0

I'm trying to see if I can access a particular type of switches over an OpenVPN connection. I have the following situation;

enter image description here

I can't access the management console of these type of switches, as they have bugs dealing with packet fragmentation and maximum packet size. The switches must be considered dumb and must be able to communicate assuming the packet fragment size of any incoming and outgoing message is always exactly 1,500 bytes. This happens to match the maximum size supported by the internet connection in between, so I'd like a solution without Jumbo Frames.

By default, openVPN will use packet fragmentation messages to tell the devices involved to limit their packet size to say 1,470 or whatever fits within the encapsulation. But these devices will simply ignore such things and keep sending (and expecting to receive, when getting POST requests) 1,500 byte TCP packets, ignoring the PMTUD requests.

Is there a way to modify or configure openVPN so that it will fragment and reassemble packets instead (I understand this will lower performance, but this is just a management network, so that is of little concern)? Then all the relevant bits of the network are under my control and I can get the device the packet size it wants.

OpenVPN configuration is notoriously terrible to use. What options do I set to what values to get this to work?

Improve this question
4
  • 1
    To be frank, it seems to me you are "making things up". (I mean like, it's just that you thought the reason is MTU-related.) The switch won't even be what deals with PMTUD. The server, which acts as the router between your "LAN" and the VPN network, is the host that is relevant. With the default configuration of OpenVPN, you shouldn't have any problem (at least not non-performance ones) as long as its "LAN" interface has an MTU that is no less than 1500, because the default tun MTU is 1500 as well, which means the de-encapsulated packet should not be larger than 1500 bytes anyway.
    – Tom Yan
    Commented Jun 20 at 14:49
  • The default tun mtu on some openvpn (2.4) is 1450, not 1500. Try changing the MTU in openvpn conf and if it doesn’t help also try clamping the MSS. The settings are: tun-mtu 1500, mssfix 1460. The MSS should be MTU-40. If that doesn’t help, while your VPN connection still allows to reach other resources behind the VPN, your issue is not MTU related. Note I don’t remember if you need to change the tun-mtu/fixmss on server only or both server and client, it’s been a while since I had to do that. Check the docs.
    – Robert Glonek
    Commented Jun 20 at 18:41
  • Note to both: I am trying to access a web interface on the switch over the VPN. Its webserver is not standards compliant, and has problems with MTU values other than 1500+, where it will actively refuse connections.
    – npr_se
    Commented Jun 24 at 13:57
  • @npr_se the thing is, using openvpn is not going to make the de-encapsulates packet has a size larger than 1500, and if it's a TCP SYN, the MSS would not be larger than 1460 either. Note that de-encapsulation occurs on the OpenVPN server before the packets from the clients get out of the tun interface of the server, let alone being IP forwarded to the switch. (So maybe the actual problem is, it would ignore the smaller MSS advertised by the client and stick to 1460 that is advertised by itself, while OpenVPN can't by default really handle such "large" replies from the webserver.)
    – Tom Yan
    Commented Jun 24 at 16:47

1 Answer 1

Reset to default
0

The correct approach, at least in one case, appeared to be the following:

  1. Ping the target switch with packets of various sizes using the do-not-fragment bit (the -f option) until you find the largest size, name this x.
  2. Configure tun-mtu x; mssfix x-40;

I can't provide a detailed explanation why this works, only that it (in some cases) did.

Improve this answer
2
  • So, since you are talking about a specific webserver on a specific device (are you?), what's the x you end up getting? Because with at least recent versions of OpenVPN, the tun-mtu is 1500 by default, and when it is the case (on the client), programs / the OS should be advertising an MSS of 1460 in SYNs. (I admit that I don't know if OpenVPN would by default "fix"/lower the MSS even if you don't specify any mssfix in your client conf.) Also, what do you mean by "cases"?
    – Tom Yan
    Commented Jun 24 at 16:35
  • Usually about x=1470 is the highest number that a packet got through unfragmented. Setting tun-mtu 1470; mssfix 1430 did the trick. That worked for all devices on that network. Didn't work on some other network, but that also had VLAN tags added in, which were applied 'behind' the VPN connection, still preventing me from accessing the switch..
    – npr_se
    Commented Jun 26 at 8:55

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .