Date: Mon, 05 Feb 2024 13:30:21 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 276838] ovpn(4) DCO module breaks SSH connectivity Message-ID: <bug-276838-7501-T31G4PnRa6@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-276838-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-276838-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D276838 Gert Doering <gert@greenie.muc.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gert@greenie.muc.de --- Comment #1 from Gert Doering <gert@greenie.muc.de> --- As discussed on IRC, there are good chances that this is MTU related. If `mssfix` is in use, this will cap TCP packet size to "small enough so outside UDP packets do not need to be fragmented". This works both sides, = so it's enough if one end does `mssfix`. As of today, kernel openvpn does not seem to support `mssfix`, so if *both* ends use DCO, no MSS manipulations are done, and you need to reduce interfa= ce MTU (`tun-mtu 1400`) to get the same effect. Now, why outside fragmentation breaks with IPv6 is another of these questio= ns - it shouldn't break, it is tested here in my FreeBSD 14 / DCO test scenario,= but for example `pf(4)` needed to be told to leave IPv6 fragments alone in earl= ier versions (not sure about 14). --=20 You are receiving this mail because: You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-276838-7501-T31G4PnRa6>