Date:      Tue, 21 Sep 2004 15:38:25 +0200
From:      Aragon Gouveia <aragon@phat.za.net>
To:        freebsd-net@freebsd.org
Subject:   Re: Wierd tunnel+MTU issue
Message-ID:  <20040921133825.GB37317@phat.za.net>
In-Reply-To: <414FEB86.5CA8694F@freebsd.org>
References:  <20040920184431.GA89606@phat.za.net> <20040921084112.GA21160@phat.za.net> <414FEB86.5CA8694F@freebsd.org>

| By Andre Oppermann <andre@freebsd.org>
|                                          [ 2004-09-21 10:51 +0200 ]
> You are onto something.  It seems tcp_output() doesn't handle the error
> cases it gets from ip_output() all too well these days.  I suspect this
> is the same problem we have in kern/71184.  I'll look into it later today.

Andre, don't let me stop your bughunting, but I think I've found a nifty
workaround for now. :)

OpenVPN has an "mssfix" setting. (something vtun seems to lack)

It looks like it does nothing more than rewrite the MSS field of TCP SYN
packets that flow over the tunnel.  It is making things work now.  Here are
two tcpdump transcripts, one from each machine:

From <host>:

15:20:01.440318 <host>.1580 > <notebook>.80: S 1953310673:1953310673(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 613304556 0> (DF) [tos 0x10]
15:20:01.628822 <notebook>.80 > <host>.1580: S 4026187601:4026187601(0) ack 1953310674 win 65535 <mss 1328,nop,wscale 1,nop,nop,timestamp 337184221 613304556> (DF)


From <notebook>:

15:20:01.603596 <host>.1580 > <notebook>.80: S 1953310673:1953310673(0) win 57344 <mss 1328,nop,wscale 0,nop,nop,timestamp 613304556 0> (DF) [tos 0x10] 
15:20:01.603771 <notebook>.80 > <host>.1580: S 4026187601:4026187601(0) ack 1953310674 win 65535 <mss 1452,nop,wscale 1,nop,nop,timestamp 337184221 613304556> (DF)


Notice the altered MSS after it's passed through the tunnel.

The above example was performed after increasing the tunnel interface's MTU
to 1412 as well (I felt like experimenting further).  So far so good. 
Everything that was broken prior to this change is now working.

In case anyone else has this problem, here are the settings I added to my
openvpn config:

link-mtu 1456
mssfix 1412

The mssfix setting should only need to be set on one of the VPN end-points,
but setting it on both shouldn't break anything (I think).  I increased
link-mtu just for the sake of maybe getting better performance.  If you
decide to stick with OpenVPN's default MTU you'll probably need an mssfix
value of about 1200.


Regards,
Aragon
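
The MSS rewrite described in the message above, as an added example that is not part of the original e-mail and is not OpenVPN's code: a function that lowers the MSS option of a TCP SYN and patches the TCP checksum incrementally (RFC 1624). The sample segment reuses the ports, sequence number and options of the first SYN in the capture; the addresses in `PSEUDO` and the names `csum16`, `clamp_mss` and `sample_syn` are constructed for the example.

```python
import struct

def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071) of data; 0 if data already holds a valid one."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(tcp: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a TCP SYN to max_mss and patch the checksum."""
    if len(tcp) < 20 or not tcp[13] & 0x02:       # too short, or not a SYN
        return tcp
    hdr_len = (tcp[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp):
        return tcp
    i = 20
    while i + 1 < hdr_len and tcp[i] != 0:        # kind 0 = end of option list
        if tcp[i] == 1:                           # kind 1 = NOP, a single byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > hdr_len:    # malformed: leave untouched
            return tcp
        if tcp[i] == 2 and length == 4:           # kind 2 = MSS
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= max_mss:                    # never raise the peer's MSS
                return tcp
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, max_mss)
            a, b = old, max_mss
            if (i + 2) % 2:   # value straddles two checksum words: swap bytes
                a, b = (a >> 8 | a << 8) & 0xFFFF, (b >> 8 | b << 8) & 0xFFFF
            hc = struct.unpack_from("!H", tcp, 16)[0]
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
            fixed = csum16(struct.pack("!3H", hc ^ 0xFFFF, a ^ 0xFFFF, b))
            struct.pack_into("!H", out, 16, fixed)
            return bytes(out)
        i += length
    return tcp

# Constructed sample: pseudo-header with documentation addresses, protocol 6,
# TCP length 40; options are <mss 1460,nop,wscale 0,nop,nop,timestamp ...>.
PSEUDO = bytes([192, 0, 2, 1, 192, 0, 2, 2, 0, 6, 0, 40])
OPTS = bytes.fromhex("020405b4010303000101080a") + struct.pack("!II", 613304556, 0)
def sample_syn() -> bytes:
    seg = struct.pack("!HHIIBBHHH", 1580, 80, 1953310673, 0, 0xA0, 0x02, 57344, 0, 0) + OPTS
    return seg[:16] + struct.pack("!H", csum16(PSEUDO + seg)) + seg[18:]
```

`csum16(PSEUDO + clamp_mss(sample_syn(), 1328))` returning 0 shows the rewritten SYN still verifies against the unchanged pseudo-header, so the receiver accepts it as if the sender had advertised 1328 itself.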


