Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 05 Feb 2024 13:30:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 276838] ovpn(4) DCO module breaks SSH connectivity
Message-ID:  <bug-276838-7501-T31G4PnRa6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-276838-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-276838-7501@https.bugs.freebsd.org/bugzilla/>

next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D276838

Gert Doering <gert@greenie.muc.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gert@greenie.muc.de

--- Comment #1 from Gert Doering <gert@greenie.muc.de> ---
As discussed on IRC, there are good chances that this is MTU related.

If `mssfix` is in use, this will cap TCP packet size to "small enough so
outside UDP packets do not need to be fragmented".  This works both sides, =
so
it's enough if one end does `mssfix`.

As of today, kernel openvpn does not seem to support `mssfix`, so if *both*
ends use DCO, no MSS manipulations are done, and you need to reduce interfa=
ce
MTU (`tun-mtu 1400`) to get the same effect.

Now, why outside fragmentation breaks with IPv6 is another of these questio=
ns -
it shouldn't break, it is tested here in my FreeBSD 14 / DCO test scenario,=
 but
for example `pf(4)` needed to be told to leave IPv6 fragments alone in earl=
ier
versions (not sure about 14).

--=20
You are receiving this mail because:
You are on the CC list for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-276838-7501-T31G4PnRa6>