Hi,

On Tue, Sep 03, 2024 at 07:29:41PM +0200, Marian ??urkovi?? wrote:
> on MacOS, ICMP Fragmentation needed messages only work for TCP protocol.
> They are never delivered to any UDP application. For this reason, sending
> ICMP messages is useless for anything else than TCP on MacOS.

This is a curious statement to make.

If there is anything in your packet path that cannot handle 1500 byte packets (like, a 1492 byte PPPoE based Internet router), applications will receive ICMP frag required when sending 1500 byte packets, and will have to deal with them. And this is working mostly well (unless someone filters ICMP), completely unrelated to "OpenVPN".

So, bringing in OpenVPN - if you use 2.x, and configure "--tun-mtu 1400", this is EXACTLY what is happening - application generates a 1500 byte packet, operating system looks at the outgoing interface, sees 1400 byte MTU, and the OS will then generate said ICMP packet.

I agree that the decision by Connect to do "1500 byte MTU, but generate the ICMP itself" (instead of doing ifconfig with lower MTU) is somewhat questionable - but for the application, the net result should be the same - packet too big, ICMP message, deal with it.

If you accept 1500 byte packets into the tunnel, you'll end up with external fragmentation, which causes more issues overall (due to broken NAT routers, over-eager firewalls, anti-ddos boxes rate-limiting fragments, etc.).

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
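The "packet too big, ICMP message" step discussed in the message above, as an added example that is not part of the original mail and is not OpenVPN code: it builds the ICMP type 3 code 4 message (RFC 792 / RFC 1191 layout) for a DF-marked packet larger than the interface MTU, then parses it the way the sending host would to find the affected flow. The addresses, ports, IP ID and function names are constructed for the illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_udp(total_len: int, df: bool = True) -> bytes:
    """Constructed sample packet: IPv4 + UDP header + zero padding."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                      0x4000 if df else 0, 64, 17, 0,
                      bytes([10, 8, 0, 2]), bytes([192, 0, 2, 10]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    udp = struct.pack("!HHHH", 40000, 53, total_len - 20, 0)
    return hdr + udp + bytes(total_len - 28)

def frag_needed_reply(packet: bytes, mtu: int):
    """ICMP 'fragmentation needed' message for packet, or None if not due."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if total_len <= mtu:
        return None                      # fits the interface MTU
    if not flags_frag & 0x4000:
        return None                      # DF clear: fragment instead
    quoted = packet[:ihl + 8]            # IP header + first 8 payload bytes
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]

def parse_frag_needed(icmp: bytes):
    """Sender side: next-hop MTU plus the flow named by the quoted header."""
    mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return mtu, inner[9], sport, dport   # inner[9] is the IP protocol number

if __name__ == "__main__":
    reply = frag_needed_reply(build_ipv4_udp(1500), 1400)
    print(parse_frag_needed(reply))
```

The quoted inner header is what lets the sending host tie the error to a specific UDP or TCP flow; whether that information then reaches the application is up to the host's stack.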