Home » Setting correct MTU for OpenVPN

Setting correct MTU for OpenVPN

  • by

Finding correct Setting correct MTU for OpenVPN and MSSFIX settings can really drive you batty. No really. It’s ridiculous how much trouble MTU settings can cause and how often people don’t realize that MTU is actually what’s causing the problem!

VPN connections can be sensitive to incorrect or low MTU set within your network, or on networks between you and your server. It is important that the correct MTU is set, to ensure fast and error-free VPN performance.

Symptoms of mistaken MTU

  • Incomplete page load of resources via HTTP over VPN
  • Slow VPN performance

TCP vs UDP for OpenVPN

Before we get to fixing our OpenVPN MTU issues, let’s first take a minute to recognize the difference between UDP and TCP. Trust me, this is really worth appreciation and it can have major impacts on your VPN’s average performance.

TCP is an acronym for Transmission Control Protocol. UDP is an acronym for User Datagram Protocol. While we’re no longer going to go into all of the gory element of variations between these protocols there are a few matters that are very vital to understand.

First, TCP creates a session between two gadgets and tests to make certain the packet used to be delivered. If the a reply is now not obtained inside the limits of the described TTL (time-to-live) the information will be retransmitted. This ensures shipping even over unstable connections.

UDP on the different hand is session-less. It sincerely fires a packet down the wire and hopes for the best. If the different give up by no means receives the information nothing happens, it is truly lost.

In the case of transmitting a file such as a phrase document, if a some of the data doesn’t arrive, the report will be corrupted and unreadable. In the case of streaming music, you’ll simply get some degraded sound best for a second. This is why most file transfers used TCP and most streaming makes use of UDP.

Understanding MTU

MTU is an acronym for Maximum Transmission Unit. Simply put, it defines the maximum size of a packet traversing the network. Anything better than this quantity have to be damaged into more than one packets. The default MTU for Ethernet is 1500 bytes. For two gadgets to communicate they want to recognize this number. If they transmit packets large than 1500 bytes the packets will be discarded with the aid of one of the community devices.

In the case of OpenVPN MTU settings, its necessary to comprehend that we’re tunneling records and that the VPN overhead is going to take away some of our MTU!

So here’s the trouble I right here all of the time: “My OpenVPN works pleasant for TCP traffic, however UDP site visitors is very buggy and solely works sometimes.” Why is this? Because TCP has many mechanisms to deal with networks and it will decrease its Maximum Segment Size (MSS) and attempt once more (retransmit). UDP being furnace and forget will in no way recognize there was once a trouble and simply hold firing these oversize packets into oblivion to be dropped via the VPN tunnel!

In my case this translated to SSH and web sessions working perfectly, however video streams and VoIP jogging over the tunnel would fail miserably, ensuing is stuttering and uneven video and audio.

Setting correct MTU for OpenVPN

click for zoom

Finding correct MTU

Discovering the correct MTU is very straightforward and can be achieved using ping, use the respective following commands (change www.devninja.net to suit)

for windows

ping -n 1 -l 1500 -f www.devninja.net

for Linux

ping -M do -s 1500 -c 1 www.devninja.net

for Mac OSX

ping -D -v -s 1500 -c 1 www.devninja.net

Once you have test and get time out. try decrease the 1500 value by 10 each time, until the ping succeeds. Once the ping succeeds, the value used is the MTU you should use.

Setting the MTU

OpenVPN requires a value called the MSS to be set. The MSS is the value for the MTU minus 40.

Eg. If your MTU is 1460, your MSS is 1420

MSS = MTU  - 40
MSS = 1460 - 40
MSS = 1420

To set the MSS for OpenVPN, in your OpenVPN configuration file (the file originally sent ending in .ovpn), add the following configuration line (replacing 1420 with the appropriate value).

mssfix 1420

Leave a Reply

Your email address will not be published.

14 + eleven =