Hi there

I'm on an "openvpn optimization drive" (i.e. it's all working great and I'm trying to squeeze more greatness out of it) and reading the Internet (took a while ;-) leads me to a confused state on the usefulness of "fragment".

There are several postings by long-term openvpn gurus who seem to lead their diagnostics of other people's openvpn connectivity problems with "remove the fragment option". I, on the other hand, have found that I have NEVER got openvpn-over-udp to work without it! It looks to me like it cannot even get through the initial negotiation phase without fragment being enabled at both ends (I use 1400 - but that's just a lazy guess that works).

In fact, I just did a related test. I removed "fragment" from the server and only set it on the client - end result, NO CONNECTION. Put that one line back (identical fragment values of course) and it all works again.

So I have two questions.

1. It looks to me like fragment is always needed for UDP. If so, shouldn't that be declared more strongly (maybe even error-ing on configs without it)?

2. Shouldn't both ends negotiate the fragment option and both ends should use the *smallest* value (or maybe "fragment automatic" as an option to achieve it), so that the server can have it disabled, and the client (where fragmentation issues are vastly more variable) can control it? However, my test makes me think that maybe even openvpn negotiation can create packets big enough to break negotiation? (i.e. that option has to pre-date the initial connection)

I know some people may come back with comments about there being "something" on our network that is screwing with things, but that's the point - I know everything about our server on our work network and everything about (say) my client laptop on my home network - but there's a vast range of "Internet" between the two that I know nothing about, so it's not worth mentioning ;-)

Thanks!

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
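The one-sided test described in the message (fragment on the client only gave no connection, identical values on both ends worked) can be caught before deployment by comparing the two config files. This is an added example, not part of the original post or of OpenVPN itself; the sample configs, the hostname and the function names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the original message).
SERVER_CONF = """\
port 1194
proto udp
dev tun
# fragment 1400   <- removed on the server, as in the one-sided test
"""
CLIENT_CONF = """\
client
proto udp
remote vpn.example.com 1194
fragment 1400
"""

def parse_directives(text):
    """Return {directive: [args]} for an OpenVPN config, skipping # and ; comments."""
    out = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            out[name.lstrip("-")] = args  # last occurrence wins
    return out

def fragment_size(conf):
    """Fragment value as an int, or None when the option is absent."""
    args = conf.get("fragment")
    return int(args[0]) if args else None

def check_pair(server_text, client_text):
    """Compare the fragment setting on both ends of a UDP tunnel."""
    srv, cli = parse_directives(server_text), parse_directives(client_text)
    # OpenVPN uses UDP when no proto line is present.
    protos = [c.get("proto", ["udp"])[0] for c in (srv, cli)]
    if not all(p.startswith("udp") for p in protos):
        return ["not a UDP pair: fragment check skipped"]
    s, c = fragment_size(srv), fragment_size(cli)
    if (s is None) != (c is None):
        side = "server" if s is None else "client"
        return [f"fragment set on one end only (missing on {side})"]
    if s is not None and s != c:
        return [f"fragment values differ: server={s} client={c}"]
    return []

if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF))
```

An empty list means both ends agree, either both without fragment or both with the same value.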