Am 01.04.21 um 14:37 schrieb Gert Doering: > Hi, > > On Thu, Apr 01, 2021 at 02:16:25PM +0200, Antonio Quartulli wrote: >>> (Of course it makes lots of sense to defer this to iptables etc. on >>> all platforms that have DCO *and* a reasonable firewall layer... dco-win >>> will be interesting) >> >> Features that are not compatible with DCO are being documented in the >> code as we go. >> >> If you try to explicitly use one of those with DCO, openvpn2 will log a >> big warning and will tell you that it is switching to non-DCO mode to >> make sure your connection can work. > > Which is actually interesting for mssfix, as that is "on by default", > so "all configs are incompatible with DCO", by that definition :-)
Yes. With DCO we currently discovering that the OpenVPN way of doing things with MTU set to 1500, doing mssfix and hoping that this will clamp everything to 1450-overhead, while working quite well has a lot of problems compared to just setting a proper MTU in the first case. Currently setting tun-mtu 1400 manually workaround these problems but we need to figure out a good way to solve this MTU mess. The current working idea is to allow MTU 1500 on receive but use a correct MTU on receive and on the interface (at least on platforms where you can receive larger packets than MTU). But currently we are just on the "we are aware of it" stage. And too busy with other things to actually tackle that too right now. Arne _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
