Re: [PATCH v2] openvpn: Add MTU related options

2015-10-21 Thread Patrik Flykt

Hi,

On Wed, 2015-10-21 at 12:12 +0200, Daniel Wagner wrote:

> The use of the different MTU options depends on your server and link
> configuration. I don't think you can derive it. OpenVPN seems to offer
> an option to learn the MTU size by doing some measurements but that
> takes around 3 minutes according to the documentation. I recommend to just
> expose those options and let the user decide what he needs.

Well, now the problem is that I have no idea what to add as MTU values
if I need to... Sven's "documented" problem and solution was to use
--tun-mtu, if that is the max sized packet that can go through
unfragmented it looks like the only option one should specify. And
--fragment seems to be needed always in addition to any of the MTUs?
Unless it's the default behavior?

Cheers,

Patrik

___
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman


Re: [PATCH v2] openvpn: Add MTU related options

2015-10-21 Thread Daniel Wagner
On 10/21/2015 12:25 PM, Patrik Flykt wrote:
> On Wed, 2015-10-21 at 12:12 +0200, Daniel Wagner wrote:
> 
>> The use of the different MTU options depends on your server and link
>> configuration. I don't think you can derive it. OpenVPN seems to offer
>> an option to learn the MTU size by doing some measurements but that
>> takes around 3 minutes according to the documentation. I recommend to just
>> expose those options and let the user decide what he needs.
> 
> Well, now the problem is that I have no idea what to add as MTU values
> if I need to... Sven's "documented" problem and solution was to use
> --tun-mtu, if that is the max sized packet that can go through
> unfragmented it looks like the only option one should specify. And
> --fragment seems to be needed always in addition to any of the MTUs?
> Unless it's the default behavior?

I don't know if there is a sane MTU configuration setting for OpenVPN. I
reread the documentation several times and it seems you need to pick the
options according to your configuration.


Re: [PATCH v2] openvpn: Add MTU related options

2015-10-21 Thread Sven Schwedas
On 2015-10-21 12:30, Daniel Wagner wrote:
> On 10/21/2015 12:25 PM, Patrik Flykt wrote:
>> On Wed, 2015-10-21 at 12:12 +0200, Daniel Wagner wrote:
>>
>>> The use of the different MTU options depends on your server and link
>>> configuration. I don't think you can derive it. OpenVPN seems to offer
>>> an option to learn the MTU size by doing some measurements but that
>>> takes around 3 minutes according to the documentation. I recommend to just
>>> expose those options and let the user decide what he needs.
>>
>> Well, now the problem is that I have no idea what to add as MTU values
>> if I need to... Sven's "documented" problem and solution was to use
>> --tun-mtu, if that is the max sized packet that can go through
>> unfragmented it looks like the only option one should specify. And
>> --fragment seems to be needed always in addition to any of the MTUs?
>> Unless it's the default behavior?
> 
> I don't know if there is a sane MTU configuration setting for OpenVPN. I
> reread the documentation several times and it seems you need to pick the
> options according to your configuration.

Yeah. Those values are left alone for the large majority of deployments
and I've only seen them used to deal with wonky carriers in WWAN
deployments.

Personally, I'd be fine with using the OpenVPN.ConfigFile parameter for
the few cases I end up needing it. (And I'm not even sure whether we're
going to migrate to connman.)

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167
http://software.tao.at




Re: [PATCH v2] openvpn: Add MTU related options

2015-10-21 Thread Daniel Wagner
On 10/21/2015 12:45 PM, Sven Schwedas wrote:
> On 2015-10-21 12:30, Daniel Wagner wrote:
>> On 10/21/2015 12:25 PM, Patrik Flykt wrote:
>>> On Wed, 2015-10-21 at 12:12 +0200, Daniel Wagner wrote:
>>>
>>>> The use of the different MTU options depends on your server and link
>>>> configuration. I don't think you can derive it. OpenVPN seems to offer
>>>> an option to learn the MTU size by doing some measurements but that
>>>> takes around 3 minutes according to the documentation. I recommend to just
>>>> expose those options and let the user decide what he needs.
>>>
>>> Well, now the problem is that I have no idea what to add as MTU values
>>> if I need to... Sven's "documented" problem and solution was to use
>>> --tun-mtu, if that is the max sized packet that can go through
>>> unfragmented it looks like the only option one should specify. And
>>> --fragment seems to be needed always in addition to any of the MTUs?
>>> Unless it's the default behavior?
>>
>> I don't know if there is a sane MTU configuration setting for OpenVPN. I
>> reread the documentation several times and it seems you need to pick the
>> options according to your configuration.
> 
> Yeah. Those values are left alone for the large majority of deployments
> and I've only seen them used to deal with wonky carriers in WWAN
> deployments.
> 
> Personally, I'd be fine with using the OpenVPN.ConfigFile parameter for
> the few cases I end up needing it. (And I'm not even sure whether we're
> going to migrate to connman.)

Good point. I completely forgot about ConfigFile. So

OpenVPN.MTU 

should map to

--tun-mtu  --fragment

?


Re: [PATCH v2] openvpn: Add MTU related options

2015-10-21 Thread Sven Schwedas
On 2015-10-21 12:52, Daniel Wagner wrote:
> On 10/21/2015 12:45 PM, Sven Schwedas wrote:
>> On 2015-10-21 12:30, Daniel Wagner wrote:
>>> On 10/21/2015 12:25 PM, Patrik Flykt wrote:
>>>> On Wed, 2015-10-21 at 12:12 +0200, Daniel Wagner wrote:
>>>>
>>>>> The use of the different MTU options depends on your server and link
>>>>> configuration. I don't think you can derive it. OpenVPN seems to offer
>>>>> an option to learn the MTU size by doing some measurements but that
>>>>> takes around 3 minutes according to the documentation. I recommend to just
>>>>> expose those options and let the user decide what he needs.
>>>>
>>>> Well, now the problem is that I have no idea what to add as MTU values
>>>> if I need to... Sven's "documented" problem and solution was to use
>>>> --tun-mtu, if that is the max sized packet that can go through
>>>> unfragmented it looks like the only option one should specify. And
>>>> --fragment seems to be needed always in addition to any of the MTUs?
>>>> Unless it's the default behavior?
>>>
>>> I don't know if there is a sane MTU configuration setting for OpenVPN. I
>>> reread the documentation several times and it seems you need to pick the
>>> options according to your configuration.
>>
>> Yeah. Those values are left alone for the large majority of deployments
>> and I've only seen them used to deal with wonky carriers in WWAN
>> deployments.
>>
>> Personally, I'd be fine with using the OpenVPN.ConfigFile parameter for
>> the few cases I end up needing it. (And I'm not even sure whether we're
>> going to migrate to connman.)
> 
> Good point. I completely forgot about ConfigFile. So
> 
>   OpenVPN.MTU 
> 
> should map to
> 
>   --tun-mtu  --fragment
> 
> ?

I'll admit I don't understand OpenVPN enough to answer that. I know that
we're not specifying it, I was under the impression that the Kernel
network stack fragments itself with tun-mtu set, and that --fragment was
to bypass that for… reasons.

IMO one more reason to leave it out of the connman plugin and defer that
to the config file, lest people start tinkering with it without needing to.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167
http://software.tao.at


Re: [PATCH v2] openvpn: Add MTU related options

2015-10-20 Thread Sven Schwedas
On 2015-10-20 14:04, Patrik Flykt wrote:
> Are any of these necessary for any use cases? If they are needed for
> something, could the currently specified OpenVPN.MTU be used to derive
> proper MTUs for the devices involved?

They are necessary for some mobile carriers. We're fixing the tun MTU to
576 so OpenVPN doesn't die on (I think) Vodafone Germany's networks.

(Though not yet with Connman, it's legacy deployments with
NetworkManager/manual OpenVPN, and some special industrial modems from
Vodafone. I can't say just how widespread the issue is otherwise.)


-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167
http://software.tao.at




Re: [PATCH v2] openvpn: Add MTU related options

2015-10-20 Thread Patrik Flykt

Hi,

On Tue, 2015-10-20 at 14:26 +0200, Sven Schwedas wrote:
> On 2015-10-20 14:04, Patrik Flykt wrote:
> > Are any of these necessary for any use cases? If they are needed for
> > something, could the currently specified OpenVPN.MTU be used to derive
> > proper MTUs for the devices involved?
> 
> They are necessary for some mobile carriers. We're fixing the tun MTU to
> 576 so OpenVPN doesn't die on (I think) Vodafone Germany's networks.

Which of the mtu, fragment and/or mssfix options do you end up using and
with what value?

> (Though not yet with Connman, it's legacy deployments with
> NetworkManager/manual OpenVPN, and some special industrial modems from
> Vodafone. I can't say just how widespread the issue is otherwise.)

Cheers,

Patrik



Re: [PATCH v2] openvpn: Add MTU related options

2015-10-20 Thread Sven Schwedas
Hi,

On 2015-10-20 14:45, Patrik Flykt wrote:
> 
>   Hi,
> 
> On Tue, 2015-10-20 at 14:26 +0200, Sven Schwedas wrote:
>> On 2015-10-20 14:04, Patrik Flykt wrote:
>>> Are any of these necessary for any use cases? If they are needed for
>>> something, could the currently specified OpenVPN.MTU be used to derive
>>> proper MTUs for the devices involved?
>>
>> They are necessary for some mobile carriers. We're fixing the tun MTU to
>> 576 so OpenVPN doesn't die on (I think) Vodafone Germany's networks.
> 
> Which of the mtu, fragment and/or mssfix options do you end up using and
> with what value?

We only change the tun-mtu value, none of the others. It seems to be
recommended to change the others too, but it fixed the problems for us,
and I didn't want to experiment more at the time. Presumably connman
would need to support all?

> 
>> (Though not yet with Connman, it's legacy deployments with
>> NetworkManager/manual OpenVPN, and some special industrial modems from
>> Vodafone. I can't say just how widespread the issue is otherwise.)
> 
> Cheers,
> 
>   Patrik
> 
> ___
> connman mailing list
> connman@connman.net
> https://lists.connman.net/mailman/listinfo/connman
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167
http://software.tao.at




Re: [PATCH v2] openvpn: Add MTU related options

2015-10-18 Thread Hannikainen, Jaakko
On Fri, 2015-10-16 at 13:33 +0200, Daniel Wagner wrote:
> OpenVPN has several command line options to configure how to handle the
> MTU of packets. The plugin accepts an OpenVPN.MTU option which is
> translated to '--mtu'. This option is not available (has it ever
> existed?) since 2.0. We recommend at least version 2.2 of OpenVPN.

I'm currently rewriting plenty of documentation, other VPN types (or at
least L2TP and friends) also have this problem - several properties
which are simply incorrect and probably never used by anyone. I'll
check out the documentation and try to squash the rest of these today.

Jaakko