Opened 3 years ago

Last modified 17 months ago

#1398 assigned Bug / Defect

wintun head/tail value is over capacity

Reported by: Joemadden1989
Owned by: stipa
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.5.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: wintun
Cc:

Description

Our VPN connection is using wintun, but it does not work - no traffic passes.

2021-04-07 11:37:10 us=895201 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-04-07 11:37:10 us=895201 Current Parameter Settings:
2021-04-07 11:37:10 us=895201 config = 'SVD_AT_RA.ovpn'
2021-04-07 11:37:10 us=895201 mode = 0
2021-04-07 11:37:10 us=895201 show_ciphers = DISABLED
2021-04-07 11:37:10 us=895201 show_digests = DISABLED
2021-04-07 11:37:10 us=895201 show_engines = DISABLED
2021-04-07 11:37:10 us=895201 genkey = DISABLED
2021-04-07 11:37:10 us=895201 genkey_filename = '[UNDEF]'
2021-04-07 11:37:10 us=895201 key_pass_file = '[UNDEF]'
2021-04-07 11:37:10 us=895201 show_tls_ciphers = DISABLED
2021-04-07 11:37:10 us=895201 connect_retry_max = 0
2021-04-07 11:37:10 us=895201 Connection profiles [0]:
2021-04-07 11:37:10 us=895201 proto = udp
2021-04-07 11:37:10 us=895201 local = '[UNDEF]'
2021-04-07 11:37:10 us=895201 local_port = '[UNDEF]'
2021-04-07 11:37:10 us=895201 remote = 'coles.25.hatms.co.uk'
2021-04-07 11:37:10 us=895201 remote_port = '1194'
2021-04-07 11:37:10 us=895201 remote_float = DISABLED
2021-04-07 11:37:10 us=895201 bind_defined = DISABLED
2021-04-07 11:37:10 us=895201 bind_local = DISABLED
2021-04-07 11:37:10 us=895201 NOTE: --mute triggered...
2021-04-07 11:37:10 us=895201 281 variation(s) on previous 20 message(s) suppressed by --mute
2021-04-07 11:37:10 us=895201 OpenVPN 2.5.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 24 2021
2021-04-07 11:37:10 us=895201 Windows version 10.0 (Windows 10 or greater) 64bit
2021-04-07 11:37:10 us=895201 library versions: OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10
Enter Management Password:
2021-04-07 11:37:10 us=895201 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25368
2021-04-07 11:37:10 us=895201 Need hold release from management interface, waiting...
2021-04-07 11:37:11 us=395513 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25368
2021-04-07 11:37:11 us=504619 MANAGEMENT: CMD 'state on'
2021-04-07 11:37:11 us=504619 MANAGEMENT: CMD 'log all on'
2021-04-07 11:37:11 us=582549 MANAGEMENT: CMD 'echo all on'
2021-04-07 11:37:11 us=582549 MANAGEMENT: CMD 'bytecount 5'
2021-04-07 11:37:11 us=582549 MANAGEMENT: CMD 'hold off'
2021-04-07 11:37:11 us=582549 MANAGEMENT: CMD 'hold release'
2021-04-07 11:37:13 us=691939 MANAGEMENT: CMD 'password [...]'
2021-04-07 11:37:13 us=691939 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-04-07 11:37:13 us=691939 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-04-07 11:37:13 us=691939 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-04-07 11:37:13 us=691939 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2021-04-07 11:37:13 us=691939 MANAGEMENT: >STATE:1617791833,RESOLVE
2021-04-07 11:37:13 us=723375 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-04-07 11:37:13 us=723375 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-07 11:37:13 us=723375 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-07 11:37:13 us=723375 TCP/UDP: Preserving recently used remote address: [AF_INET]82.71.233.57:1194
2021-04-07 11:37:13 us=723375 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-04-07 11:37:13 us=723375 UDP link local: (not bound)
2021-04-07 11:37:13 us=723375 UDP link remote: [AF_INET]####:1194
2021-04-07 11:37:13 us=723375 MANAGEMENT: >STATE:1617791833,WAIT

2021-04-07 11:37:13 us=741728 MANAGEMENT: >STATE:1617791833,AUTH
2021-04-07 11:37:13 us=741728 TLS: Initial packet from [AF_INET]####:1194, sid=dca5563f 1f2e4af8
2021-04-07 11:37:13 us=817068 VERIFY OK: ###
2021-04-07 11:37:13 us=817068 VERIFY OK: ###
2021-04-07 11:37:13 us=817068 VERIFY KU OK
2021-04-07 11:37:13 us=817068 Validating certificate extended key usage
2021-04-07 11:37:13 us=817068 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-04-07 11:37:13 us=817068 VERIFY EKU OK
2021-04-07 11:37:13 us=817068 VERIFY OK: depth=0 ####
2021-04-07 11:37:13 us=957802 #### Peer Connection Initiated with [AF_INET]82.71.233.57:1194
2021-04-07 11:37:15 us=76336 MANAGEMENT: >STATE:1617791835,GET_CONFIG

2021-04-07 11:37:15 us=76336 SENT CONTROL ####: 'PUSH_REQUEST' (status=1)
2021-04-07 11:37:15 us=97911 PUSH: Received control message: 'PUSH_REPLY,route 10.51.4.0 255.255.255.128,route 10.53.4.0 255.255.255.128,route 10.57.4.0 255.255.255.128,route 10.57.5.0 255.255.255.128,route 10.59.78.1,topology net30,ping 10,ping-restart 120,ifconfig 10.59.78.6 10.59.78.5,peer-id 0,cipher AES-256-GCM'
2021-04-07 11:37:15 us=97911 OPTIONS IMPORT: timers and/or timeouts modified
2021-04-07 11:37:15 us=97911 OPTIONS IMPORT: --ifconfig/up options modified
2021-04-07 11:37:15 us=97911 OPTIONS IMPORT: route options modified
2021-04-07 11:37:15 us=97911 OPTIONS IMPORT: peer-id set
2021-04-07 11:37:15 us=97911 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-04-07 11:37:15 us=97911 OPTIONS IMPORT: data channel crypto options modified
2021-04-07 11:37:15 us=97911 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-04-07 11:37:15 us=97911 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
2021-04-07 11:37:15 us=97911 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-04-07 11:37:15 us=97911 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-04-07 11:37:15 us=97911 interactive service msg_channel=628
2021-04-07 11:37:15 us=97911 ROUTE_GATEWAY 138.104.152.254/255.255.0.0 I=26 HWADDR=54:bf:64:87:6d:d2
2021-04-07 11:37:15 us=97911 open_tun
2021-04-07 11:37:15 us=113548 Ring buffers registered via service
2021-04-07 11:37:15 us=113548 wintun device [Local Area Connection 2] opened
2021-04-07 11:37:15 us=113548 do_ifconfig, ipv4=1, ipv6=0
2021-04-07 11:37:15 us=113548 MANAGEMENT: >STATE:1617791835,ASSIGN_IP,,10.59.78.6
2021-04-07 11:37:15 us=113548 INET address service: add 10.59.78.6/30
2021-04-07 11:37:15 us=113548 IPv4 MTU set to 1500 on interface 75 using service
2021-04-07 11:37:15 us=113548 MANAGEMENT: >STATE:1617791835,ADD_ROUTES
2021-04-07 11:37:15 us=113548 C:\WINDOWS\system32\route.exe ADD 10.51.4.0 MASK 255.255.255.128 10.59.78.5
2021-04-07 11:37:15 us=144633 Route addition via service succeeded
2021-04-07 11:37:15 us=144633 C:\WINDOWS\system32\route.exe ADD 10.53.4.0 MASK 255.255.255.128 10.59.78.5
2021-04-07 11:37:15 us=160140 Route addition via service succeeded
2021-04-07 11:37:15 us=160140 C:\WINDOWS\system32\route.exe ADD 10.57.4.0 MASK 255.255.255.128 10.59.78.5
2021-04-07 11:37:15 us=175778 Route addition via service succeeded
2021-04-07 11:37:15 us=175778 C:\WINDOWS\system32\route.exe ADD 10.57.5.0 MASK 255.255.255.128 10.59.78.5
2021-04-07 11:37:15 us=175778 Route addition via service succeeded
2021-04-07 11:37:15 us=175778 C:\WINDOWS\system32\route.exe ADD 10.59.78.1 MASK 255.255.255.255 10.59.78.5
2021-04-07 11:37:15 us=191400 Route addition via service succeeded
2021-04-07 11:37:15 us=191400 Initialization Sequence Completed
2021-04-07 11:37:15 us=191400 MANAGEMENT: >STATE:1617791835,CONNECTED,SUCCESS,10.59.78.6,82.71.233.57,1194

2021-04-07 11:37:25 us=482783 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=482783 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:25 us=501785 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=501785 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:25 us=717841 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=717841 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:25 us=740846 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=740846 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:25 us=967909 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=967909 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:25 us=980913 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=980913 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:26 us=458040 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:26 us=458040 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:26 us=461038 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:26 us=461038 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:27 us=422435 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:27 us=422435 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:27 us=437808 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:27 us=437808 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:29 us=333273 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:29 us=333273 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:29 us=428153 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:29 us=428153 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:33 us=178431 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:33 us=178431 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:33 us=365649 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:33 us=365649 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:40 us=919327 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:40 us=919327 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:41 us=521171 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:41 us=521171 write to TUN/TAP : No error (code=0)

client
dev tun
windows-driver wintun
proto udp
auth SHA512
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 4
explicit-exit-notify 2
keepalive 10 120
mute 20
remote-random
####################################################################
#
# User configured bits go here
#
# Edit this section to specify where you keep keys and certificates
#
# Change the name of the certificate & key files to match your
# e-mail address as shown for the e-mail address
# eamonn.patton@…
tls-auth "C:\\Users\\mad56570\\openvpn\\svdatra\\svdatra_ta.key" 1
pkcs12 "C:\\Users\\mad56570\\openvpn\\svdatra\\Joe.Madden-svdalertingtoolra.p12"
####################################################################
#
# Uncomment the remote statement depending on your access need
# Remove the "#" from the start of the line with the remote statement on it
#
remote #### 1194
#SWRCC
remote #### 1194

Tap works fine; not quite sure what the issue here is.

Change History (4)

comment:1 Changed 3 years ago by Joemadden1989

The "write_wintun(): head/tail value is over capacity" message only starts when I try to ssh/ping a remote endpoint; until this point openvpn thinks everything is okay.
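
A log check for the symptom described in this comment, added here as an example and not part of the ticket or of OpenVPN: it flags a session whose management state reports CONNECTED,SUCCESS while write_wintun() is failing, which a health check based on the management state alone would miss. The sample lines are constructed from the log in the description, and the function names `parse` and `triage` are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, trimmed from the log lines quoted in this ticket.
SAMPLE_LOG = """\
2021-04-07 11:37:15 us=76336 MANAGEMENT: >STATE:1617791835,GET_CONFIG
Enter Management Password:
2021-04-07 11:37:15 us=191400 MANAGEMENT: >STATE:1617791835,CONNECTED,SUCCESS,10.59.78.6,82.71.233.57,1194
2021-04-07 11:37:25 us=482783 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=482783 write to TUN/TAP : No error (code=0)
2021-04-07 11:37:25 us=501785 write_wintun(): head/tail value is over capacity
2021-04-07 11:37:25 us=501785 write to TUN/TAP : No error (code=0)
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) us=(\d+) (.*)$")
RING_ERR = "write_wintun(): head/tail value is over capacity"

def parse(line):
    """Return (timestamp, message), or None for lines without a timestamp."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    # The us= field is not zero-padded (us=76336), so add it as an integer.
    return ts + timedelta(microseconds=int(m.group(2))), m.group(3)

def triage(log_text):
    """Flag a session that reports CONNECTED but cannot write to the adapter."""
    connected_at = first_err = None
    errors = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, msg = rec
        if ">STATE:" in msg and ",CONNECTED,SUCCESS," in msg:
            connected_at, first_err, errors = ts, None, 0  # new session starts
        elif RING_ERR in msg and connected_at is not None:
            errors += 1
            first_err = first_err or ts
    delay = (first_err - connected_at).total_seconds() if first_err else None
    return {"connected": connected_at is not None, "ring_errors": errors,
            "seconds_to_first_error": delay,
            "data_path_broken": connected_at is not None and errors > 0}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```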

comment:2 Changed 3 years ago by tct

This almost sounds like an MTU issue, try --tun-mtu 1400 or lower on both server and client.

comment:3 Changed 3 years ago by Gert Döring

Keywords: wintun added
Owner: set to stipa
Status: new → assigned
Version: OpenVPN 2.5.1 (Community Ed)

comment:4 Changed 17 months ago by Gert Döring

So, @stipa, is there something we can do about it? Or just recommend that users move to 2.6.0 and DCO?
