OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

[REGRESSION] MTU is not set correctly #562

Status: Closed. ildar closed this 1 month ago.

ildar commented 1 month ago

Describe the bug: upgrading from 2.5.6 to 2.6.10 showed the regression: the MTU is set to 1500. With 2.5 it was set to 14xx (correct).

To Reproduce

$  pkexec /usr/sbin/openvpn --config /tmp/1.conf 
2024-05-31 10:50:40 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-31 10:50:40 OpenVPN 2.6.10 x86_64-alt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
2024-05-31 10:50:40 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-05-31 10:50:40 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password: ********                
2024-05-31 10:50:44 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2024-05-31 10:50:44 UDPv4 link local: (not bound)
2024-05-31 10:50:44 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
2024-05-31 10:50:44 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2024-05-31 10:50:44 [xx.xx.xx.xx] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
2024-05-31 10:50:44 TUN/TAP device tun0 opened
2024-05-31 10:50:44 /usr/bin/ip link set dev tun0 up mtu 1500
2024-05-31 10:50:44 /usr/bin/ip link set dev tun0 up
2024-05-31 10:50:44 /usr/bin/ip addr add dev tun0 local 10.10.99.10 peer 10.10.99.9
...



Additional context: I usually run the tunnel with NetworkManager.

schwabe commented 1 month ago

Please provide a log at verb 4. I suspect that your server is also running mtu 1500 and the client simply now inherits the same MTU as the server to avoid mismatched MTU on client and server.

ildar commented 1 month ago

ov.log.txt

ildar commented 1 month ago

Yes, this is true. The server has MTU=1500. But that's wrong, AFAIK.

ildar commented 1 month ago

The server's config also doesn't set the MTU implicitly; see config: vtun99.conf.txt

schwabe commented 1 month ago

The default for the tun MTU is 1500. Since 2.6.x the tun MTU is pushable, and the client will try to match whatever MTU the server has/pushes; that is what is happening in your setup. If you want a lower MTU, add something like tun-mtu 1400 to your server configuration.

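As an added illustration of the answer above (example configuration written for this page, not taken from the issue or from the OpenVPN project), a server/client pair that addresses the two things visible in the thread: the server's tun MTU, which a 2.6 client adopts, is set explicitly instead of left at the 1500 default, and the client enables the server-certificate check whose absence the "No server certificate verification method has been enabled" warning in the log reports. The 10.10.99.0/24 range and port 1194 come from the log; the file names, the 1400 value and the `server` addressing mode are assumptions.

```conf
# --- server side: the tun MTU set here is what a 2.6 client will adopt ---
# Assumed: file names and the server/subnet directive; port and range from the log.
dev tun
proto udp
port 1194
server 10.10.99.0 255.255.255.0
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
# Without this line the tun MTU defaults to 1500 and the 2.6 client ends up
# at 1500 too, as in this issue. The on-wire UDP packet is this size plus
# OpenVPN, UDP and IP overhead, so keep it below the path MTU minus that overhead.
tun-mtu 1400   # assumed value; pick one that fits the real path MTU

# --- client side ---
client
dev tun
proto udp
remote xx.xx.xx.xx 1194   # address elided in the log; left as-is
ca   ca.crt
cert client.crt
key  client.key
# Clears the warning seen in the log: only accept a server certificate that
# carries the TLS server extended key usage, so a client cert cannot impersonate it.
remote-cert-tls server
# Log level that was requested in the thread for diagnosing MTU negotiation.
verb 4
# Only needed if the server-supplied MTU must be overridden locally (assumed value).
# tun-mtu 1400
```

With this pair in place, the `ip link set dev tun0 up mtu ...` line in the client log should show the server's value rather than 1500, and the MITM warning no longer appears at startup.
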
ildar commented 1 month ago

I see. But why doesn't the server's openvpn set the MTU to a reasonable value? Is it fixed since 2.6.0?