James Yonan wrote:
> I'd have to say that one of the "breakthroughs" in improving OpenVPN's MTU
> handling from 1.x to 2.0 was in acknowledging that IP fragmentation and
> PMTU discovery is basically broken on the modern internet, and that the
> most-likely-to-work solution is to either (a) avoid fragmentation in the
> first place (--mssfix), or (b) fragment internally, so that UDP packets
> sent between OpenVPN are never subject to IP fragmentation (--fragment).

How do you prevent the UDP packets sent between OpenVPN from being fragmented, if you do not know the path MTU between the OpenVPN nodes?

More realistically, what if the path MTU is dynamic because it can be over whatever strange network the road warrior is plugged into from time to time?

That's the biggest problem I've had with OpenVPN's MTU handling. Usually the network I'm using is fine with 1500 byte packets, but occasionally I've been on networks where those don't work, and my tunnel stops being reliable.

Unfortunately, the only solution I found was to manually lower the client end's tun0 MTU to 308, which is of course far from optimal most of the time, but necessary for it to be reliable some of the time.

Fwiw, I'm using an OpenVPN 2.x client connecting to an OpenVPN 1.x server.

-- Jamie