From: J W. <jw....@gm...> - 2012-08-15 10:22:18
Is there a method to troubleshoot mtu settings or is it just trial and error by lowering the mtu?
Does the client mtu setting take priority over the server mtu settings?
I am trying to browse video and websites through the VPN but it is very slow and stutters a lot:

Wed Aug 15 11:09:37 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Wed Aug 15 11:09:37 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'

From: David S. <ope...@to...> - 2012-08-15 10:51:16
On 15/08/12 12:22, J Webster wrote:
> Is there a method to troubleshoot mtu settings or is it just trial
> and error by lowering the mtu? Does the client mtu setting take
> priority over the server mtu settings? I am trying to browse video
> and websites through the VPN but it is very slow and stutters a
> lot:
> Wed Aug 15 11:09:37 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
> Wed Aug 15 11:09:37 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'

If you read the man page properly, you see there is a feature in
OpenVPN called --mtu-test

kind regards,

David Sommerseth

From: J W. <jw....@gm...> - 2012-08-15 12:16:06
I added fragmentation and mssfix but cannot browse any internet via the VPN.

client
dev tun
proto udp
remote 84.xxx.xxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert name.crt
key name.key
comp-lzo
verb 3
;link-mtu 1472
fragment 1400
mssfix
;mtu-test

Wed Aug 15 13:09:36 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 15 13:09:36 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Aug 15 13:09:36 2012 Re-using SSL/TLS context
Wed Aug 15 13:09:36 2012 LZO compression initialized
Wed Aug 15 13:09:36 2012 Control Channel MTU parms [ L:1546 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Aug 15 13:09:36 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 15 13:09:36 2012 Data Channel MTU parms [ L:1546 D:1400 EF:46 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Aug 15 13:09:36 2012 Fragmentation MTU parms [ L:1546 D:1400 EF:45 EB:135 ET:1 EL:0 AF:3/1 ]
Wed Aug 15 13:09:36 2012 Local Options hash (VER=V4): 'c086e1aa'
Wed Aug 15 13:09:36 2012 Expected Remote Options hash (VER=V4): '8e7959c7'
Wed Aug 15 13:09:36 2012 UDPv4 link local: [undef]
Wed Aug 15 13:09:36 2012 UDPv4 link remote: 84.xxx.xxx.xx:1194
Wed Aug 15 13:09:36 2012 TLS: Initial packet from 84.xxx.xxx.xx:1194, sid=0d745bf4 7653f4d5
Wed Aug 15 13:09:38 2012 VERIFY OK: depth=1, /C=FR/ST=FR/L=Paris/O=MySiteFR/CN=MySiteFR_CA/emailAddress=ai...@My...
Wed Aug 15 13:09:38 2012 VERIFY OK: depth=0, /C=FR/ST=FR/L=Paris/O=MySiteFR/CN=MySite.eu/emailAddress=ai...@My...
Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1574'
Wed Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Wed Aug 15 13:09:45 2012 WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
Wed Aug 15 13:09:45 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 15 13:09:45 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 15 13:09:45 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 15 13:09:45 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 15 13:09:45 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Aug 15 13:09:45 2012 [MySite.eu] Peer Connection Initiated with 84.xxx.xxx.xx:1194
Wed Aug 15 13:09:47 2012 SENT CONTROL [MySite.eu]: 'PUSH_REQUEST' (status=1)
Wed Aug 15 13:09:47 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 213.171.192.249,dhcp-option DNS 213.171.192.245,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: route options modified
Wed Aug 15 13:09:47 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Aug 15 13:09:47 2012 Preserving previous TUN/TAP instance: Local Area Connection 10
Wed Aug 15 13:09:47 2012 Initialization Sequence Completed

On 15/08/2012, David Sommerseth <ope...@to...> wrote:
> On 15/08/12 12:22, J Webster wrote:
>> Is there a method to troubleshoot mtu settings or is it just trial
>> and error by lowering the mtu? Does the client mtu setting take
>> priority over the server mtu settings? I am trying to browse video
>> and websites through the VPN but it is very slow and stutters a
>> lot:
>> Wed Aug 15 11:09:37 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
>> Wed Aug 15 11:09:37 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
>
> If you read the man page properly, you see there is a feature in
> OpenVPN called --mtu-test
>
> kind regards,
>
> David Sommerseth

From: Andy W. <aw...@aa...> - 2012-08-15 13:40:40
-----Original Message-----
>From: J Webster [mailto:jw....@gm...]
>Sent: August-15-12 8:16 AM
>To: David Sommerseth
>Cc: openvpn-users
>Subject: Re: [Openvpn-users] how to troubleshoot mtu settings
>
>I added fragmentation and mssfix but cannot browse any internet via the VPN.
>
>client
>dev tun
>proto udp
..
>fragment 1400
>mssfix

One more thing, the "fragment xxxx" should apply to both sides, server's config and client's config, and they should use the same value.

Regards,
Andy

From: David S. <ope...@to...> - 2012-08-15 15:33:55
You also haven't fixed these issues still ...

On 15/08/12 14:15, J Webster wrote:
> Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1574'
> Wed Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
> Wed Aug 15 13:09:45 2012 WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'

You need to use either --link-mtu or --tun-mtu on both sides and set it
to the proper size on *both* server and client. Then you can start
playing with --fragment and --mssfix.

These warnings might very well explain why browsing the Internet doesn't
work via the VPN.

kind regards,

David Sommerseth

From: Andy W. <aw...@aa...> - 2012-08-15 13:40:42
-----Original Message-----
From: J Webster [mailto:jw....@gm...]
Sent: August-15-12 8:16 AM
To: David Sommerseth
Cc: openvpn-users
Subject: Re: [Openvpn-users] how to troubleshoot mtu settings

I added fragmentation and mssfix but cannot browse any internet via the VPN.

client
dev tun
proto udp
remote 84.xxx.xxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert name.crt
key name.key
comp-lzo
verb 3
;link-mtu 1472
fragment 1400
mssfix
;mtu-test

On 15/08/2012, David Sommerseth <ope...@to...> wrote:
> On 15/08/12 12:22, J Webster wrote:
>> Is there a method to troubleshoot mtu settings or is it just trial
>> and error by lowering the mtu? Does the client mtu setting take
>> priority over the server mtu settings? I am trying to browse video
>> and websites through the VPN but it is very slow and stutters a
>> lot:
>> Wed Aug 15 11:09:37 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
>> Wed Aug 15 11:09:37 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
>
> If you read the man page properly, you see there is a feature in
> OpenVPN called --mtu-test
>
> kind regards,
>
> David Sommerseth

Please try the "magic number" - fragment 1300. ( works for me. )

Regards,
Andy

From: David S. <ope...@to...> - 2012-08-15 16:27:37
On 15/08/12 15:28, Andy Wang wrote:
> On 15/08/2012, David Sommerseth <ope...@to...> wrote:
> On 15/08/12 12:22, J Webster wrote:
>>>> Is there a method to troubleshoot mtu settings or is it just
>>>> trial and error by lowering the mtu? Does the client mtu
>>>> setting take priority over the server mtu settings? I am
>>>> trying to browse video and websites through the VPN but it is
>>>> very slow and stutters a lot:
>>>> Wed Aug 15 11:09:37 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
>>>> Wed Aug 15 11:09:37 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
>
> If you read the man page properly, you see there is a feature in
> OpenVPN called --mtu-test
>
> kind regards,
>
> David Sommerseth
>
> Please try the "magic number" - fragment 1300. ( works for me. )
>

But that does still not solve this issue, which is actually more
important to fix:

> Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1574'
> Wed Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'

If the MTU values are not correct, even though a lower --fragment
value might help, this MTU trouble might stab you in the back later on
in another scenario.

Rule of thumb when it comes to solving OpenVPN issues:

* Fix all warnings in the log before doing anything else *

Those warnings are there for a reason, and if you don't fix them, it
will most likely hurt you later on.

kind regards,

David Sommerseth

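The rule of thumb above, applied to the client log posted earlier in this thread, as an added example that is not part of any poster's message: a small Python triage of OpenVPN `WARNING:` lines. The function names are hypothetical, and the sample input is constructed from log lines quoted in the thread.

```python
import re

# Constructed sample: lines taken from the client log quoted in this thread.
SAMPLE_LOG = """\
Wed Aug 15 13:09:36 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 15 13:09:36 2012 LZO compression initialized
Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1574'
Wed Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Wed Aug 15 13:09:45 2012 WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
Wed Aug 15 13:09:47 2012 Initialization Sequence Completed
"""

MISMATCH = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>\d+)', remote='(?P=opt) (?P<remote>\d+)'")
ONE_SIDED = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is present in (?P<side>local|remote) config "
    r"but missing in (?:local|remote) config")
NO_VERIFY = "WARNING: No server certificate verification method"


def triage(log_text):
    """Return one finding dict per WARNING line, in log order."""
    findings = []
    for line in log_text.splitlines():
        if "WARNING:" not in line:
            continue
        m = MISMATCH.search(line)
        if m:
            local, remote = int(m["local"]), int(m["remote"])
            findings.append({"kind": "mismatch", "option": m["opt"],
                             "local": local, "remote": remote,
                             "delta": remote - local})
            continue
        m = ONE_SIDED.search(line)
        if m:
            findings.append({"kind": "one-sided", "option": m["opt"],
                             "only_in": m["side"]})
        elif NO_VERIFY in line:
            findings.append({"kind": "no-server-cert-verification"})
        else:
            text = line.split("WARNING:", 1)[1].strip()
            findings.append({"kind": "other", "text": text})
    return findings


def is_clean(log_text):
    """True only when the log has no warnings left to fix."""
    return not triage(log_text)
```

On the thread's log this returns four findings; the first is the server-certificate verification warning, which the log itself links to http://openvpn.net/howto.html#mitm and which falls under the same rule even though it is unrelated to MTU.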
From: J W. <jw....@gm...> - 2012-08-15 17:17:13
>> Please try the "magic number" - fragment 1300. ( works for me. )
>>
> But that does still not solve this issue, which is actually more
> important to fix:
>
>> Wed Aug 15 13:09:45 2012 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1546', remote='link-mtu 1574'
>> Wed Aug 15 13:09:45 2012 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
> If the MTU values are not correct, even though a lower --fragment
> value might help, this MTU trouble might stab you in the back later on
> in another scenario.
>
> Rule of thumb when it comes to solving OpenVPN issues:
>
> * Fix all warnings in the log before doing anything else *
>
> Those warnings are there for a reason, and if you don't fix them, it
> will most likely hurt you later on.
>
>
> kind regards,
>
> David Sommerseth
>

I ran openvpn --mtu-test --dev tun0 but it doesn't output anything to do with mtu settings.
I then changed the server.conf and added mtu-test, but even after 3 mins there is nothing in the logs showing mtu settings.
The clients connect but I'm wondering if the routing on the server is not permitting pages to be viewed?
It should be forwarded correctly using:

net.ipv4.ip_forward = 1
sysctl -p
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

From: J W. <jw....@gm...> - 2012-08-15 17:23:24
> * Fix all warnings in the log before doing anything else *
>
> Those warnings are there for a reason, and if you don't fix them, it
> will most likely hurt you later on.
>
> kind regards,
>
> David Sommerseth

I get this in the server.log now:

Wed Aug 15 19:18:05 2012 namecert/86.xx.xx.xxx:1678 Replay-window backtrack occurred [2]