CRXN
/
docs
mirror of https://codeberg.org/CRXN/docs.git
1
0
Fork 0
Code Releases Activity

add docs for manuelly adjusting mtu 

Signed-off-by: Marek Küthe <m.k@mk16.de>
This commit is contained in:
Marek Küthe 2023-01-04 11:27:29 +01:00
parent cb26cf4001
commit 5dc59893f4
No known key found for this signature in database
GPG Key ID: 7E869146699108C7
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
docs/tunneling/openvpn.md
View File

@ -71,6 +71,41 @@ For example, if a keepalive signal is to be sent every 20ms and the peer is to b
keepalive 20 120
```
### MTU
OpenVPN uses an MTU of 1500 in the tunnel by default. The problem with this, however, is that most Internet connections also have an MTU of 1500. However, since the OpenVPN packets are both encapsulated and encrypted, the MTU must be lower than that of the Internet interface. If an MTU of 1500 is used in the tunnel, this will cause the OpenVPN packets to be larger than 1500 bytes, which is the MTU of the Internet interface. This leads to IP packet fragmentation. Fragmentation is again something that you generally want to prevent. Therefore it is necessary to adjust the MTU in OpenVPN manually.
OpenVPN has provided two flags for this purpose. However, one flag is deprecated since version 2.6 and should therefore no longer be used. The other flag is `tun-mtu`. With this flag you can adjust the MTU of the tunnel interface. However, this must be determined beforehand. For this you can send pings with different sized payloads in the tunnel and see if the OpenVPN packet gets fragmented.
To intercept fragmented IP packets with `tcpdump`, you can use the following command (only works for IPv4):
```
tcpdump -i <interface> '((ip[6:2] > 0) and (not ip[6] = 64))'
```
You should replace `<interface>` with the name of the Internet interface.
If you cannot detect fragmented packets via this command, you can modify tcpdump to filter every packet with the OpenVPN port. Use the flag `-v`. You will then recognize the fragmented packets by a `[+]` or the word `frag`:
```
tcpdump -i <interface> port <rport> or port <lport> -v
```
After that you can use the following command to determine the MTU.
```
ping <ip> -M do -s <payload>
```
Replace `<ip>` with the IP of the peer in the tunnel. `-M do` ensures that the ping packets are not fragmented. Replace `<payload>` with the size of the payload in bytes. Often the desired size is between 1300 and 1400. Now you adjust the size so that the OpenVPN packet fragments. You then reduce the size of the payload until there is no more fragmentation.
To get the size of the non-fragmented package you can use tcpdump:
```
tcpdump -i <ovpn> icmp or icmp6
```
Replace <ovpn> with the OpenVPN interface. The `echo request` should have `length <len>` at the end, where `<len>` is the length you are looking for. Now you can add the IP headers to it. This is 40 bytes for IPv6 and 20 bytes for IPv4.
This is then the size of the packet you transferred that was not fragmented. Therefore you can use this value as MTU:
```
tun-mtu <value>
```
This argument must be specified on both sides. If the circumstances of the connection, such as the protocol used, change, the MTU must be adjusted again. Since an IPv4 packet is smaller than an IPv6 packet, it is recommended that the OpenVPN connection is established over IPv4 if possible.
## Automatic start with systemd
If you save the OpenVPN configuration under `/etc/openvpn/<filename>.conf`, you can use systemd to start the OpenVPN connection or set an automatic start: