Hi Antonio,

On macOS, ICMP Fragmentation Needed messages only work for the TCP protocol.
They are never delivered to any UDP application. For this reason, sending ICMP 
messages is useless for anything other than TCP on macOS.

But the main problem here is that the mssfix OpenVPN config option was intended 
to manipulate solely the MSS parameter in TCP SYN packets and nothing else. It's 
a completely valid approach to configure OpenVPN to send TCP traffic without 
fragmentation by reducing MSS, but allow full 1500-byte packets for UDP and 
other protocols.

To prevent fragmentation for *all* protocols, tun-mtu should be lowered 
instead. But for an unknown reason, OpenVPN Connect tries to (ab)use a 
completely unrelated config option to achieve the same effect. Unfortunately, 
its implementation is not suitable for all operating systems.


With kind regards,
MD


On Tue, 3 Sep 2024 15:53:36 +0200, Antonio Quartulli wrote
> Hi Marian,
> 
> I am back on this topic.
> 
> On 17/05/2024 08:10, Marian Ďurkovič wrote:
> 
> [...]
> 
> > Perhaps someone from this group could explain to OpenVPN Connect 
> > developers, that breaking OpenVPN and basic networking principles is never 
> > a good idea...
> 
> since QUIC packets come with the DF bit set and OpenVPN is sending 
> back an ICMP packet-too-big, why isn't QUIC just handling that? It 
> seems QUIC is ignoring the ICMP message?
> 
> You said OpenVPN Connect is blackholing the packets, but it is 
> actually sending the ICMP back, so I don't think it can truly be 
> considered as such. Wouldn't you agree?
> 
> Cheers,
> 
> -- 
> Antonio Quartulli



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
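
Added example (not part of the original message and not OpenVPN's own code): a minimal sketch of the MSS clamping that the message says mssfix was intended for, showing that only the MSS option of a TCP SYN is rewritten while a full-size UDP packet passes unchanged. The function names, the max_mss parameter and the sample packets are assumptions made for illustration.

```python
import struct

TCP, UDP, SYN = 6, 17, 0x02  # IP protocol numbers and the TCP SYN flag bit

def inet_csum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def tcp_csum(ip: bytes, seg: bytes) -> int:  # IPv4 pseudo-header + TCP segment
    return inet_csum(ip[12:20] + struct.pack("!BBH", 0, TCP, len(seg)) + seg)

def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of an IPv4 TCP SYN; return every other packet unchanged."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != TCP or pkt[6] & 0x1F or pkt[7]:
        return pkt  # UDP (e.g. QUIC), ICMP, non-first fragments: never touched
    ihl = (pkt[0] & 0x0F) * 4
    seg = bytearray(pkt[ihl:])
    if len(seg) < 20 or not seg[13] & SYN:
        return pkt  # MSS is only carried in SYN and SYN-ACK segments
    i, end = 20, min((seg[12] >> 4) * 4, len(seg))
    while i < end and seg[i] != 0:          # kind 0 ends the option list
        if seg[i] == 1:                     # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            return pkt                      # malformed option: leave the packet alone
        if seg[i] == 2 and seg[i + 1] == 4: # MSS option: kind 2, length 4
            if struct.unpack("!H", seg[i + 2:i + 4])[0] > max_mss:
                seg[i + 2:i + 4], seg[16:18] = struct.pack("!H", max_mss), b"\x00\x00"
                seg[16:18] = struct.pack("!H", tcp_csum(pkt, bytes(seg)))
            break
        i += seg[i + 1]
    return pkt[:ihl] + bytes(seg)

def sample_packet(proto: int, l4: bytes) -> bytes:
    """Constructed IPv4 packet with DF set (documentation addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", inet_csum(hdr)) + hdr[12:] + l4

def sample_syn(mss: int) -> bytes:  # constructed SYN: MSS, NOP, NOP, SACK-permitted
    seg = struct.pack("!HHIIBBHHHBBH4B", 40000, 443, 1, 0, 0x70, SYN, 65535, 0, 0,
                      2, 4, mss, 1, 1, 4, 2)
    pkt = sample_packet(TCP, seg)
    return pkt[:36] + struct.pack("!H", tcp_csum(pkt, seg)) + pkt[38:]
```

A 1500-byte UDP packet with DF set comes back byte-for-byte identical, which is why clamping MSS alone leaves the path MTU problem for UDP and other protocols to tun-mtu.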
