Hello, I hope this question is appropriate for this list. I tried the openvpn-users list and did not get a response.
We use OpenVPN for router-to-router tunneling in a hub-and-spoke VPN deployment. We utilize the --fragment option to avoid IP-layer fragmentation.

Recently we encountered a use case in which it became desirable to pass the ToS byte from the inner IP payload to the OpenVPN IP header (we wish the outer IP header to inherit the ToS byte of the payload datagram). OpenVPN provides the --passtos option for this purpose, and when used without also implementing the --fragment option it works as advertised in our test lab.

However, when we implement --passtos and --fragment together, the ToS byte of the inner payload datagram is not copied directly to the OpenVPN IP header. For example, if 0xB8 is the ToS byte value in the original payload, then the OpenVPN IP header is 0xC0. I suspect that this issue is related to the 4-byte reservation incurred by exercising the --fragment option.

Is there anything we can do to enable us to use both options in conjunction?

Thanks,
frank