From: Jan J. K. <ja...@ni...> - 2010-08-28 21:28:04
Hi Nikita,

Nikita Koshikov wrote:
> Hello openvpn/routing experts.
>
> I don't know if this is the right place to post this problem; redirect me if I'm wrong.
>
> Setup:
>
> openvpn-client --> openvpn-server --> local-net
> tun0(mtu 1500)     tun0(mtu 1300)     eth0(mtu1500)
> eth0(mtu 1500)
>
> I set the mtu manually on the openvpn server with 'ip link set tun0 mtu 1300'. Then I'm trying to ping machines from openvpn-client to local-net with the command:
>
> ping -M dont -s 1400 192.168.1.1
>         ^^^^
> DF bit is off.
> And I got 3 packets:
> 1 echo request
> 1+1 fragmented echo reply. Fragmentation was made by openvpn server. This is ok.
>
> Then, I changed the command to:
> ping -M do -s 1400 192.168.1.1
>         ^^
> DF bit is on!
> And I still got fragmented replies. However, I should have got icmp(Frag needed and DF set).
>
> Here is tcpdump, captured on openvpn-server tun0:
> 172.16.0.127 - this is client IP
> 192.168.1.1 - local-host
>
> 21:37:23.279886 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 1328) 172.16.0.127 > 192.168.1.1: ICMP echo request, id 58964, seq 1, length 1308
> 21:37:23.280093 IP (tos 0x0, ttl 63, id 8408, offset 0, flags [+], proto: ICMP (1), length: 1300) 192.168.1.1 > 172.16.0.127: ICMP echo reply, id 58964, seq 1, length 1280
> 21:37:23.280098 IP (tos 0x0, ttl 63, id 8408, offset 1280, flags [none], proto: ICMP (1), length: 48) 192.168.1.1 > 172.16.0.127: icmp
>
> Tcpdump captured on openvpn-server eth0:
>
> 22:07:40.973671 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: ICMP (1), length: 1428) 172.16.0.127 > 192.168.1.1: ICMP echo request, id 15958, seq 1, length 1408
> 22:07:40.973890 IP (tos 0x0, ttl 64, id 8411, offset 0, flags [none], proto: ICMP (1), length: 1428) 192.168.1.1 > 172.16.0.127: ICMP echo reply, id 15958, seq 1, length 1408
>
> Can someone explain to me why the tun interface does not honor the DF flag? Is it expected or is it a bug?
>
> For comparison, if I set mtu 1300 on eth0, I got as expected:
> From 172.16.0.127 icmp_seq=2 Frag needed and DF set (mtu = 1300)
>
> Some notes:
> Openvpn-server OS: Centos 5.5
> Openvpn-server kernel: 2.6.18-194.8.1.el5xen x86_64
> Openvpn-server version: 2.1.1-1
>

Interesting question ... there are a couple of things to try:

- what happens if you specify tun-mtu 1400 in the server config file? Does the DF work then?
- what happens if you switch to 'tap'? A 'tun' device is a point-to-point device and is not the exact equivalent of an ethernet device. A 'tap' device comes much closer.

HTH,

JJK
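
An added example (not part of either poster's message): a small Python parser for the tcpdump lines quoted above that groups packets by source, destination and IP id, then reports whether each datagram carried DF and whether it was seen as fragments. The function name `datagrams` and the result field names are assumptions of this example.

```python
import re

# Capture lines copied from the message above (tun0 and eth0 on the openvpn server).
TUN0 = """\
21:37:23.279886 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 1328) 172.16.0.127 > 192.168.1.1: ICMP echo request, id 58964, seq 1, length 1308
21:37:23.280093 IP (tos 0x0, ttl 63, id 8408, offset 0, flags [+], proto: ICMP (1), length: 1300) 192.168.1.1 > 172.16.0.127: ICMP echo reply, id 58964, seq 1, length 1280
21:37:23.280098 IP (tos 0x0, ttl 63, id 8408, offset 1280, flags [none], proto: ICMP (1), length: 48) 192.168.1.1 > 172.16.0.127: icmp
"""
ETH0 = """\
22:07:40.973671 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: ICMP (1), length: 1428) 172.16.0.127 > 192.168.1.1: ICMP echo request, id 15958, seq 1, length 1408
22:07:40.973890 IP (tos 0x0, ttl 64, id 8411, offset 0, flags [none], proto: ICMP (1), length: 1428) 192.168.1.1 > 172.16.0.127: ICMP echo reply, id 15958, seq 1, length 1408
"""

# Matches the IP header part of a "tcpdump -v" line in the format shown above.
PKT = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: \w+ \(\d+\), length: (?P<len>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+):"
)

def datagrams(capture):
    """Group packets by (src, dst, IP id); report DF and fragmentation per datagram."""
    out = {}
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # not an IP header line in the expected format
        flags = m["flags"].replace(" ", "").split(",")
        key = (m["src"], m["dst"], int(m["id"]))
        d = out.setdefault(key, {"df": False, "fragments": 0, "max_len": 0})
        d["df"] = d["df"] or "DF" in flags
        # tcpdump prints "+" for More Fragments; a non-zero offset is a later fragment.
        if "+" in flags or int(m["off"]) > 0:
            d["fragments"] += 1
        d["max_len"] = max(d["max_len"], int(m["len"]))
    return out

if __name__ == "__main__":
    for name, cap in (("tun0", TUN0), ("eth0", ETH0)):
        for (src, dst, ip_id), d in datagrams(cap).items():
            print(f"{name}: {src} > {dst} id={ip_id} DF={d['df']} "
                  f"fragments={d['fragments']} max_len={d['max_len']}")
```

Run over the quoted captures, it shows DF only on the echo request (id 0); the echo reply leaves 192.168.1.1 with flags [none] on eth0 (id 8411), and a reply appears as two fragments on tun0 (id 8408).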