Opened 5 years ago

Last modified 13 months ago

#375 new Feature Wish

Improve MTU behavior

Reported by: amluto Owned by:
Priority: major Milestone:
Component: Networking Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:


Current behavior with respect to MTU seems suboptimal. It mostly works for TCP (due to all kinds of magic related to mssfix), but it's problematic for everything else.

Currently, if mtu-disc is "yes", then an openvpn tunnel is a PMTU blackhole. (This is arguably a real bug, not just a feature request.) If mtu-disc is "maybe", then openvpn will send fragmented UDP packets if the encapsulated packet is too large and doesn't compress enough, which sucks

Here are a few thoughts for improving the situation.

  1. Add an option to respect the DF bit. If openvpn receives a packet that (in the worst case) would cause the encapsulated packet to be too large, then openvpn should drop it and generate an ICMP error. This might be a bit tricky to get completely right, especially on non-Linux platforms. Even on Linux, I'm not sure how easy it is to tell *which* UDP packet was dropped due to being too large. On the other hand, generating ICMP errors only for packets that would exceed the current estimated link mtu would probably be good enough for most uses, especially if openvpn were to send a very large ping at startup to bootstrap the PMTU discovery process.
  1. Automatically set the tunnel MTU. On Linux, at least, this could even be done dynamically. Even without dynamically changing the tunnel MTU, openvpn could quickly estimate link MTU at startup and get the tunnel MTU right most of the time. This way, at least when the tunnel MTU is right, PMTU discovery inside the VPN would work correctly.

If either of these options ends up working well, then turning them on (and possibly using mtu-disc=yes) might be a sensible default. This could remove any need to fiddle with tun-mtu, link-mtu, fragment, etc. (OK, this is a slight lie -- if the determined MTU is low enough that the implied tunnel MTU < 576 (IIRC), then fragment mode would have to be enabled to get a usable link.)

Change History (2)

comment:1 Changed 4 years ago by Samuli Seppänen

Component: Generic / unclassifiedNetworking
Version: 2.2.2git master branch

comment:2 Changed 13 months ago by mmokrejs

See also bug #1001.

Note: See TracTickets for help on using tickets.