Re: [Openvpn-users] Fragment
Eh-up Chuck!

On 09/03/2021 19:03, Gert Doering wrote:
> Hi,
>
> On Tue, Mar 09, 2021 at 07:55:11PM +0100, David Sommerseth wrote:
> > What I suspect Gert meant was that you can add it in the client config
> > on the clients - and each client config may have different --mssfix values.
>
> Actually I thought you could have it in ccd/ files (et al) on the server.
> Seems I was wrong there.
>
> There is no technical reason why one couldn't have different MSS settings
> for different clients - but it comes at an implementation cost (copy
> settings to the per-client context setting, etc.), which is quite likely
> why it was never done.
>
> I *do* think it is pushable (might be wrong again...) *and* since it does
> not matter whether --mssfix is operating on the client or server (it will
> manipulate both incoming and outgoing TCP SYN and SYN ACKs, so it is fully
> symmetric) - if you want lower limits for particular clients, it could be
> pushed. Or if I'm wrong again, put into the client config.
>
> (--mssfix does not need to be identical on client and server, or even set
> on both ends. The lower value "wins")

Moments after sending I thought to myself: I bet Gert means it can simply
be set in the client config ;-)

Even so, the term "per-client basis", in the context of openvpn, is
probably more widely understood to mean "a CCD configurable option".

Generally, I use the term "non-symmetric" for things which can be
configured on only one side.

FTR: push "mssfix 1280" is also rejected by the client:

2021-03-09 19:33:20 us=365176 Options error: option 'mssfix' cannot be used in this context ([PUSH-OPTIONS])

R

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Fragment
Hi,

On Tue, Mar 09, 2021 at 07:55:11PM +0100, David Sommerseth wrote:
> What I suspect Gert meant was that you can add it in the client config
> on the clients - and each client config may have different --mssfix values.

Actually I thought you could have it in ccd/ files (et al) on the server.
Seems I was wrong there.

There is no technical reason why one couldn't have different MSS settings
for different clients - but it comes at an implementation cost (copy
settings to the per-client context setting, etc.), which is quite likely
why it was never done.

I *do* think it is pushable (might be wrong again...) *and* since it does
not matter whether --mssfix is operating on the client or server (it will
manipulate both incoming and outgoing TCP SYN and SYN ACKs, so it is fully
symmetric) - if you want lower limits for particular clients, it could be
pushed. Or if I'm wrong again, put into the client config.

(--mssfix does not need to be identical on client and server, or even set
on both ends. The lower value "wins")

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Fragment
On 09/03/2021 19:51, tincanteksup wrote:
> Hi,
>
> On 05/03/2021 18:43, Gert Doering wrote:
> > Hi,
> >
> > On Fri, Mar 05, 2021 at 06:20:54PM +, tincanteksup wrote:
> > > All other clients behave normally but they do not use --fragment or --mssfix.
> >
> > It should be, but I'm not sure if --fragment can be set on a per-client
> > basis (yet)... --mssfix can be set on a per-client basis
>
> FTR: --mssfix can *not* be set on a per-client basis, my log:
>
> 2021-03-09 18:45:25 us=933178 tct.66.c.w7e/10.10.201.107:58670 OPTIONS IMPORT: reading client specific options from: tuns_12666u/CCD_net30/tct.66.c.w7e
> 2021-03-09 18:45:25 us=933308 tct.66.c.w7e/10.10.201.107:58670 Options error: option 'mssfix' cannot be used in this context (tuns_12666u/CCD_net30/tct.66.c.w7e)
>
> Server is:
> OpenVPN 2.6_git [git:master/a4eeef17b20541a7] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 13 2020

What I suspect Gert meant was that you can add it in the client config
on the clients - and each client config may have different --mssfix values.

-- 
kind regards,

David Sommerseth
OpenVPN Inc
Re: [Openvpn-users] Fragment
Hi,

On 05/03/2021 18:43, Gert Doering wrote:
> Hi,
>
> On Fri, Mar 05, 2021 at 06:20:54PM +, tincanteksup wrote:
> > All other clients behave normally but they do not use --fragment or --mssfix.
>
> It should be, but I'm not sure if --fragment can be set on a per-client
> basis (yet)... --mssfix can be set on a per-client basis

FTR: --mssfix can *not* be set on a per-client basis, my log:

2021-03-09 18:45:25 us=933178 tct.66.c.w7e/10.10.201.107:58670 OPTIONS IMPORT: reading client specific options from: tuns_12666u/CCD_net30/tct.66.c.w7e
2021-03-09 18:45:25 us=933308 tct.66.c.w7e/10.10.201.107:58670 Options error: option 'mssfix' cannot be used in this context (tuns_12666u/CCD_net30/tct.66.c.w7e)

Server is:
OpenVPN 2.6_git [git:master/a4eeef17b20541a7] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 13 2020
Re: [Openvpn-users] mssfix set to zero
On Tue, Mar 09, 2021 at 04:48:43PM +0100, Gert Doering wrote:
> No. The code in question is not OS dependent (forward.c, mss.c, no
> #ifdef _WIN32 anywhere close to "mss").

Some background: Actually, OpenVPN acts here as a firewall with inspection
and mangling, as far as I understand, modifying packets as they flow.

This is the equivalent of Linux iptables --clamp-mss-to-pmtu, except this
autodetects from the interface, and OpenVPN probably subtracts some more
headers (its headers) from the total.

Normally, the MSS is set during the initial TCP connection opening (the
client sets one, the server sets one). Only by changing the TCP MSS
on-the-fly can OpenVPN make the client side, respectively the server side,
respect the maximum possible MTU.

Obviously this has no impact on UDP traffic.
Re: [Openvpn-users] mssfix set to zero
Thanks Gert, interesting ways indeed!

On 09/03/2021 15:48, Gert Doering wrote:
> Hi,
>
> On Tue, Mar 09, 2021 at 03:33:56PM +, tincanteksup wrote:
> > what is the final effect of using `--mssfix 0` in a client config ?
> >
> > What I mean is, how would openvpn interpret this and what would it tell
> > the TCP stack ?
> >
> > I don't need to know about MSS, I just want to know what openvpn would
> > do with a setting of 0.
>
> I would expect things to break in most interesting ways.
>
> From what I can see, the code does not enforce a minimum value, but isn't
> directly *using* that value either. It will be modified by this macro
>
>   mss_fixup_ipv6(&ipbuf, MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame)));
>
> to figure out the final MSS value to put into the TCP SYN/SYN ACK packets.
>
> Since "0" is the expected *outer* maximum, the net result is likely
> something negative, which will end up as a large positive number in the
> 16 bit MSS field.
>
> Run tcpdump/wireshark and find out :-)
>
> > Also, would openvpn behave differently on *nix vs Windows with this
> > setting.
>
> No. The code in question is not OS dependent (forward.c, mss.c, no
> #ifdef _WIN32 anywhere close to "mss").
>
> gert
Re: [Openvpn-users] mssfix set to zero
Hi,

On Tue, Mar 09, 2021 at 03:33:56PM +, tincanteksup wrote:
> what is the final effect of using `--mssfix 0` in a client config ?
>
> What I mean is, how would openvpn interpret this and what would it tell
> the TCP stack ?
>
> I don't need to know about MSS, I just want to know what openvpn would
> do with a setting of 0.

I would expect things to break in most interesting ways.

From what I can see, the code does not enforce a minimum value, but isn't
directly *using* that value either. It will be modified by this macro

  mss_fixup_ipv6(&ipbuf, MTU_TO_MSS(TUN_MTU_SIZE_DYNAMIC(&c->c2.frame)));

to figure out the final MSS value to put into the TCP SYN/SYN ACK packets.

Since "0" is the expected *outer* maximum, the net result is likely
something negative, which will end up as a large positive number in the
16 bit MSS field.

Run tcpdump/wireshark and find out :-)

> Also, would openvpn behave differently on *nix vs Windows with this
> setting.

No. The code in question is not OS dependent (forward.c, mss.c, no
#ifdef _WIN32 anywhere close to "mss").

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             g...@greenie.muc.de
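Added example, not OpenVPN's own code: a small Python model of the SYN-option rewriting that Gert's reply and the "firewall with mangling" reply above describe. It walks a constructed TCP SYN, lowers the MSS option when it exceeds the limit, patches the checksum incrementally, and shows the --mssfix 0 case, where the negative limit wraps to a large value in the 16-bit field. MTU_TO_MSS is modelled as the MTU minus 40 header bytes; that, and the constructed SYN, are assumptions.

```python
import struct

IP_HDR, TCP_HDR = 20, 20  # IPv4 + TCP headers without options

def mtu_to_mss(tun_mtu: int) -> int:
    # Models MTU_TO_MSS from the thread; assumption: exactly 40 header bytes.
    return tun_mtu - IP_HDR - TCP_HDR

def _mss_option_offset(seg: bytes):
    """Offset of the 2-byte MSS value in a SYN/SYN-ACK's options, or None."""
    if len(seg) < TCP_HDR or not seg[13] & 0x02:  # MSS only travels on SYN
        return None
    data_off, i = min((seg[12] >> 4) * 4, len(seg)), TCP_HDR
    while i + 1 < data_off:
        kind, length = seg[i], seg[i + 1]
        if kind == 0:                 # end of option list
            return None
        if kind == 1:                 # NOP is a single byte
            i += 1
            continue
        if length < 2:                # malformed option: leave packet alone
            return None
        if kind == 2 and length == 4 and i + 4 <= data_off:
            return i + 2
        i += length
    return None

def read_mss(seg: bytes):
    off = _mss_option_offset(seg)
    return None if off is None else struct.unpack_from("!H", seg, off)[0]

def clamp_mss(seg: bytes, maxmss: int) -> bytes:
    """Lower the SYN's MSS option to maxmss if it is larger, fixing the checksum."""
    off = _mss_option_offset(seg)
    if off is None or struct.unpack_from("!H", seg, off)[0] <= maxmss:
        return seg
    old, out = struct.unpack_from("!H", seg, off)[0], bytearray(seg)
    new = maxmss & 0xFFFF             # 16-bit field: maxmss -40 wraps to 65496
    struct.pack_into("!H", out, off, new)
    csum = (~struct.unpack_from("!H", out, 16)[0] & 0xFFFF) + (~old & 0xFFFF) + new
    while csum >> 16:                 # RFC 1624 incremental checksum update
        csum = (csum & 0xFFFF) + (csum >> 16)
    struct.pack_into("!H", out, 16, ~csum & 0xFFFF)
    return bytes(out)

def build_syn(mss: int) -> bytes:
    """Constructed TCP SYN: ports 40000->443, data offset 6 words, MSS option only."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)
```

With a tun MTU of 1280 the SYN's MSS 1460 becomes 1240; with --mssfix 0 the limit is -40 and every SYN gets MSS 65496, which is the wraparound Gert predicts.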
[Openvpn-users] mssfix set to zero
Hi,

what is the final effect of using `--mssfix 0` in a client config ?

What I mean is, how would openvpn interpret this and what would it tell
the TCP stack ?

I don't need to know about MSS, I just want to know what openvpn would
do with a setting of 0.

Also, would openvpn behave differently on *nix vs Windows with this
setting.

Thanks.