We have dozens of embedded devices installed at customers, all calling home to our OpenVPN service. That works fine in general, but a few of our customers have severe path MTU issues. Our influence on the customers to fix their networks is limited, so we need OpenVPN to deal with it. In a nutshell, my question is:
How can I mitigate the low path MTUs of some clients on a per-client basis, that is, without using global settings accommodating the worst case for all clients?
Note that our worst case is pretty bad: path MTU 576, drops all fragments, doesn't fragment itself, doesn't honour the DF bit. You see why I'd prefer not to solve this issue globally.
The OpenVPN manpage offers a number of MTU related options, most notably --link-mtu, --tun-mtu, --fragment and --mssfix. But it also says:
--link-mtu [...] It's best not to set this parameter unless you know what you're doing.
--tun-mtu [...] It's best to use the --fragment and/or --mssfix options to deal with MTU sizing issues.
So I started experimenting with --fragment and --mssfix, but soon had to realize that at least the former must be set not only client-side, but also server-side. I then looked into server-side per-client config via --client-config-dir, but it says:
The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config.
No mention of MTU options!
So here are my more specific questions:
- Why exactly are link-mtu and tun-mtu discouraged? What are the potential problems with these options? Note that I am quite comfortable with low-level IP header munging.
- Which of the options link-mtu, tun-mtu, fragment, mssfix have to be mirrored on the server side in order to work?
- Which of the options link-mtu, tun-mtu, fragment, mssfix can be used in client-config-dir?
- In case all four options have to be mirrored server-side, and cannot be used inside client-config-dir: Are there any alternatives to combat low path MTU per client?
Notes:
- Parts of my questions have already been asked 5 years ago here, but they haven't really been answered back then, hence I dare to duplicate them.
- The OpenVPN server is currently 2.2.1 on Ubuntu 12.04. We are preparing an upgrade to 2.3.2 on Ubuntu 14.04
- The OpenVPN clients are 2.2.1 on Debian 7.6
- I am happy to determine a customer's path-MTU myself manually
- Currently we cannot test much server-side. But we are building a complete separate test bed, should be ready soon.
I am thankful for any helpful advice.
Best Answer
I solved the problem on the client side by adding the option
mssfix 1300
to the config file. From the openvpn man page:
Original idea for my solution came from personalvpn.org
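As an added example (not from the question or the answer above), a small POSIX shell script that does the manual per-customer path-MTU determination the asker mentions, by binary-searching DF-flagged pings, and turns the result into a client-side mssfix value. HOST is a placeholder argument, the probe assumes Linux iputils ping, and the 28-byte subtraction (outer IPv4 + UDP headers) for the mssfix value is an assumption about how the option counts bytes in this OpenVPN version.

```shell
#!/bin/sh
# Binary-search the IPv4 path MTU to HOST using pings with the DF bit set,
# then derive a per-customer OpenVPN mssfix value from the result.

# probe SIZE HOST: succeed if a DF-flagged ping of SIZE total IP bytes gets through.
probe() {
    # ping -s takes ICMP payload bytes; subtract 20 (IPv4) + 8 (ICMP) header bytes.
    ping -M do -c 1 -W 1 -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_pmtu HOST LO HI: largest size in [LO,HI] for which probe succeeds.
# LO (the 576-byte IPv4 minimum in main) is assumed to always pass.
find_pmtu() {
    host=$1; lo=$2; hi=$3
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# mssfix_for PMTU: assumed mapping - strip the outer IPv4 (20) + UDP (8)
# headers so the encapsulated datagram fits one unfragmented packet.
mssfix_for() {
    echo $(( $1 - 28 ))
}

main() {
    pmtu=$(find_pmtu "$1" 576 1500)
    echo "path MTU to $1: $pmtu"
    echo "suggested client option: mssfix $(mssfix_for "$pmtu")"
}

# Only run the search when a HOST argument is given (e.g. ./pmtu.sh HOST).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from the customer's side against the VPN server address; the printed mssfix value goes into that customer's client config, leaving the global server settings untouched.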