From owner-freebsd-net@FreeBSD.ORG  Tue Sep 21 13:38:29 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BB32216A4CE
	for <freebsd-net@freebsd.org>; Tue, 21 Sep 2004 13:38:29 +0000 (GMT)
Received: from mail.geek.sh (decoder.geek.sh [196.36.198.81])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CF28743D45
	for <freebsd-net@freebsd.org>; Tue, 21 Sep 2004 13:38:27 +0000 (GMT)
	(envelope-from aragon@geek.sh)
Received: by mail.geek.sh (Postfix, from userid 1000)
	id 825BA24D14; Tue, 21 Sep 2004 15:38:25 +0200 (SAST)
Date: Tue, 21 Sep 2004 15:38:25 +0200
From: Aragon Gouveia <aragon@phat.za.net>
To: freebsd-net@freebsd.org
Message-ID: <20040921133825.GB37317@phat.za.net>
Mail-Followup-To: freebsd-net@freebsd.org
References: <20040920184431.GA89606@phat.za.net>
	<20040921084112.GA21160@phat.za.net> <414FEB86.5CA8694F@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <414FEB86.5CA8694F@freebsd.org>
User-Agent: Mutt/1.4i
X-Operating-System: FreeBSD 4.8-RELEASE-p1 i386
Subject: Re: Wierd tunnel+MTU issue
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Sep 2004 13:38:29 -0000

| By Andre Oppermann <andre@freebsd.org>
|                                          [ 2004-09-21 10:51 +0200 ]
> You are onto something.  It seems tcp_output() doesn't handle the error
> cases it gets from ip_output() all too well these days.  I suspect this
> is the same problem we have in kern/71184.  I'll look into it later today.

Andre, don't let me stop your bughunting, but I think I've found a nifty
workaround for now. :)

OpenVPN has an "mssfix" setting. (something vtun seems to lack)

It looks like it does nothing more than rewrite the MSS field of TCP SYN
packets that flow over the tunnel.  It is making things work now.  Here are
two tcpdump transcripts, one from each machine:

>From <host>:

15:20:01.440318 <host>.1580 > <notebook>.80: S 1953310673:1953310673(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 613304556 0> (DF) [tos 0x10]
15:20:01.628822 <notebook>.80 > <host>.1580: S 4026187601:4026187601(0) ack 1953310674 win 65535 <mss 1328,nop,wscale 1,nop,nop,timestamp 337184221 613304556> (DF)


>From <notebook>:

15:20:01.603596 <host>.1580 > <notebook>.80: S 1953310673:1953310673(0) win 57344 <mss 1328,nop,wscale 0,nop,nop,timestamp 613304556 0> (DF) [tos 0x10] 
15:20:01.603771 <notebook>.80 > <host>.1580: S 4026187601:4026187601(0) ack 1953310674 win 65535 <mss 1452,nop,wscale 1,nop,nop,timestamp 337184221 613304556> (DF)


Notice the altered MSS after it's passed through the tunnel.

The above example was performed after increasing the tunnel interface's MTU
to 1412 as well (I felt like experimenting further).  So far so good. 
Everything that was broken prior to this change is now working.

In case anyone else has this problem, here are the settings I added to my
openvpn config:

link-mtu 1456
mssfix 1412

The mssfix setting should only need to be set on one of the VPN end-points,
but setting it on both shouldn't break anything (I think).  I increased
link-mtu just for the sake of maybe getting better performance.  If you
decide to stick with OpenVPN's default MTU you'll probably need an mssfix
value of about 1200.


Regards,
Aragon