On 08/29/2014 07:10 PM, Jason Haar wrote:
> Hi there
>
> I'm on an "openvpn optimization drive" (ie it's all working great and
> I'm trying to squeeze more greatness out of it) and reading the Internet
> (took a while ;-) leads me to a confused state on the usefulness of
> "fragment".
>
> There are several postings by long-term openvpn gurus who seem to lead
> their diagnostics of other people's openvpn connectivity problems with
> "remove the fragment option". I, on the other hand, have found that I
> have NEVER got openvpn-over-udp to work without it! It looks to me like
> it cannot even get through the initial negotiation phase without
> fragment being enabled at both ends (I use 1400 - but that's just a lazy
> guess that works).
>
> In fact, I just did a related test. I removed "fragment" from the server
> and only set it on the client - end result, NO CONNECTION. Put that one
> line back (identical fragment values of course) and it all works again.
>
> So I have two questions.
>
> 1. It looks to me like fragment is always needed for UDP. If so,
> shouldn't that be declared more strongly (maybe even erroring on
> configs without it)?
> 2. Shouldn't both ends negotiate the fragment option and both ends
> should use the *smallest* value (or maybe "fragment automatic" as an
> option to achieve it), so that the server can have it disabled, and the
> client (where fragmentation issues are vastly more variable) can control
> it? However, my test makes me think that maybe even openvpn negotiation
> can create packets big enough to break negotiation (ie that option has
> to pre-date the initial connection).
>
> I know some people may come back with comments about there being
> "something" on our network that is screwing with things, but that's the
> point - I know everything about our server on our work network and
> everything about (say) my client laptop on my home network - but
> there's a vast range of "Internet" between the two that I know nothing
> about, so it's not worth mentioning ;-)
>
> Thanks!
My understanding of the TCP/IP fragment bit or flag is that packet fragmentation may be requested, but might not be allowable in some stacks. In those cases, an error is returned. At that point it needs to be decided what to do about it.

In my experience, if something in the path doesn't allow fragmentation and it is needed, the point where fragmentation is not allowed WILL silently discard packets. OS X comes to mind most strongly here.

Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
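The two behaviours discussed in this thread, application-layer fragmentation keeping every UDP datagram under a fixed size, and a path element that silently drops anything larger than its MTU, can be modelled in a few dozen lines. The following is an added illustration, not OpenVPN's code or wire format: the 4-byte reassembly header, the 28-byte IPv4+UDP overhead figure, the "use the smallest advertised value" negotiation rule Jason proposes, and the sample 3000-byte "handshake" payload are all constructed for this model.

```python
"""
Simplified model of application-layer datagram fragmentation and of a
path element that drops oversized packets. Added illustration for the
thread above; it is not OpenVPN's code or wire format. The 4-byte
reassembly header, the 28-byte IP+UDP overhead figure and the 'use the
smallest advertised value' rule are assumptions made for this model.
"""
import struct
from typing import List, Optional

# Constructed reassembly header: message id, fragment index, fragment count.
HEADER = struct.Struct("!HBB")
IP_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header (assumed, no options)


def negotiate_fragment(local: Optional[int], remote: Optional[int]) -> Optional[int]:
    """The negotiation proposed in the thread: both peers use the smallest
    fragment size either side advertised; None means neither side enables it."""
    advertised = [v for v in (local, remote) if v is not None]
    return min(advertised) if advertised else None


def fragment(msg_id: int, payload: bytes, max_datagram: int) -> List[bytes]:
    """Split payload into datagrams of at most max_datagram bytes, each
    carrying the reassembly header so the receiver can put it back together."""
    chunk = max_datagram - HEADER.size
    if chunk <= 0:
        raise ValueError("max_datagram leaves no room for payload")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    if len(pieces) > 255:
        raise ValueError("too many fragments for an 8-bit fragment count")
    return [HEADER.pack(msg_id, idx, len(pieces)) + p for idx, p in enumerate(pieces)]


def reassemble(datagrams: List[bytes]) -> Optional[bytes]:
    """Rebuild one message from its fragments; None if any fragment is missing."""
    pieces = {}
    expected = None
    for d in datagrams:
        _msg_id, idx, count = HEADER.unpack_from(d)
        expected = count
        pieces[idx] = d[HEADER.size:]
    if expected is None or len(pieces) != expected:
        return None
    return b"".join(pieces[i] for i in range(expected))


def path_filter(datagrams: List[bytes], path_mtu: int) -> List[bytes]:
    """Model of the silent black hole described in the reply: any datagram
    whose on-the-wire size exceeds the path MTU is discarded without notice."""
    return [d for d in datagrams if len(d) + IP_UDP_OVERHEAD <= path_mtu]


def transfer(payload: bytes, path_mtu: int, frag_size: Optional[int]) -> Optional[bytes]:
    """Send payload across a path with the given MTU. frag_size is the
    effective fragment size (None = fragmentation disabled, whole payload in
    one datagram). Returns what the receiver reconstructs, or None if lost."""
    if frag_size is None:
        arrived = path_filter([payload], path_mtu)
        return arrived[0] if arrived else None
    arrived = path_filter(fragment(1, payload, frag_size), path_mtu)
    return reassemble(arrived)


if __name__ == "__main__":
    handshake = b"H" * 3000  # constructed stand-in for a large handshake message
    for frag in (None, 1400):
        result = transfer(handshake, path_mtu=1500, frag_size=frag)
        print(f"fragment={frag}: {'delivered' if result == handshake else 'LOST'}")
    print("negotiated:", negotiate_fragment(None, 1400), negotiate_fragment(1400, 1300))
```

Running it shows the pattern both posters describe: a large message sent as one datagram over a 1500-byte path is lost without any error, while the same message split into 1400-byte pieces arrives intact. It also shows the failure mode that makes the "lazy guess" fragile: if the fragment size does not leave room for the IP and UDP headers on the smallest link in the path (for example fragment 1400 across a 1400-byte path MTU in this model), every piece is dropped and the transfer still fails silently. How OpenVPN's own --fragment value is measured against those headers is not modelled here; check the OpenVPN manual for the real definition before sizing it.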