On Wed, 1 Sep 2004, Sean Patrick wrote:

> Hi list,
>
> Thanks to your help, I have been able to get OpenVPN
> 1.4.0b10 set up between our servers and remote client

That version number doesn't look right.

> sites. Getting the mssfix 1437 value fixed a lot of
> problems between the client sites it seems.
>
> There is now an issue where rsync is running a backup
> across OpenVPN between a Windows machine (on cygwin),
> and the Linux backup server.
>
> Large files of about 2GB appear to be hanging the
> connection. Rsync looks to time out, and OpenVPN
> appears to be resetting at about the same time. I'm
> not sure where the problem may be, but any help would
> be appreciated.
>
> There are also messages from OpenVPN about anti-replay
> which sometimes occur around the same time as the
> reconnects.
>
> A few questions for the list:
> Is there a "safe" setting for anti-replay, and can it
> be pushed to clients?

Yes, take a look at --mute-replay-warnings in the man page.

> Will using fragment in the config files with mssfix
> provide a noticeable stability increase, or just reduce
> performance?

--fragment will only really help when you are tunneling a UDP application
protocol, where the UDP datagrams become too large for the transport MTU
after the encryption/authentication related overhead is added to the packet.

--mssfix reduces the TCP MSS size. This only works for TCP connections
running over the tunnel.

Using --fragment and --mssfix together is usually a good idea. Performance
will only be reduced if --mssfix is not able to do its job and the packet
needs to be internally fragmented.

> Should the mssfix/fragment values be set lower than
> the mtu-test returned value to be safe?

Yes, this won't hurt anything.

James

>
> #############################
> # TLS server config
> #
> port 55345
> dev tun
> comp-lzo
>
> # be a multi-client udp server
> mode server
>
> #TLS parms
> tls-server
> dh /some/place/dh1024.pem
> ca /some/place/my-openvpn-keys/ca.crt
> cert /some/place/com.crt
> key /some/place/com.key
>
> # server's virtual end points
> ifconfig 10.0.0.1 10.0.0.2
>
> # pool of /30 subnets to allocate to clients.
> ifconfig-pool 10.0.0.4 10.0.0.255
>
> # push route to client binding it to our local endpoint.
> push "route 10.0.0.1 255.255.255.255"
>
> # client should attempt to reconnect on link failure.
> ping 15
> ping-restart 120
> push "ping 10"
> push "ping-restart 60"
>
> # route the pool range to the openvpn server.
> route 10.0.0.0 255.255.255.0
>
> # no privileges required
> user nobody
> group nobody
>
> verb 3
> mute 10
> status openvpn-status.log
>
> tun-mtu 1500
> mssfix 1437
> ########################
>
> OpenVPN error message:
> Aug 30 09:38:23 server001 openvpn[12164]:
> client.systemsaligned.com/12.34.56.789:64646
> Authenticate/Decrypt packet error: bad packet ID (may
> be a replay): [ #55473 ] -- see the man page entry for
> --no-replay and --replay-window for more info or
> silence this warning with --mute-replay-warnings
>
> Rsync error message (this was not a user aborted
> transfer, contrary to what the last line says):
> Can't write 16 bytes to socket
> Sending csums, cnt = 14876, phase = 1
> Read EOF: Connection reset by peer
> Tried again: got 0 bytes
> finish: removing in-process file User/Contacts.pst
> Child is aborting
> Done: 16431 files, 6833928626 bytes
> Got fatal error during xfer (aborted by signal=PIPE)
> Backup aborted by user signal
>
> Thanks for your time. Any comments or ideas on solving
> this issue would be greatly appreciated.
>
> Brian
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
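
Added example, not part of the original thread and not OpenVPN's own code: a simplified sliding-window packet-ID check of the kind the "bad packet ID (may be a replay)" message and --replay-window refer to, showing that a UDP packet delayed past the window is dropped just as a duplicate is. The class and function names, the window sizes 64 and 128, and the arrival sequence are constructed for illustration, and only a packet-count window is modelled.

```python
# Simplified sliding-window anti-replay check (illustrative model only,
# not OpenVPN source code). All names and sample values are constructed.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size      # how far behind the newest ID a packet may arrive
        self.highest = 0      # highest packet ID accepted so far
        self.bitmap = 0       # bit i set => ID (highest - i) was already seen

    def check(self, pid):
        """Return 'ok', 'duplicate' or 'too-old' for an authenticated packet ID."""
        if pid > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = pid - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = pid
            return "ok"
        offset = self.highest - pid
        if offset >= self.size:
            return "too-old"      # late arrival outside the window: dropped
        if self.bitmap & (1 << offset):
            return "duplicate"    # same ID seen twice: a true replay
        self.bitmap |= 1 << offset
        return "ok"               # reordered, but still inside the window


def classify(arrivals, size=64):
    """Run a sequence of packet IDs (in arrival order) through one window."""
    window = ReplayWindow(size)
    return [window.check(pid) for pid in arrivals]


# Constructed arrival order: mild reordering (5 before 4), then ID 30 is
# delayed until after ID 100 has arrived, then ID 100 shows up a second time.
ARRIVALS = [1, 2, 3, 5, 4, 100, 30, 100, 99]

if __name__ == "__main__":
    for size in (64, 128):
        print(size, list(zip(ARRIVALS, classify(ARRIVALS, size))))
```

With the larger window the delayed packet is accepted while the duplicate is still rejected, which is the trade-off a wider replay window makes on links that reorder heavily.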