> Hi, I'd thoroughly test this with protocols like Google's QUIC, which uses UDP
> underneath. How does it respond to such ICMP messages? What does it do to
> throughput?

I tested sending ICMP "destination unreachable/fragmentation needed" with Chrome as QUIC client, and it turns out that it falls back to TCP if MTU is less than 1378 (IP header + UDP header + QUIC packet 1350).

In Wireshark I observed:

  quic client hello -> icmp dest unreachable -> quic connection close

1350 seems to be a maximum (as well as minimum) packet size, it doesn't get bigger than that, see
https://groups.google.com/a/chromium.org/forum/#!topic/proto-quic/uKWLRh9JPCo

> you seem to be talking about the mssfix size, whereas I am talking about the
> tun-mtu size. When you add
>   link-mtu 1500
>   ncp-disable
> (and no fragment or mssfix)
> to a server config file, an OpenVPN 2.4 server starts up using
>   openvpn 2.4.6 -> mtu = 1379
> whereas an OpenVPN 2.3 server starts with
>   openvpn 2.3.18 -> mtu = 1431
> To me, this difference is inexplicable and annoying.
>
> (see the mail thread titled "Overhead TUN vs TAP mode" on Openvpn-users).

I think this is caused by the "Add server-side support for cipher negotiation" patch
https://github.com/OpenVPN/openvpn/commit/a17aa98180319f34c3240aea617bf8114d0bcaf7#diff-ecafa727f56e9ae02ef3b19924c46f24R2334

    /* Compute MTU parameters (postpone if we push/pull options) */
    if (c->options.pull || c->options.mode == MODE_SERVER)
    {
        /* Account for worst-case crypto overhead before allocating buffers */
        frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
    }
    else
    {
        crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
                                       options->replay, packet_id_long_form);
    }

In 2.3 we always adjusted frame parameters according to the actual cipher (else branch). We probably should not account for maximum overhead if ncp-disable is set, so the following patch seems to make things better (I got 1443 on a server and 1440 on a client).

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d24634cc..c1c951b3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -2715,7 +2715,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); /* Compute MTU parameters (postpone if we push/pull options) */ - if (c->options.pull || c->options.mode == MODE_SERVER) + if (c->options.pull || (c->options.mode == MODE_SERVER && c->options.ncp_enabled)) { /* Account for worst-case crypto overhead before allocating buffers */ frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead()); -- -Lev
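Review bot: the new condition `(c->options.mode == MODE_SERVER && c->options.ncp_enabled)` makes the worst-case reservation conditional on NCP, but the comment kept as the next context line (`/* Account for worst-case crypto overhead before allocating buffers */`) and the `/* Compute MTU parameters (postpone if we push/pull options) */` comment above the `if` still describe the unconditional behaviour; reword them to say the reservation is only taken while the cipher is still to be negotiated (client pulling options, or server with NCP enabled). The patch as pasted also carries no commit message; the reasoning from the mail (2.3 always sized the frame from the actual cipher, and with ncp-disable the server's cipher is fixed at startup) belongs in it, together with the observed 1443/1440 figures. On correctness, the else branch now reached by an ncp-disabled server sizes from `c->c1.ks.key_type`, and the context line `packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);` shows that key type is already initialised at this point, so the fallback path uses valid cipher parameters.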
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
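The following is an added illustration, not code from this thread or from OpenVPN: a small Python model of the tun-mtu budgeting the thread argues about. It mirrors the branch changed in the patch (clients that pull options, and servers with NCP enabled, reserve the worst case across all ciphers; everyone else reserves only what the configured cipher needs) and then checks whether a QUIC packet of the size reported above (1350 bytes plus IP and UDP headers, 1378 total) still fits. The per-cipher overhead figures and the cipher names are assumed placeholders for the example and are not OpenVPN's real frame arithmetic, so the absolute numbers differ from the 1379/1431/1443 values quoted in the mail; the shape of the difference is what the example shows.

```python
"""Toy model of OpenVPN tun-mtu budgeting (added example, not OpenVPN code).

All byte counts below are assumptions chosen for illustration; OpenVPN's
real frame computation (crypto_max_overhead, crypto_adjust_frame_parameters)
uses different, cipher-library-derived values.
"""

IPV4_HEADER = 20   # IPv4 header without options
UDP_HEADER = 8     # UDP header

# QUIC packet size observed in the thread: Chrome sends 1350-byte packets and
# falls back to TCP when the path cannot carry 1350 + 20 + 8 = 1378 bytes.
QUIC_PACKET = 1350
QUIC_MIN_MTU = QUIC_PACKET + IPV4_HEADER + UDP_HEADER

# Assumed per-cipher crypto overhead in bytes (packet-id + IV + tag/HMAC +
# block padding). Illustrative only, not taken from OpenVPN.
CIPHER_OVERHEAD = {
    "AES-128-GCM": 8 + 12 + 16,            # packet-id + IV + GCM tag
    "AES-256-CBC-SHA1": 8 + 16 + 20 + 16,  # packet-id + IV + HMAC + padding
}


def crypto_overhead(cipher: str, *, ncp_enabled: bool, mode: str, pull: bool) -> int:
    """Bytes reserved for crypto when sizing the tunnel frame.

    Mirrors the condition in the patch: if the cipher may still change
    (client pulling options, or server with NCP enabled) reserve the worst
    case over every cipher; otherwise reserve exactly the configured
    cipher's overhead, which is what OpenVPN 2.3 always did.
    """
    if pull or (mode == "server" and ncp_enabled):
        return max(CIPHER_OVERHEAD.values())
    return CIPHER_OVERHEAD[cipher]


def tun_mtu(link_mtu: int, cipher: str, *, ncp_enabled: bool, mode: str, pull: bool) -> int:
    """Payload MTU left for the tun device given a link-mtu budget."""
    reserved = crypto_overhead(cipher, ncp_enabled=ncp_enabled, mode=mode, pull=pull)
    return link_mtu - IPV4_HEADER - UDP_HEADER - reserved


def quic_fits(tun_mtu_value: int) -> bool:
    """True if a 1350-byte QUIC packet plus IP/UDP headers fits the tun MTU,
    i.e. the client will not hit the fallback observed with Chrome."""
    return tun_mtu_value >= QUIC_MIN_MTU


if __name__ == "__main__":
    for label, kwargs in {
        "2.4 server, ncp enabled": dict(ncp_enabled=True, mode="server", pull=False),
        "2.4 server, ncp-disable": dict(ncp_enabled=False, mode="server", pull=False),
        "client pulling options": dict(ncp_enabled=True, mode="client", pull=True),
    }.items():
        mtu = tun_mtu(1500, "AES-128-GCM", **kwargs)
        print(f"{label:26s} tun-mtu={mtu} quic_fits={quic_fits(mtu)}")
```

The point the model makes explicit is that the worst-case branch costs exactly `max(overhead) - overhead(configured cipher)` bytes of tunnel MTU for every connection, whether or not negotiation can ever change the cipher; with a fixed cipher and ncp-disable that reservation buys nothing.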