It looks like on Windows, OpenVPN ignores the MTU it's supposed to be using and just queries the TAP driver for its MTU.

I suspect this was done in the past because there was no way to *set* the MTU that Windows was expected to use. That is no longer the case; recent versions of Windows let you do it by:

    netsh interface ipv[46] set subinterface $DEVICE mtu=$MTU store=active

I do this in OpenConnect on Windows, and I suspect OpenVPN should too.

I'm left with the question of what to do on older versions of Windows where we can't configure the MTU. One option which occurs to me is that we could actually send Windows back an ICMP 'too big' message when it receives a packet which is larger than the VPN MTU. This is horrid, but hey, it's Windows. We *already* do horrider things in TAP-Windows to fake ARP and ND.

What do you think?

-- 
dwmw2