ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    A little confused on OpenVPN MTU

    IT Discussion
    mtu openvpn edgemax edgeos 1.7 edgerouter ubiquiti pppoe
    2
    4
    2.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch
      last edited by

      I have a lot of Ubiquiti ERL scattered around generally working great.

      Today I had a really odd connectivity issues while working remote via ScreenConnect at a client site. This site has always seemed slow, but I just wrote it off to "DSL."

      This site is the only site that uses DSL with PPPoE for their service. The ERL is handling the PPPoE auth and everything has been in place for more than a year.

      This evening I decided to look into it closer.

      The router was originally setup with the PPPoE wizard which created a few settings.

      firewall

      modify PPPoE_OUT {
    description "TCP clamping"
    rule 1 {
        action modify
        modify {
            tcp-mss 1452
        }
        protocol tcp
        tcp {
            flags SYN
        }
    }
}

      interfaces

      ethernet eth2 {
    description WAN
    duplex auto
    pppoe 0 {
        default-route auto
        firewall {
            in {
                name PPPoE_IN
            }
            local {
                name PPPoE_LOCAL
            }
            out {
                modify PPPoE_OUT
            }
        }
        mtu 1492
        name-server auto
        password xxxxxxxxx
        user-id xxxxxxxxxx
    }
    speed auto
}

      Wondering about the seemingly harsh MSS clamping, I started tinkering with MTU.
      I removed the firewall out rule and then tinkered with various MTU settings on the eth2 and pppoe 0 interfaces.

      Eventually I determined that having no MTU specified gives me what I would expect. I lose 8 bytes over a straight Ethernet connection. This means eth2 auto negotiates to 1500 and pppoe 0 then sets itself to 1492.

      a bunch of ping -c 1 -s 1472 -M do 8.8.8.8 and ping -c 1 -s 1464 -M do 8.8.8.8 later confirms that this works like I think. The 1472 needs fragmented and the 1464 works.

      Great, I have confirmed everything works like I expect and I have removed the odd firewall modify rule.

      So now I do some internal pings across the OpenVPN tunnel. I am assuming I have additional overhead that needs accounted for, but I start with the 1464 just because. To my surprise, ping -c 1 -s 1464 -M do 10.204.1.1 works. Testing lets it go all they way up to ping -c 1 -s 1472 -M do 10.204.1.1. This is the value you would expect from a normal 1500 MTU Ethernet line.

      Now the OpenVPN config has no Specific MTU applied, so I assume it is setting itself to 1500 like anything else.

      openvpn vtun10 {
    description "Site A to Site B"
    local-address 10.204.9.2 {
    }
    local-port 1195
    mode site-to-site
    openvpn-option --comp-lzo
    remote-address 10.204.9.1
    remote-host vpn.domain.com
    remote-port 1195
    shared-secret-key-file /config/auth/xxxxxxxxxx
}

      But the tunnel has to go through pppoe 0 to get out, so how the hell does that work?

      Does the encrypted packet just get broken into 1464 chucks and the ping command just does not know it because it is inside the encrypted packet? If so, should I set the tunnel to a lower MTU manually so that each individual encrypted packet will not get fragmented when sent? If so, how much overhead does OpenVPN have?

      1 Reply Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch
        last edited by JaredBusch

        Google tells me to set openvpn options to link-mtu 1472 for a normal ethernet line and thus I would think that I need to set it to 1468 for my pppoe example.

        with the erl that would make the above OpenVPN seciton look like this.

        openvpn vtun10 {
    description "Site A to Site B"
    local-address 10.204.9.2 {
    }
    local-port 1195
    mode site-to-site
    openvpn-option "--tun-mtu 1464"
    openvpn-option --comp-lzo
    remote-address 10.204.9.1
    remote-host vpn.domain.com
    remote-port 1195
    shared-secret-key-file /config/auth/xxxxxxxxxx
}

        Doing that results in ping -c 1 -s 1436 -M do 10.204.1.1 being the largest unfragmented ping I can do through the tunnel.

        1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch
          last edited by

          So someone tell me if I am off base or doing a good thing here.

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            Everything that you are doing sounds logical and makes sense to me. I'm pretty confident you are not going to hurt anything here. Will it help dramatically? No idea there. But I think it is likely to help without much risk. Seems like a good idea.

            1 Reply Last reply Reply Quote 0
            • 1 / 1
            • First post
              Last post