Hi,

   At this point I am not going to change anything and risk people getting mad at me :-). The VPN is working properly everywhere except for rogers on LTE. So I am using 3G, and it is working properly.  IPV6 has been disabled by Rogers. Not too terrible.

On 10/17/18 06:25, Jan Just Keijser wrote:
On 15/10/18 16:53, Kristian McColm wrote:
Re: [Openvpn-users] iphone7 with keynote

Hi Frank,

Did you try :

link-mtu 1440

or lower on the server config, and removing other MTU/MSS related settings? This made it work for me. What Rogers are doing is forcing your handset back to dual-stacked mode so that the connection will be over native IPv4 instead of 6to4 (NAT64) which will make it work again, but you should probably be thinking about enabling native IPv6 on your VPN anyway right?

In 99 out of a 100 cases you do not (should not!) want to mess with tun-mtu or link-mtu.
If your provider screws up UDP traffic then you should first try
  fragment 1400
  mssfix
before attempting anything else - that way, the default MTU is left intact but the OpenVPN data traffic is broken into smaller fragments.

If that does not work, then try getting a tcpdump log on both client and server side, to see which packets are mangled and/or dropped.

HTH,

JJK


*From:*Frank [mailto:ve2...@ve2cii.com]
*Sent:* October 15, 2018 09:39
*To:* openvpn-users@lists.sourceforge.net
*Subject:* Re: [Openvpn-users] iphone7 with keynote

    Hi Everyone,

    Here is an update for this issue.

  I have upgraded the openvpn server to 2.4.6.  I upgraded all the client vpn's to 2.4.6. I then called Rogers for the 2 phones.  They confirmed there is an issue with vpn in general and IPV6.  Their solution was to first redo my phone config on their server. Now 3G openvpn works properly on my phone. LTE still does not work. At least it is a start. The next thing they said they are going to do is to remove our 2 phones from the IPV6 configuration which takes 48 hrs. I am going to wait a couple of days and
see what happens.
    So basically Rogers changed the config on their end and I changed nothing, and it is working
on 3G.

On 9/26/18 11:05, Gregory Sloop wrote:

    I don't have time to walk you through all the details and
    troubleshoot - but while 1440 might be a good choice, I'd
    probably pick something like 1400 or even 1380. As I've said a
    few times - if you pick an MTU of 1440 and you really needed
    1339, it won't work. But if you pick 1400 and it could have been
    as big as 1440 it will still work, with *slightly* less efficient
    through-put of useable data.

    Picking exactly 1440, trying one MTU and giving up, seems pretty
    counter-productive. [There are some tutorials on testing and
    picking the optimal MTU, a Google search might be useful.
    However, IME, picking something a bit smaller than your tested
    optimal MTU helps should something else occur that reduces the
    MTU further in a different/new connection.]

    Test several MTU sizes; I tend to vary them by say 20 bytes each try.

    [TLDR; I'd rather have my MTU 100 bytes too small than 1 byte too
    large - because one byte too large will probably fail and 100
    bytes too small will still work [while being slightly less
    efficient than the maximum.]

    Good luck!


    *F>     I am unable to compile 2.4.6.  I had compiled 2.4.4 but
    it would not
    F> run.
    F> I just tried setting the link-mtu to 1440 with 2.0.9 on the
    server and that
    F> did not work. I was able to connect but still server errors
    when trying
    F> to surf. Plus it
    F> gave me inconsistant mtu errors in the log.

    F> On 9/26/18 10:42, Gert Doering wrote:
    >> HI,

    >> On Wed, Sep 26, 2018 at 10:13:09AM -0400, Frank wrote:
    >>>       The server has an IPV6 address, and it is dual stack.
     I am not
    >>> sure if openvpn was compiled
    >>> with ipv6 support. It is openvpn-2.0.9.  Let me see what I
    can do.
    >> If you run openvpn 2.0.9 on the *server*, you should upgrade.

    >> Like, yesterday...

    >> Current release is 2.4.6.  More modern cipher support
    (AES-GCM), much
    >> better IPv6 support (inside and outside the tunnel), a number
    of security
    >> issues fixed, ...

    >> gert



    F> _______________________________________________
    F> Openvpn-users mailing list
    *F> Openvpn-users@lists.sourceforge.net
    <mailto:Openvpn-users@lists.sourceforge.net>
    F> https://lists.sourceforge.net/lists/listinfo/openvpn-users
    <https://lists.sourceforge.net/lists/listinfo/openvpn-users>

    /--
    Gregory Sloop, Principal: Sloop Network & Computer Consulting
    Voice: 503.251.0452 x82
    EMail: /gr...@sloop.net <mailto:gr...@sloop.net>
    http://www.sloop.net
    /--- /





_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to