------- Original Message -------
On Friday, July 28th, 2023 at 14:52, Niccolò Belli <darkba...@linuxsystems.it> wrote:

> On 2023-07-24 13:23 tincantech wrote:
>
> > If your PMTU is changing "on a daily basis" then you should probably
> > report that as a fault to your Internet Service Provider(s).
>
>
> Forgot what I've written before: I've done many more tests and apparently
> my connection(s)' MTU is not changing but something else is going on
> with openvpn.

My analysis of your test data reduces to the following comment:

Personally, I do not consider Google to be a valid target to test against.

root@home ~ # ping -M do -s 1252 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 1252(1280) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3003ms

root@home ~ # ping -M do -s 1252 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 1252(1280) bytes of data.
1260 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=13.5 ms
1260 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=13.1 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 13.142/13.312/13.482/0.170 ms

I'll leave that hanging ...

The value of PMTU, or Path MTU, is really only valid between
your source location and your destination location. Testing
against a third party is less valid, as seen above.

However, considering the data you have posted, I think OpenVPN
has documented the most simple solution.

The example given is to use these options:
--tun-mtu 1500 --fragment 1300 --mssfix

If you are confident that you have established the genuine PMTU
between your client and server then adjust the --tun-mtu value
as you see fit. Then, starting with the --fragment value given,
adjust --fragment until you establish the likely maximum.

With regard to your multi-path tests, it's complicated and above
my pay grade.

Regards
--

>
> From the server:
>
> # traceroute --mtu 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 65000 byte packets
> 1 16.806 ms F=1492 16.665 ms 16.546 ms
> 2 16.304 ms 16.381 ms 16.289 ms
> 3 16.488 ms 16.550 ms 16.091 ms
> 4 17.593 ms 16.074 ms 16.125 ms
> 5 17.159 ms 74.125.245.241 (74.125.245.241) 17.205 ms 17.850 ms
> 6 16.904 ms 142.250.211.23 (142.250.211.23) 16.462 ms
>   142.251.235.175 (142.251.235.175) 16.407 ms
> 7 dns.google (8.8.8.8) 16.685 ms 16.334 ms 16.434 ms
>
> The server has an MTU of 1492 and I can confirm it with the following:
> ping -M do -s 1464 -c 1 8.8.8.8 //OK
> 1464 + 28 (20 bytes for the IPv4 header and 8 bytes for the ICMP header)
> = 1492
>
> My primary Tiscali connection which I use for the client has an MTU of
> 1460:
> ping -M do -s 1432 -c 1 8.8.8.8 //OK
> (1432+28=1460)
>
> If I connect with the Tiscali client and try to ping over the tunnel I
> get to an MTU of 1394 for the tunnel:
> ping -M do -s 1366 -c 1 192.168.2.1 //OK
> (1366+28=1394)
>
> So I guess that the encryption overhead accounts for 66 bytes
> (1460-1394=66).
>
> The Tiscali connection (which is a 200Mbps/20Mbps FTTC) is weird in my
> opinion, because the PPPoE header should be 8 bytes and that should
> translate to a 1492 MTU, not 1460.
> Also apparently a traceroute --mtu suggests 1492 as well, but there are
> only asterisks which is even weirder:
>
> # traceroute --mtu 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 65000 byte packets
> 1 _gateway (192.168.1.1) 1.219 ms F=1500 0.876 ms 0.986 ms
> 2 * F=1492 * *
> 3 * * *
> 4 * * *
> 5 * * *
> 6 * * *
> 7 * * *
> 8 * * *
> 9 * * *
> 10 * * *
> 11 * * *
> 12 * * *
> 13 * * *
> 14 * * *
> 15 * * *
> 16 * * *
> 17 * * *
> 18 * * *
> 19 * * *
> 20 * * *
> [...]
>
> So I decided to try connecting to my openvpn server from an Iliad
> hotspot, which under normal circumstances has an MTU of 1420:
>
> # traceroute --mtu 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 65000 byte packets
> 1 _gateway (192.168.61.7) 2.465 ms F=1500 2.290 ms 2.329 ms
> 2 * F=1420 * *
> 3 * 192.168.3.14 (192.168.3.14) 87.831 ms 56.965 ms
> 4 192.168.255.3 (192.168.255.3) 55.863 ms 55.182 ms 54.250 ms
> 5 66.312 ms 64.891 ms 63.330 ms
> 6 54.089 ms 51.763 ms *
> 7 64.521 ms 71.594 ms 59.795 ms
> 8 54.797 ms 71.373 ms 69.394 ms
> 9 * * *
> 10 dns.google (8.8.8.8) 68.258 ms 69.061 ms 142.250.211.30
>    (142.250.211.30) 64.794 ms
>
> ping -M do -s 1392 -c 1 8.8.8.8 //OK
> (1392+28=1420)
>
> Traceroute seems to work via the Iliad connection.
>
> Which payload size would you expect me to be able to ping over the
> openvpn tunnel?
>
> If you guessed 1392-66=1326 you would be wrong. I can get up to the full
> 1500 MTU:
> ping -M do -s 1472 -c 1 192.168.2.1 //OK
> (1472+28=1500)
>
> This is WITHOUT fragment being set. In fact I use the very config I
> previously used with the Tiscali connection on the same laptop.
>
> I've double checked switching between Tiscali and Iliad multiple times.
>
> What's happening? Is fragment being silently enabled? Why only on the
> Iliad connection? Traceroute somehow not working on Tiscali might be at
> play here.
>
> Niccolo'
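Added example, not part of the thread above: the manual "ping -M do -s N" probing from the messages, automated as a binary search for the largest ICMP payload that passes with "don't fragment" set, so it can be pointed at the VPN server's own address and at the tunnel address rather than at a third party. The function names and the PROBE override (a hook for testing without a network) are assumptions of this sketch; -M do, -s and -c are the ping options used in the thread, and -W is the iputils reply timeout.

```shell
#!/bin/sh
# Added example: find the largest DF-flagged ICMP payload a host answers,
# then convert it to a path MTU with the +28 arithmetic used in the thread.

# probe HOST SIZE: true if one ping carrying SIZE payload bytes with
# "don't fragment" set gets a reply (Linux iputils ping).
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Hypothetical hook: name of the command used to probe, taking HOST SIZE.
PROBE=${PROBE:-probe}

# max_payload HOST [LOW] [HIGH]: print the largest payload in LOW..HIGH
# that passes. Returns 1 if even LOW gets no reply (host down or ICMP
# filtered), so a dead target is not reported as a tiny MTU.
max_payload() {
    host=$1 lo=${2:-0} hi=${3:-1472}   # 1472 + 28 = 1500, Ethernet MTU
    "$PROBE" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$PROBE" "$host" "$mid"; then
            lo=$mid                    # mid fits: answer is mid or larger
        else
            hi=$(( mid - 1 ))          # mid dropped: answer is smaller
        fi
    done
    echo "$lo"
}

# path_mtu HOST: payload + 20 bytes IPv4 header + 8 bytes ICMP header.
path_mtu() {
    p=$(max_payload "$1") || return 1
    echo $(( p + 28 ))
}

# Stand-alone use: ./pmtu.sh <vpn-server-address>
if [ "$#" -gt 0 ]; then
    path_mtu "$1" || echo "no reply from $1 even at the smallest size" >&2
fi
```

Running it once against the server's public address and once against the tunnel address (192.168.2.1 in the thread) gives the two figures whose difference the original poster computed by hand.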
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users