OpenVPN MTU Size
By Phil on Thursday, January 8 2009, 09:34 - Linux & Open Source
I came across a problem recently while attempting to transfer a largish (23mb) file from my web server to my file server via my OpenVPN tunnel.
The tunnel has been working perfectly since it was first established. SSH and small file copies went fine. But this copy would get to 2,112kb and then stall, no matter how many times I attempted it. I attempted the same transfer using the public interwebs (I was scp'ing so it was encrypted anyway) and this worked perfectly, so there was obviously a problem with the OpenVPN tunnel.
Doing a tcpdump on both ends, and on the firewall where the tunnel terminates, showed that the traffic would flow freely up to the 2,112kb mark; after that you could see packets entering the tunnel at the web server end, but not exiting at the firewall end.
A quick Google and scan through the OpenVPN book pointed at using this command to test the maximum MTU of the tunnel:
mtu-test
So I added this to the tunnel config on the web server end, and restarted the tunnel. Logs reported:
openvpn[8177]: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
And a short time later:
openvpn[8177]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1445] remote->local=[1557,1557]
openvpn[8177]: NOTE: This connection is unable to accomodate a UDP packet size of 1557. Consider using --fragment or --mssfix options as a workaround.
So I took the advice of the computer, and added those 2 configuration options to the config file:
fragment 1400
mssfix
Now my tunnel works perfectly again.
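An added example (not from the original post): a small Python parser for the mtu-test result line quoted above, which reports the direction that dropped large packets and checks a fragment size against it. The function names are hypothetical, the sample log is constructed from the lines in the post, and it assumes "Actual" is the largest UDP size that got through.

```python
import re

# Constructed sample: the log lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
openvpn[8177]: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
openvpn[8177]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1445] remote->local=[1557,1557]
"""

RESULT_RE = re.compile(
    r"Empirical MTU test completed \[Tried,Actual\]\s+"
    r"local->remote=\[(\d+),(\d+)\]\s+remote->local=\[(\d+),(\d+)\]"
)

def parse_mtu_test(log_text):
    """Return the last mtu-test result in log_text as a dict, or None if absent."""
    matches = RESULT_RE.findall(log_text)
    if not matches:
        return None
    l_tried, l_actual, r_tried, r_actual = map(int, matches[-1])
    return {
        "local->remote": {"tried": l_tried, "actual": l_actual},
        "remote->local": {"tried": r_tried, "actual": r_actual},
    }

def constrained_directions(result):
    """Directions in which the path carried less than the size OpenVPN tried."""
    return [d for d, v in result.items() if v["actual"] < v["tried"]]

def fragment_fits(result, fragment_size):
    """True if fragment_size is no larger than the smallest size that got through."""
    return fragment_size <= min(v["actual"] for v in result.values())

if __name__ == "__main__":
    res = parse_mtu_test(SAMPLE_LOG)
    if res is None:
        print("no mtu-test result found")
    else:
        for direction in constrained_directions(res):
            v = res[direction]
            print(f"{direction}: tried {v['tried']}, only {v['actual']} got through")
        print("fragment 1400 fits:", fragment_fits(res, 1400))
```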
Comments
Hi Phil!
We have a split network between two sites distant several hundred miles.
After changing ISP on one hand our OpenVPN link underwent major failures.
Thank you for providing the right answer: it now runs much smoother.
Obotor