This allows tun-mtu to pushed but only up to the size of the preallocated
buffers. This is not a perfect solution but should allow most of the use
cases where the mtu is close enough to 1500 (or smaller).
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Patch v4: rebase for check_session_cipher name change
Patch v5: remove mention of change of default mtu, remove leftover code
from an earlier approach.
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
Changes.rst | 5 +++
doc/man-sections/client-options.rst | 4 +++
doc/man-sections/vpn-network-options.rst | 5 +++
src/openvpn/init.c | 44 ++++++++++++++++++++----
src/openvpn/mtu.c | 1 +
src/openvpn/mtu.h | 3 ++
src/openvpn/options.c | 15 +++++++-
src/openvpn/options.h | 3 ++
src/openvpn/ssl.c | 3 ++
9 files changed, 75 insertions(+), 8 deletions(-)
diff --git a/Changes.rst b/Changes.rst
index 657227c0f..889689877 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -105,6 +105,11 @@ Secure renegotiation
previously authenticated peer can do trigger renegotiation and complete
renegotiations. This also closes CVE-2021-3568.
+Tun MTU can be pushed
+ The client can now also dynamically configure its MTU and the server
+ will try to push the client MTU when the client supports it. The
+ directive ``--tun-mtu-max`` has been introduced to specify the maximum
+ pushable MTU size (defaults to 1600).
Improved control channel packet size control (``max-packet-size``)
The size of control channel is no longer tied to
diff --git a/doc/man-sections/client-options.rst
b/doc/man-sections/client-options.rst
index 5a906895b..07651479f 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -363,6 +363,10 @@ configuration.
The client announces the list of supported ciphers configured with the
``--data-ciphers`` option to the server.
+ :code:`IV_MTU=<max_mtu>`
+ The client announces the support of pushable MTU and the maximum MTU
+ it is willing to accept.
+
:code:`IV_GUI_VER=<gui_id> <version>`
The UI version of a UI if one is running, for example
:code:`de.blinkt.openvpn 0.5.47` for the Android app.
diff --git a/doc/man-sections/vpn-network-options.rst
b/doc/man-sections/vpn-network-options.rst
index 5b2f84707..2d0e662e4 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -516,6 +516,11 @@ routing.
It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal
with MTU sizing issues.
+--tun-max-mtu maxmtu
+ This configures the maximum MTU size that a server can push to ``maxmtu``.
+ The default for ``maxmtu`` is 1600. This will increase internal buffers
+ allocation for larger packet sizes.
+
--tun-mtu-extra n
Assume that the TUN/TAP device might return as many as ``n`` bytes more
than the ``--tun-mtu`` size on read. This parameter defaults to 0, which
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c6f6865a8..02714b43d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2312,7 +2312,8 @@ pull_permission_mask(const struct context *c)
| OPT_P_ECHO
| OPT_P_PULL_MODE
| OPT_P_PEER_ID
- | OPT_P_NCP;
+ | OPT_P_NCP
+ | OPT_P_PUSH_MTU;
if (!c->options.route_nopull)
{
@@ -2475,6 +2476,25 @@ do_deferred_options(struct context *c, const unsigned
int found)
}
}
+ /* Cipher is considered safe, so we can use it to calculate the max
+ * MTU size */
+ if (found & OPT_P_PUSH_MTU)
+ {
+ /* MTU has changed, check that the pushed MTU is small enough to
+ * be able to change it */
+ msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d",
c->options.ce.tun_mtu);
+
+ struct frame *frame = &c->c2.frame;
+
+ if (c->options.ce.tun_mtu > frame->tun_max_mtu)
+ {
+ msg(D_PUSH_ERRORS, "Server pushed a large mtu, please add "
+ "tun-mtu-max %d in the client configuration",
+ c->options.ce.tun_mtu);
+ }
+ frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
+ }
+
return true;
}
@@ -2635,10 +2655,16 @@ frame_finalize_options(struct context *c, const struct
options *o)
struct frame *frame = &c->c2.frame;
frame->tun_mtu = get_frame_mtu(c, o);
+ frame->tun_max_mtu = o->ce.tun_mtu_max;
+
+ /* max mtu needs to be at least as large as the tun mtu */
+ frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
- /* We always allow at least 1500 MTU packets to be received in our buffer
- * space */
- size_t payload_size = max_int(1500, frame->tun_mtu);
+ /* We always allow at least 1600 MTU packets to be received in our buffer
+ * space to allow server to push "baby giant" MTU sizes */
+ frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu);
+
+ size_t payload_size = frame->tun_max_mtu;
/* we need to be also large enough to hold larger control channel packets
* if configured */
@@ -2650,9 +2676,9 @@ frame_finalize_options(struct context *c, const struct
options *o)
payload_size += o->ce.tun_mtu_extra;
}
- /* Add 100 byte of extra space in the buffer to account for slightly
- * mismatched MUTs between peers */
- payload_size += 100;
+ /* Add 32 byte of extra space in the buffer to account for small errors
+ * in the calculation */
+ payload_size += 32;
/* the space that is reserved before the payload to add extra headers to it
@@ -3215,6 +3241,10 @@ do_init_frame_tls(struct context *c)
c->c2.frame.buf.payload_size);
frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
"Control Channel MTU parms");
+
+ /* Keep the max mtu also in the frame of tls multi so it can access
+ * it in push_peer_info */
+ c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
}
if (c->c2.tls_auth_standalone)
{
diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c
index f60f48534..a74a08153 100644
--- a/src/openvpn/mtu.c
+++ b/src/openvpn/mtu.c
@@ -222,6 +222,7 @@ frame_print(const struct frame *frame,
buf_printf(&out, " max_frag:%d", frame->max_fragment_size);
#endif
buf_printf(&out, " tun_mtu:%d", frame->tun_mtu);
+ buf_printf(&out, " tun_max_mtu:%d", frame->tun_max_mtu);
buf_printf(&out, " headroom:%d", frame->buf.headroom);
buf_printf(&out, " payload:%d", frame->buf.payload_size);
buf_printf(&out, " tailroom:%d", frame->buf.tailroom);
diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h
index 370806fb5..badb3a6a8 100644
--- a/src/openvpn/mtu.h
+++ b/src/openvpn/mtu.h
@@ -138,6 +138,9 @@ struct frame {
* control frame payload (although most of
* code ignores it)
*/
+ int tun_max_mtu; /**< the maximum tun-mtu size the buffers are
+ * are sized for. This is the upper bound
that
+ * a server can push as MTU */
int extra_tun; /**< Maximum number of bytes in excess of
* the tun/tap MTU that might be read
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8027c572f..235d1f6cd 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6449,10 +6449,23 @@ add_option(struct options *options,
}
else if (streq(p[0], "tun-mtu") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
options->ce.tun_mtu = positive_atoi(p[1]);
options->ce.tun_mtu_defined = true;
}
+ else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ int max_mtu = positive_atoi(p[1]);
+ if (max_mtu < 68 || max_mtu > 65536)
+ {
+ msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
+ }
+ else
+ {
+ options->ce.tun_mtu_max = max_mtu;
+ }
+ }
else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index b165ee5b7..a2bc13a1c 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -118,6 +118,8 @@ struct connection_entry
const char *socks_proxy_authfile;
int tun_mtu; /* MTU of tun device */
+ int tun_mtu_max; /* maximum MTU that can be pushed */
+
bool tun_mtu_defined; /* true if user overriding parm with command line
option */
int tun_mtu_extra;
bool tun_mtu_extra_defined;
@@ -730,6 +732,7 @@ struct options
#define OPT_P_CONNECTION (1<<27)
#define OPT_P_PEER_ID (1<<28)
#define OPT_P_INLINE (1<<29)
+#define OPT_P_PUSH_MTU (1<<30)
#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 31bea2b23..443613096 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2061,6 +2061,9 @@ push_peer_info(struct buffer *buf, struct tls_session
*session)
/* support for AUTH_FAIL,TEMP control message */
iv_proto |= IV_PROTO_AUTH_FAIL_TEMP;
+
+ /* support for tun-mtu as part of the push message */
+ buf_printf(&out, "IV_MTU=%d\n", session->opt->frame.tun_max_mtu);
}
/* support for Negotiable Crypto Parameters */
--
2.37.0 (Apple Git-136)
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
