bytes:

      ping other-end-pfsense -l 1291
      

      But 1292 or bigger failed.
      We could ping the public IP of other-end-pfsense with any packet size.
      It seems that somehow the process of OpenVPN encrypting and adding its headers/protocol etc to the packets makes them too big for something across the new ISP link.
      To fix this we tried putting the following in the Advanced box at each end of the site-to-site OpenVPN link:

      fragment 1400;mssfix
      

      This causes OpenVPN to internally fragment packets over 1400 bytes. "mssfix" causes it to notify the sender of TCP packets about the issue, so for TCP the sender can adjust their packet size.
      The OpenVPN documentation says that using "fragment" adds 4 bytes to the OpenVPN header. We did indeed see that now we could ping to a maximum of 1287 bytes (compared to 1291 previously).
      Up to 1287 is fine, 1288 to 1308 bytes would not ping, 1309 and above worked. Presumably a 1309 byte raw packet translates into a 1400 byte OpenVPN encrypted and encapsulated packet, and the "fragment 1400" causes that to be fragmented and happily sent across the link. Packets from 1288 to 1308 bytes were not fragmented, and did not get across the link.
      We reduced the fragment parameter to see the effect:

      fragment 1390;mssfix
      

      Up to 1287 is fine, 1288 to 1298 bytes would not ping, 1299 and above worked.

      fragment 1380;mssfix
      

      Up to 1287 is fine, 1288 bytes would not ping, 1289 and above worked. With this there is just one exact packet size that does not transit the link OK!

      fragment 1379;mssfix
      

      ping works for all packet sizes.

      Lessons:

      1. Get an ISP backbone that takes the default packet sizes; failing that:
      2. Be aware that with a largish fragment size there can be a middle range of packet sizes that still do not work. Mess with the setting and test a lot of different packet sizes, otherwise you might have really odd problems if some particular packet sizes do not work.
      3. Reduce fragment nnnn a bit below what you exactly need - should help when your ISP gets even worse.
      4. Test a good range of packet sizes every now and then to see if your ISP has got worse (or better), then adjust "fragment nnnn" appropriately.

      Please comment if you have other useful experience of this stuff.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
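As an added illustration, not part of phil.davis's post, here is a Python model of the "dead zone" his numbers show. It assumes a fixed per-packet tunnel overhead and a fixed upstream size limit (both assumptions, not OpenVPN's documented behaviour), calibrates them from the fragment 1400 run, and then predicts the failing range for the other fragment values; failing_ranges() does the same bookkeeping on a real ping sweep recorded as a {size: reachable} table.

```python
"""Model of the OpenVPN 'fragment' dead zone seen in the post above (constructed
example: the figures are the post's ping results; the fixed-overhead model is an
assumption that reproduces every run in the post)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelModel:
    encap_overhead: int  # bytes the tunnel wraps around a `ping -l N` packet
    link_max: int        # largest encapsulated packet the ISP path delivers

    @classmethod
    def from_run(cls, max_ok_ping, fragment, first_fragmented_ping):
        """Calibrate from one run: largest size passing unfragmented, the
        `fragment` in force, and the smallest size that passed again."""
        # The size just below first_fragmented_ping encapsulates to exactly `fragment`.
        overhead = fragment - (first_fragmented_ping - 1)
        return cls(overhead, max_ok_ping + overhead)

    def delivered(self, ping_size, fragment):
        encap = ping_size + self.encap_overhead
        # Over `fragment` OpenVPN splits it and it gets through; at or under it
        # goes out whole and must fit the ISP limit.
        return encap > fragment or encap <= self.link_max

    def dead_zone(self, fragment):
        """(lo, hi) of ping sizes that fail for this `fragment`, or None."""
        lo = self.link_max - self.encap_overhead + 1
        hi = fragment - self.encap_overhead
        return (lo, hi) if lo <= hi else None

def failing_ranges(results):
    """Collapse a {size: reachable} sweep table into sorted failing (lo, hi) ranges."""
    ranges, start, prev = [], None, None
    for size in sorted(results):
        if not results[size]:
            start = size if start is None else start
        elif start is not None:
            ranges.append((start, prev))
            start = None
        prev = size
    if start is not None:
        ranges.append((start, prev))
    return ranges

# Calibrated from the "fragment 1400" run: 1287 passed, 1288-1308 failed, 1309 passed.
MODEL = TunnelModel.from_run(max_ok_ping=1287, fragment=1400, first_fragmented_ping=1309)

def simulate_sweep(fragment, sizes=range(1280, 1320)):
    return {n: MODEL.delivered(n, fragment) for n in sizes}
```

With the post's figures the model puts the upstream limit at 1379 encapsulated bytes, which is exactly the fragment value at which the dead zone closes; any larger fragment value leaves a gap starting at 1288, as the 1390 and 1380 runs showed.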

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.