Discussion:
[Openvpn-users] how to troubleshoot mtu settings
J Webster
2012-08-15 10:22:11 UTC
Is there a method to troubleshoot mtu settings or is it just trial and
error by lowering the mtu?
Does the client mtu setting take priority over the server mtu settings?
I am trying to browse video and websites through the VPN but it is
very slow and stutters a lot:
Wed Aug 15 11:09:37 2012 WARNING: 'link-mtu' is used inconsistently,
local='link-mtu 1542', remote='link-mtu 1574'
Wed Aug 15 11:09:37 2012 WARNING: 'tun-mtu' is used inconsistently,
local='tun-mtu 1500', remote='tun-mtu 1532'
David Sommerseth
2012-08-15 10:51:02 UTC
Post by J Webster
Is there a method to troubleshoot mtu settings or is it just trial
and error by lowering the mtu? Does the client mtu setting take
priority over the server mtu settings? I am trying to browse video
and websites through the VPN but it is very slow and stutters a
lot: Wed Aug 15 11:09:37 2012 WARNING: 'link-mtu' is used
inconsistently, local='link-mtu 1542', remote='link-mtu 1574' Wed
Aug 15 11:09:37 2012 WARNING: 'tun-mtu' is used inconsistently,
local='tun-mtu 1500', remote='tun-mtu 1532'
If you read the man page properly, you see there is a feature in
OpenVPN called --mtu-test


kind regards,

David Sommerseth
J Webster
2012-08-15 12:15:58 UTC
I added fragmentation and mssfix but cannot browse any internet via the VPN.

client
dev tun
proto udp
remote 84.xxx.xxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert name.crt
key name.key
comp-lzo
verb 3
;link-mtu 1472
fragment 1400
mssfix
;mtu-test

Wed Aug 15 13:09:36 2012 WARNING: No server certificate verification
method has been enabled. See http://openvpn.net/howto.html#mitm for
more info.
Wed Aug 15 13:09:36 2012 NOTE: OpenVPN 2.1 requires '--script-security
2' or higher to call user-defined scripts or executables
Wed Aug 15 13:09:36 2012 Re-using SSL/TLS context
Wed Aug 15 13:09:36 2012 LZO compression initialized
Wed Aug 15 13:09:36 2012 Control Channel MTU parms [ L:1546 D:138
EF:38 EB:0 ET:0 EL:0 ]
Wed Aug 15 13:09:36 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 15 13:09:36 2012 Data Channel MTU parms [ L:1546 D:1400 EF:46
EB:135 ET:0 EL:0 AF:3/1 ]
Wed Aug 15 13:09:36 2012 Fragmentation MTU parms [ L:1546 D:1400 EF:45
EB:135 ET:1 EL:0 AF:3/1 ]
Wed Aug 15 13:09:36 2012 Local Options hash (VER=V4): 'c086e1aa'
Wed Aug 15 13:09:36 2012 Expected Remote Options hash (VER=V4): '8e7959c7'
Wed Aug 15 13:09:36 2012 UDPv4 link local: [undef]
Wed Aug 15 13:09:36 2012 UDPv4 link remote: 84.xxx.xxx.xx:1194
Wed Aug 15 13:09:36 2012 TLS: Initial packet from 84.xxx.xxx.xx:1194,
sid=0d745bf4 7653f4d5
Wed Aug 15 13:09:38 2012 VERIFY OK: depth=1,
/C=FR/ST=FR/L=Paris/O=MySiteFR/CN=MySiteFR_CA/emailAddress=***@MySite.eu
Wed Aug 15 13:09:38 2012 VERIFY OK: depth=0,
/C=FR/ST=FR/L=Paris/O=MySiteFR/CN=MySite.eu/emailAddress=***@MySite.eu
Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used inconsistently,
local='link-mtu 1546', remote='link-mtu 1574'
Wed Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently,
local='tun-mtu 1500', remote='tun-mtu 1532'
Wed Aug 15 13:09:45 2012 WARNING: 'mtu-dynamic' is present in local
config but missing in remote config, local='mtu-dynamic'
Wed Aug 15 13:09:45 2012 Data Channel Encrypt: Cipher 'BF-CBC'
initialized with 128 bit key
Wed Aug 15 13:09:45 2012 Data Channel Encrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Wed Aug 15 13:09:45 2012 Data Channel Decrypt: Cipher 'BF-CBC'
initialized with 128 bit key
Wed Aug 15 13:09:45 2012 Data Channel Decrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Wed Aug 15 13:09:45 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Aug 15 13:09:45 2012 [MySite.eu] Peer Connection Initiated with
84.xxx.xxx.xx:1194
Wed Aug 15 13:09:47 2012 SENT CONTROL [MySite.eu]: 'PUSH_REQUEST' (status=1)
Wed Aug 15 13:09:47 2012 PUSH: Received control message:
'PUSH_REPLY,redirect-gateway,dhcp-option DNS
213.171.192.249,dhcp-option DNS 213.171.192.245,route
10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6
10.8.0.5'
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: route options modified
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: --ip-win32 and/or
--dhcp-option options modified
Wed Aug 15 13:09:47 2012 Preserving previous TUN/TAP instance: Local
Area Connection 10
Wed Aug 15 13:09:47 2012 Initialization Sequence Completed
Andy Wang
2012-08-15 13:34:10 UTC
-----Original Message-----
Sent: August-15-12 8:16 AM
To: David Sommerseth
Cc: openvpn-users
Subject: Re: [Openvpn-users] how to troubleshoot mtu settings
I added fragmentation and mssfix but cannot browse any internet via the VPN.
client
dev tun
proto udp
..
fragment 1400
mssfix
One more thing, the "fragment xxxx" should apply to both sides, server's config and client's config
and they should use the same value.

Regards,

Andy
Andy Wang
2012-08-15 13:28:14 UTC
-----Original Message-----
From: J Webster [mailto:***@gmail.com]
Sent: August-15-12 8:16 AM
To: David Sommerseth
Cc: openvpn-users
Subject: Re: [Openvpn-users] how to troubleshoot mtu settings

I added fragmentation and mssfix but cannot browse any internet via the VPN.

client
dev tun
proto udp
remote 84.xxx.xxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert name.crt
key name.key
comp-lzo
verb 3
;link-mtu 1472
fragment 1400
mssfix
;mtu-test
Please try the "magic number" - fragment 1300. ( works for me. )

Regards,

Andy
David Sommerseth
2012-08-15 16:27:22 UTC
Post by David Sommerseth
Post by J Webster
Is there a method to troubleshoot mtu settings or is it just
trial and error by lowering the mtu? Does the client mtu
setting take priority over the server mtu settings? I am
trying to browse video and websites through the VPN but it is
very slow and stutters a lot: Wed Aug 15 11:09:37 2012
WARNING: 'link-mtu' is used inconsistently, local='link-mtu
1542', remote='link-mtu 1574' Wed Aug 15 11:09:37 2012
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu
1500', remote='tun-mtu 1532'
If you read the man page properly, you see there is a feature in
OpenVPN called --mtu-test
kind regards,
David Sommerseth
Please try the "magic number" - fragment 1300. ( works for me. )
But that does still not solve this issue, which is actually more
Post by David Sommerseth
Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used
inconsistently, local='link-mtu 1546', remote='link-mtu 1574' Wed
Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently,
local='tun-mtu 1500', remote='tun-mtu 1532'
If the MTU values are not correct, even though a lower --fragment
value might help, this MTU trouble might stab you in the back later on
in another scenario.

Rule of thumb when it comes to solving OpenVPN issues:

* Fix all warnings in the log before doing anything else *

Those warnings are there for a reason, and if you don't fix them, it
will most likely hurt you later on.


kind regards,

David Sommerseth
J Webster
2012-08-15 17:17:05 UTC
Post by David Sommerseth
Post by Andy Wang
Please try the "magic number" - fragment 1300. ( works for me. )
But that does still not solve this issue, which is actually more
Post by Andy Wang
Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used
inconsistently, local='link-mtu 1546', remote='link-mtu 1574' Wed
Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently,
local='tun-mtu 1500', remote='tun-mtu 1532'
If the MTU values are not correct, even though a lower --fragment
value might help, this MTU trouble might stab you in the back later on
in another scenario.
* Fix all warnings in the log before doing anything else *
Those warnings are there for a reason, and if you don't fix them, it
will most likely hurt you later on.
kind regards,
David Sommerseth
I ran openvpn --mtu-test --dev tun0 but it doesn't output anything to do
with mtu settings
I then changed the server.conf and added mtu-test, but even after 3mins
there is nothing in the logs showing mtu settings.
The clients connect but I'm wondering if the routing on the server is
not permitting pages to be viewed? It should be forwarded correctly using:

net.ipv4.ip_forward = 1

sysctl -p

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
J Webster
2012-08-15 17:23:16 UTC
* Fix all warnings in the log before doing anything else * Those
warnings are there for a reason, and if you don't fix them, it will most
likely hurt you later on. kind regards, David Sommerseth

I get this in the server.log now:
Wed Aug 15 19:18:05 2012 namecert/86.xx.xx.xxx:1678 Replay-window
backtrack occurred [2]

David Sommerseth
2012-08-15 15:33:39 UTC
You also haven't fixed these issues still ...
Post by J Webster
Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used
inconsistently, local='link-mtu 1546', remote='link-mtu 1574' Wed
Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently,
local='tun-mtu 1500', remote='tun-mtu 1532' Wed Aug 15 13:09:45
2012 WARNING: 'mtu-dynamic' is present in local config but missing
in remote config, local='mtu-dynamic'
You need to use either --link-mtu or --tun-mtu on both sides and set
it to the proper size on *both* server and client. Then you can start
playing with --fragment and --mssfix.

These warnings might very well explain why browsing the Internet
doesn't work via the VPN.


kind regards,

David Sommerseth
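
Added example (not part of the thread and not OpenVPN code): a small Python check that pulls the option-consistency warnings discussed above out of a client or server log and reports the local/remote difference for each, so the mismatches can be fixed before tuning --fragment or --mssfix. The sample log is constructed from the warning lines quoted in the thread, with the archive's line wrapping undone; the function names are hypothetical.

```python
import re

# Constructed sample: the three warnings quoted in the thread, one per line.
SAMPLE_LOG = """\
Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1574'
Wed Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Wed Aug 15 13:09:45 2012 WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
Wed Aug 15 13:09:47 2012 Initialization Sequence Completed
"""

# Same option on both peers, different values.
MISMATCH = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
# Option configured on one peer only.
ONE_SIDED = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is present in (?P<has>local|remote) config "
    r"but missing in (?:local|remote) config")


def option_value(text, opt):
    """Return the numeric argument of 'opt 1234', or None if not numeric."""
    arg = text[len(opt):].strip() if text.startswith(opt) else text
    return int(arg) if arg.isdigit() else None


def find_option_warnings(log_text):
    """Collect option-consistency warnings from a log as a list of dicts."""
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            lv = option_value(m["local"], m["opt"])
            rv = option_value(m["remote"], m["opt"])
            delta = rv - lv if lv is not None and rv is not None else None
            findings.append({"option": m["opt"], "kind": "mismatch",
                             "local": lv, "remote": rv, "delta": delta})
            continue
        m = ONE_SIDED.search(line)
        if m:
            findings.append({"option": m["opt"], "kind": "only-" + m["has"]})
    return findings


if __name__ == "__main__":
    for finding in find_option_warnings(SAMPLE_LOG):
        print(finding)
```

An empty result is the state the rule of thumb in the thread asks for before any further tuning.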