On Tue, Jul 23, 2024 at 08:51:19AM +0100, Tom Smyth wrote:
> Folks,
>
> As an ISP we often have to manage WANs for customers where we don't
> have access to customers' firewalls, and the customers expect full
> sized frames / packets across the WAN,
> the issue is when we used 3rd party networks with constrained MTUs,
> while we can adjust TCP MSS if we control the network devices putting
> packets across the VPN, this is not always possible,
>
> IP fragmentation (sometimes) works but it breaks load balancing
> (hashes of IP fragments do not match the hashes for original packet
> being sent), but sometimes is not good enough.
>
> Possible solutions which we have seen in other vendors
> MLPPP on L2TP / PPPoE with MRRU (Maximum Received Reconstructed Unit)
> which allowed for packet splitting outbound and reconstruction on
> inbound
>
> OpenVPN have UDP fragment option (which works by encapsulating a
> packet across 2 equal sized packets once the encapsulated packet would
> be greater than 1/2 the size of the Max UDP fragment), (packets would
> have the same size, same src & destination port and src and
> destination ip (so packet ordering / LACP load balancing path would be
> consistent or at least more consistent for those packets))
>
> OpenVPN & tap interface performance is not brilliant, so I'm hoping
> there is a kernel driver device that would allow
>
> I was wondering if anyone else ran into this issue and resolved it
> with an existing device driver in OpenBSD...
>

I run gif tunnels over ipsec with MTU 1500 and the stack just does the
fragmentation. Not sure if the performance of that is much better than
OpenVPN.

-- 
:wq Claudio
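
The load-balancing point in the quoted message, as an added example that is not part of either post: a small Python model comparing the fields a layer-3+4 hash can read on each packet when a UDP-encapsulated datagram is IPv4-fragmented versus split into equal pieces that are each sent as a complete UDP datagram. The addresses, ports, the 1400-byte path MTU and the rule that a device falls back to addresses and protocol when no UDP header is present are assumptions chosen for illustration.

```python
import math

IP_HDR, UDP_HDR, UDP = 20, 8, 17   # IPv4 header (no options), UDP header, protocol number

def ip_fragments(udp_payload, mtu):
    """(offset, length) of each IPv4 fragment of one UDP datagram."""
    total = UDP_HDR + udp_payload
    chunk = (mtu - IP_HDR) // 8 * 8          # fragment offsets count 8-byte units
    return [(off, min(chunk, total - off)) for off in range(0, total, chunk)]

def tunnel_split(inner_len, mtu):
    """Sizes of near-equal pieces, each carried in its own complete UDP datagram."""
    room = mtu - IP_HDR - UDP_HDR            # payload that fits without fragmenting
    n = math.ceil(inner_len / room)
    base, extra = divmod(inner_len, n)
    return [base + (1 if i < extra else 0) for i in range(n)]

def l34_key(src, dst, sport, dport, has_l4=True):
    """Fields a layer-3+4 hash can read; ports exist only where the UDP header is.
    Assumed fallback: addresses and protocol only when the header is absent."""
    return (src, dst, UDP, sport, dport) if has_l4 else (src, dst, UDP)

def keys_ip_fragmentation(flow, udp_payload, mtu):
    # Only the fragment at offset 0 carries the UDP header.
    return [l34_key(*flow, has_l4=(off == 0))
            for off, _ in ip_fragments(udp_payload, mtu)]

def keys_tunnel_split(flow, inner_len, mtu):
    # Every piece is a whole datagram with the same addresses and ports.
    return [l34_key(*flow) for _ in tunnel_split(inner_len, mtu)]

# Constructed tunnel endpoints (documentation addresses) and ports.
FLOW = ("192.0.2.1", "198.51.100.1", 1194, 1194)

if __name__ == "__main__":
    print("unfragmented :", l34_key(*FLOW))
    print("IP fragments :", keys_ip_fragmentation(FLOW, 1500, 1400))
    print("tunnel split :", keys_tunnel_split(FLOW, 1500, 1400))
```

Devices that ignore ports on every fragment, including the first, still give fragments a different hash input from the flow's unfragmented packets, which is the mismatch the quoted message describes.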