Re: [Openvpn-users] UDP Tunneling?

  Subject: Re: [Openvpn-users] UDP Tunneling?
  From: "James Yonan" <jim@xxxxxxxxx>
  Date: Mon, 10 Nov 2003 20:51:51 -0000

Leo Vetterli <leo.vetterli@xxxxxxxxxxx> said:

> Does anybody know if openvpn supports UDP Tunneling? I mean that the UDP
> Protocol on a Sub-LAN is tunneled with Openvpn to the LAN?

Absolutely.  People commonly tunnel NFS or VoIP over OpenVPN.  Since OpenVPN
fully supports UDP as the tunnel carrier, when you are tunneling a UDP
application stream, you get the clean encapsulation semantics of UDP over UDP.

The one gotcha to keep in mind is that when OpenVPN encrypts and encapsulates
a UDP packet, some security-related overhead is added to the packet size.

The result is that the MTU is somewhat less than it would be over a direct
connection with no VPN involved.  This can create a performance bottleneck or
even lock up the connection if IP fragmentation is disabled by routers in the

OpenVPN has a workaround for this: the --fragment option, which does
fragmentation internally.  This is really a last resort for intractable
fragmentation problems since it exacts a performance penalty.  Note that the
--mssfix option does not work in this case -- it's designed to work only with
TCP streams which are tunneled over OpenVPN.

The best solution is to lower the UDP MTU used by the application which is
being tunneled to a level just below the fragmentation threshold.
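
Added example, not part of the original message: a sketch of how to estimate the largest application UDP payload that stays below the fragmentation threshold once tunnel overhead is counted. The per-packet field sizes are an assumed model (CBC cipher plus HMAC, IPv4 without options) and the names `TunnelOverhead` and `max_app_udp_payload` are hypothetical; check the result against your own cipher and auth settings.

```python
from dataclasses import dataclass

IPV4_HEADER = 20  # bytes, assuming no IP options
UDP_HEADER = 8    # bytes


@dataclass(frozen=True)
class TunnelOverhead:
    """Bytes added to each tunnelled packet (assumed model, not measured)."""
    opcode: int = 1      # packet type / key id byte
    hmac: int = 20       # authentication tag, e.g. HMAC-SHA1
    iv: int = 8          # CBC IV, one cipher block (8 for a 64-bit block cipher)
    packet_id: int = 4   # replay counter, encrypted together with the payload
    block: int = 8       # cipher block size; padding adds 1..block bytes


def outer_packet_size(inner_ip_len: int, o: TunnelOverhead) -> int:
    """Size of the outer IPv4 packet that carries one inner IP packet."""
    plaintext = o.packet_id + inner_ip_len
    # Block padding always adds at least one byte, so a plaintext that is
    # already block-aligned still grows by a full block.
    ciphertext = (plaintext // o.block + 1) * o.block
    return IPV4_HEADER + UDP_HEADER + o.opcode + o.hmac + o.iv + ciphertext


def max_app_udp_payload(link_mtu: int, o: TunnelOverhead) -> int:
    """Largest application UDP payload whose tunnelled form fits link_mtu."""
    inner = link_mtu
    floor = IPV4_HEADER + UDP_HEADER
    while inner > floor and outer_packet_size(inner, o) > link_mtu:
        inner -= 1
    # Remove the inner IP and UDP headers to get the application payload.
    return inner - floor


if __name__ == "__main__":
    # Constructed sample links: plain Ethernet and a PPPoE uplink.
    for name, mtu in (("ethernet", 1500), ("pppoe", 1492)):
        for label, o in (("64-bit block", TunnelOverhead()),
                         ("128-bit block", TunnelOverhead(iv=16, block=16))):
            print(f"{name:9} {label:14} max UDP payload = "
                  f"{max_app_udp_payload(mtu, o)}")
```

Because of block padding the limit moves in steps of one cipher block, so one extra payload byte can push the outer packet over the link MTU by a whole block.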


