Hi,

On Thu, Mar 11, 2021 at 03:25:25PM +0000, tincanteksup wrote:
> I was expecting that openvpn configure MSS at the IP level so
> that only the kernel manages that side of the packet creation.

This is hard to impossible for "locally created TCP sessions", and
totally impossible for TCP sessions passing through OpenVPN as a router.

> However, the above does match what I find:
>
> With
> --ncp-disable --cipher AES-256-CBC --mssfix 1280 NO --fragment
>
> Sender:
> 14:38:26.920435 IP 10.33.20.26.49268 > 10.33.20.1.80: Flags [S], seq
> 1427850990, win 64240, options [mss 1460,sackOK,TS val 3860999194 ecr
> 0,nop,wscale 6], length 0

This is the kernel MSS.

> 14:38:26.922145 IP 10.33.20.1.80 > 10.33.20.26.49268: Flags [S.], seq
> 1973493569, ack 1427850991, win 65160, options [mss 1115,sackOK,TS val
> 329730242

This is the SYN ACK coming back, also subject to MSS manipulation.

> Receiver:
> 14:38:26.967006 IP 10.33.20.26.49268 > 10.33.20.1.80: Flags [S], seq
> 1427850990, win 64240, options [mss 1115,sackOK,TS val 3860999194 ecr
> 0,nop,wscale 6], length 0

This is the original SYN, after OpenVPN manipulated it.

> 14:38:26.967037 IP 10.33.20.1.80 > 10.33.20.26.49268: Flags [S.], seq
> 1973493569, ack 1427850991, win 65160, options [mss 1460,sackOK,TS val
> 3297302424 ecr 3860999194,nop,wscale 7], length 0

This is the SYN ACK, before OpenVPN got its hand on it.

> Both ends create a packet with mss 1460
> Both end receive a packet with mss 1115

Yes: because packet creation is "before OpenVPN got its hands on it",
and reception is "after OpenVPN".

(Now 1115 hints at "something isn't counting right", but it could be
that with peer-id we indeed end up with an odd number of bytes for the
per-packet overhead)

> Instead, using only --link-mtu 1280 + --ncp-disable
>
> Sender:
> 14:51:29.642213 IP 10.33.20.6.52306 > 10.33.20.1.80: Flags [S], seq
> 3997192232, win 64670, options [mss 1115,sackOK,TS val 69514149 ecr
> 0,nop,wscale 6], length 0

This is interesting. But it could be a caching effect (kernel learns
the other end wants 1115, so remembers this).

gert
--
"If was one thing all people took for granted, was conviction that if
 you feed honest figures into a computer, honest figures come out. Never
 doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                     g...@greenie.muc.de
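
Added example, not part of the message above and not OpenVPN's code: a sketch of the in-transit SYN rewriting the traces show, where the MSS option drops from 1460 to 1115 and the TCP checksum has to be patched to match. The function names and the `max_mss` parameter are assumptions; the sample segment is constructed from the values in the quoted sender trace.

```python
# Illustration only: names and max_mss are assumptions, not OpenVPN's implementation.
import socket
import struct

def fold(s: int) -> int:
    """Fold carries back into 16 bits (one's-complement addition)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp_checksum(src: str, dst: str, seg: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header and segment (RFC 1071)."""
    data = (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, len(seg)) + seg[:16] + b"\0\0" + seg[18:])
    data += b"\0" * (len(data) % 2)
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def clamp_mss(seg: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN/SYN-ACK segment to max_mss, patching the checksum."""
    if len(seg) < 20 or not seg[13] & 0x02:          # too short, or SYN flag not set
        return seg
    hdr_len = (seg[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(seg):           # bogus data offset
        return seg
    i = 20
    while i < hdr_len and seg[i] != 0:               # kind 0 = end of option list
        if seg[i] == 1:                              # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= hdr_len or seg[i + 1] < 2 or i + seg[i + 1] > hdr_len:
            return seg                               # malformed option: leave untouched
        if seg[i] == 2 and seg[i + 1] == 4 and struct.unpack_from("!H", seg, i + 2)[0] > max_mss:
            out = bytearray(seg)
            struct.pack_into("!H", out, i + 2, max_mss)
            # RFC 1624 incremental update over the aligned 16-bit words that changed
            s = ~struct.unpack_from("!H", seg, 16)[0] & 0xFFFF
            for off in range((i + 2) & ~1, i + 4, 2):
                s += (~struct.unpack_from("!H", seg, off)[0] & 0xFFFF) + struct.unpack_from("!H", out, off)[0]
            struct.pack_into("!H", out, 16, ~fold(s) & 0xFFFF)
            return bytes(out)
        i += seg[i + 1]
    return seg

def sample_syn(mss: int = 1460) -> bytes:
    """Constructed SYN modelled on the sender trace above, with a valid checksum."""
    opts = (struct.pack("!BBH", 2, 4, mss) + b"\x04\x02"
            + struct.pack("!BBII", 8, 10, 3860999194, 0) + b"\x01\x03\x03\x06")
    seg = struct.pack("!HHIIBBHHH", 49268, 80, 1427850990, 0, 0xA0, 0x02, 64240, 0, 0) + opts
    return seg[:16] + struct.pack("!H", tcp_checksum("10.33.20.26", "10.33.20.1", seg)) + seg[18:]
```

`clamp_mss(sample_syn(), 1115)` returns the segment as the receiver trace shows it: same ports, sequence number and timestamps, MSS 1115, and a checksum that still verifies against a full recomputation.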