I'm using Debian 12 Bookworm with OpenVPN 2.6.3 on the server and Arch
Linux with OpenVPN 2.6.5 [git:makepkg/cbc9e0ce412e7b42+] on the client.
This is the server config (I need a Layer 2 tunnel unfortunately):
port 1194
proto udp
dev tapvpn
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh none
ifconfig-pool-persist /var/log/openvpn/ipp.txt
server-bridge 192.168.2.1 255.255.255.0 192.168.2.230 192.168.2.239
keepalive 10 120
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
I create the tap device with NetworkManager:
nmcli connection add type tun ifname tapvpn con-name tapvpn \
    slave-type bridge master brCasa mode tap
# ip link show brCasa
5: brCasa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP mode DEFAULT group default qlen 1000
link/ether 96:34:13:ae:ba:dc brd ff:ff:ff:ff:ff:ff
# ip link show tapvpn
11: tapvpn: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
master brCasa state UP mode DEFAULT group default qlen 1000
link/ether fa:44:69:d1:c0:c7 brd ff:ff:ff:ff:ff:ff
This is the client config:
client
dev tap
proto udp
remote PUBLICIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/niko-casa.crt
key /etc/openvpn/client/niko-casa.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
$ ip link show tap0
85: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
state UNKNOWN mode DEFAULT group default qlen 1000
link/ether c2:bf:c5:45:7f:65 brd ff:ff:ff:ff:ff:ff
The server is connected to the internet via PPPoE (mtu 1492) and the
client is connected via PPPoE as well.
Today the best IPv6 ping I can get through without fragmentation has a
packet size of 1346:
$ ping -6 -M do -s 1346 -c 1 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 1346 data bytes
76 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=120 (truncated)
--- 2001:4860:4860::8888 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 57.377/57.377/57.377/0.000 ms
Yesterday I was able to achieve a packet size of 1452 for unknown
reasons.
Any idea why it might be worse today? It's the same client on the same
connection.
Anyway, I've added mtu-test to both the client and the server, and this is
the result (from the client logs):
NOTE: Empirical MTU test completed [Tried,Actual]
local->remote=[1556,426] remote->local=[1556,326]
I'm not sure how to read this, but for sure it's a completely different
value than the ping max packet size.
If I add fragment 1500 and mssfix to both the server and the client, this
is the new mtu-test result from the client's perspective:
NOTE: Empirical MTU test completed [Tried,Actual]
local->remote=[1222,792] remote->local=[1222,792]
Now the max packet size I can get through for pings is:
$ ping -6 -M do -s 1342 -c 1 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 1342 data bytes
76 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=120 (truncated)
--- 2001:4860:4860::8888 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 57.531/57.531/57.531/0.000 ms
Yesterday I was getting a higher packet size with fragment 1500, while
today it's slightly lower, so I'm a bit confused.
I really don't understand what value I should put in fragment, and the
fact that things change on a day-to-day basis with apparently no reason
makes everything even more difficult to understand.
Thanks,
Niccolo'
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
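The post probes the path MTU by hand with `ping -6 -M do -s <size>` and then guesses a `fragment` value. The script below is an added example, not code from the post or from the OpenVPN project: it automates the same don't-fragment probe with a binary search, converts the largest answered payload into the on-wire packet size (payload + 8 bytes ICMPv6 + 40 bytes IPv6, so the post's 1346 bytes means a 1394-byte path), and emits `fragment`/`mssfix` lines using the `mtu` suffix that OpenVPN 2.6 accepts, which measures the limit as the whole outer IP packet so no overhead arithmetic is needed. The live `ping_probe` is a thin wrapper around the same `ping` invocation and needs a network; the demo uses a constructed simulated path instead. It assumes the IPv6 path you probe has the same MTU as the UDP path to the VPN server, which is not guaranteed (the post's `remote PUBLICIP` may well be IPv4), so treat the result as a starting point to confirm against the server address itself.

```python
"""Path-MTU probing with `ping -M do` and turning the result into OpenVPN 2.6
`fragment`/`mssfix` values (added example, not part of the original post)."""
import subprocess
from typing import Callable, List

# Header sizes used to turn a `ping -s` data size into the on-wire packet size.
IPV6_HDR = 40   # fixed IPv6 header
IPV4_HDR = 20   # IPv4 header without options
ICMP_HDR = 8    # ICMPv6 / ICMPv4 echo header


def ping_probe(host: str, payload: int, ipv6: bool = True, timeout_s: int = 2) -> bool:
    """Send one don't-fragment echo with `payload` data bytes; True if it is answered.

    Same probe as `ping -6 -M do -s <payload> -c 1 <host>` from the post. Needs
    network access; the offline demo below injects a simulated probe instead.
    """
    cmd = ["ping", "-6" if ipv6 else "-4", "-M", "do", "-s", str(payload),
           "-c", "1", "-W", str(timeout_s), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1500) -> int:
    """Binary-search the largest payload in [lo, hi] that probe() accepts.

    Assumes the probe is monotonic: every size up to the path MTU succeeds and
    every larger size fails. Returns -1 when even `lo` fails (host unreachable
    or ICMP filtered), so a dead path is never mistaken for a tiny MTU.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_ping_payload(payload: int, ipv6: bool = True) -> int:
    """On-wire IP packet size for a `ping -s payload` probe, i.e. the path MTU."""
    return payload + ICMP_HDR + (IPV6_HDR if ipv6 else IPV4_HDR)


def simulated_probe(path_mtu: int, ipv6: bool = True) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe: succeeds while the packet fits path_mtu."""
    return lambda payload: path_mtu_from_ping_payload(payload, ipv6) <= path_mtu


def openvpn_mtu_lines(path_mtu: int) -> List[str]:
    """Config lines sized to path_mtu.

    With the `mtu` suffix (OpenVPN 2.6), `fragment` and `mssfix` are measured as
    the full outer IP packet, so the path MTU is used directly instead of
    hand-subtracting IP/UDP/OpenVPN overhead. Assumption: the probed path has
    the same MTU as the UDP path to the VPN server.
    """
    return [f"fragment {path_mtu} mtu", f"mssfix {path_mtu} mtu"]


if __name__ == "__main__":
    # Offline demo on a constructed path whose MTU is 1394 bytes, the value
    # implied by the post's 1346-byte IPv6 ping (1346 + 8 + 40).
    probe = simulated_probe(1394)
    best = find_max_payload(probe)
    mtu = path_mtu_from_ping_payload(best)
    print(f"largest DF payload: {best}, path MTU: {mtu}")
    for line in openvpn_mtu_lines(mtu):
        print(line)
    # Live use (needs network):
    # find_max_payload(lambda n: ping_probe("2001:4860:4860::8888", n))
```

Run it twice on different days, as the post did: if `find_max_payload` against the live probe moves between runs, the path itself is changing (a different upstream route or a tunnel hop that appeared), and no fixed `fragment` value will be right on both days; pick the smaller figure, or use the `mtu-test` result only after the path has been stable.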