OpenVPN: How to mitigate path MTU issues on a per-client basis

Tags: ip, ip-fragmentation, mtu, openvpn

We have dozens of embedded devices installed at customers, all calling home to our OpenVPN service. That works fine in general, but a few of our customers have severe path MTU issues. Our influence on the customers to fix their networks is limited, so we need OpenVPN to deal with it. In a nutshell, my question is:

How can I mitigate the low path MTUs of some clients on a per-client basis, that is, without using global settings accommodating the worst case for all clients?

Note that our worst case is pretty bad: path MTU 576, drops all fragments, doesn't fragment itself, doesn't honour the DF bit. You see why I'd prefer not to solve this issue globally.

The OpenVPN manpage offers a number of MTU related options, most notably --link-mtu, --tun-mtu, --fragment and --mssfix. But it also says

–link-mtu […] It's best not to set this parameter unless you know what you're doing.

–tun-mtu […] It's best to use the –fragment and/or –mssfix options to deal with MTU sizing issues.

So I started experimenting with --fragment and --mssfix but soon had to realize that at least the former must be set not only client-side, but also server-side. I then looked into server-side per-client config via --client-config-dir, but it says

The following options are legal in a client-specific context: –push, –push-reset, –iroute, –ifconfig-push, and –config.

No mention of MTU options!

So here are my more specific questions:

  • Why exactly are link-mtu and tun-mtu discouraged? What are the potential problems with these options? Note that I am quite comfortable with low-level IP header munging.
  • Which of the options link-mtu, tun-mtu, fragment and mssfix have to be mirrored on the server side in order to work?
  • Which of the options link-mtu, tun-mtu, fragment and mssfix can be used in client-config-dir?
  • In case all four options have to be mirrored server-side and cannot be used inside client-config-dir: are there any alternatives to combat low path MTU per client?

Notes:

  • Parts of my questions have already been asked 5 years ago here, but they weren't really answered back then, hence I dare to duplicate them.
  • The OpenVPN server is currently 2.2.1 on Ubuntu 12.04. We are preparing an upgrade to 2.3.2 on Ubuntu 14.04.
  • The OpenVPN clients are 2.2.1 on Debian 7.6.
  • I am happy to determine a customer's path MTU myself manually.
  • Currently we cannot test much server-side, but we are building a completely separate test bed, which should be ready soon.

I am thankful for any helpful advice.

Best Answer

I solved the problem on the client side by adding the option mssfix 1300 to the config file.

From the openvpn man page:

--mssfix max
    Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes.

Original idea for my solution came from personalvpn.org
