From: Gert D. <ge...@gr...> - 2024-09-04 06:24:21
Hi,

On Wed, Sep 04, 2024 at 08:08:14AM +0200, Marian Ďurkovič wrote:
> On Tue, 3 Sep 2024 21:42:23 +0200, Gert Doering wrote
> ...
> > I agree that the decision by Connect to do "1500 byte MTU, but
> > generate the ICMP itself" (instead of doing ifconfig with lower MTU)
> > is somewhat questionable - but for the application, the net result
> > should be the same - packet too big, ICMP message, deal with it.
>
> MacOS is very different from e.g. Linux in this regard.
>
> If you set tun-mtu to 1400, the operating system correctly fragments UDP packets larger than interface MTU, or returns EMSGSIZE to sendto() call if the DF bit was set on the socket.
>
> However, for non-TCP sockets, MacOS doesn't react on received ICMP Fragmentation needed. PMTU discovery is only available for TCP and I have it enabled:
>
> net.inet.tcp.path_mtu_discovery: 1

So how does MacOS deal with intermediate routers that can only handle
1492? This is a very common scenario for PPPoE-based DSL connections,
and since it's not "a local interface" it would have to handle the ICMPs
somehow.

I know that Linux can directly return the ICMP errors to the userland
socket (which no other platform supports, alas) - but Linux will also
put "packet too big" ICMPs into a route cache, so the next sendto() call
can do the fragmentation / EMSGSIZE return right away, not having to
wait for the incoming ICMP packet. Doesn't MacOS have a comparable mechanism?

> Thus approach implemented by OpenVPN Connect doesn't work at all on MacOS and results in blackholing of non-TCP packets larger than mssfix.

I do wonder why. MacOS needs to deal with MTU steps "on the path",
otherwise things would break more often. So there should not be a
fundamental difference here.

(I do agree that taking the --mssfix option and causing something else
not related to MSS is surprising at least, and not very logical - I can't
fix it, though, as I'm only working on OpenVPN 2.x)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
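
The Linux behaviour described in the message above (DF set on a UDP socket, sendto() failing right away with EMSGSIZE, the kernel's stored path MTU readable by the application), as an added example that is not part of the original e-mail or of OpenVPN. The numeric socket-option values are the Linux ones, the function names are hypothetical, and loopback is used as a constructed offline setup; it does not read the ICMP error queue.

```python
import errno
import socket

# Linux values from <linux/in.h>; not every Python version exports them.
IP_MTU_DISCOVER = 10
IP_PMTUDISC_DO = 2           # always set DF, never fragment locally
IP_MTU = 14                  # kernel's current path MTU (connected sockets only)
IPV4_UDP_OVERHEAD = 20 + 8   # IPv4 header without options + UDP header


def open_df_socket(host, port):
    """Connected UDP socket that sends with DF set (Linux only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_DO)
    s.connect((host, port))
    return s


def path_mtu(sock):
    """Path MTU the kernel currently holds for this socket's destination."""
    return sock.getsockopt(socket.IPPROTO_IP, IP_MTU)


def send_df(sock, payload):
    """Return ("sent", n) or ("too_big", largest_payload_that_fits)."""
    try:
        return ("sent", sock.send(payload))
    except OSError as exc:
        if exc.errno != errno.EMSGSIZE:
            raise
        # Refused locally, before any packet left the host: size the retry.
        fit = min(path_mtu(sock), 65535) - IPV4_UDP_OVERHEAD
        return ("too_big", fit)


def demo():
    # Constructed offline setup: a receiver bound on loopback.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    tx = open_df_socket("127.0.0.1", rx.getsockname()[1])
    with rx, tx:
        small = send_df(tx, b"x" * 100)
        # A payload as large as the MTU cannot fit once headers are added.
        big = send_df(tx, b"x" * path_mtu(tx))
    return small, big


if __name__ == "__main__":
    print(demo())
```

On a real path, a received "fragmentation needed" ICMP lowers the value that IP_MTU returns for that destination, so the same EMSGSIZE branch then fires for datagrams that fit the local interface but not the path.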