From 5dc59893f4fc8869d90dffeb081dab5ae3873878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Wed, 4 Jan 2023 11:27:29 +0100 Subject: [PATCH 1/4] add docs for manually adjusting mtu MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/openvpn.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md index 786bad5..71c5e83 100644 --- a/docs/tunneling/openvpn.md +++ b/docs/tunneling/openvpn.md
@@ -71,6 +71,41 @@ For example, if a keepalive signal is to be sent every 20ms and the peer is to b keepalive 20 120 ``` +### MTU + +OpenVPN uses an MTU of 1500 in the tunnel by default. The problem with this, however, is that most Internet connections also have an MTU of 1500. However, since the OpenVPN packets are both encapsulated and encrypted, the MTU must be lower than that of the Internet interface. If an MTU of 1500 is used in the tunnel, this will cause the OpenVPN packets to be larger than 1500 bytes, which is the MTU of the Internet interface. This leads to IP packet fragmentation. Fragmentation is again something that you generally want to prevent. Therefore it is necessary to adjust the MTU in OpenVPN manually. + +OpenVPN has provided two flags for this purpose. However, one flag is deprecated since version 2.6 and should therefore no longer be used. The other flag is `tun-mtu`. With this flag you can adjust the MTU of the tunnel interface. However, this must be determined beforehand. For this you can send pings with different sized payloads in the tunnel and see if the OpenVPN packet gets fragmented. + +To intercept fragmented IP packets with `tcpdump`, you can use the following command (only works for IPv4): +``` +tcpdump -i '((ip[6:2] > 0) and (not ip[6] = 64))' +``` +You should replace `` with the name of the Internet interface. +If you cannot detect fragmented packets via this command, you can modify tcpdump to filter every packet with the OpenVPN port. Use the flag `-v`. You will then recognize the fragmented packets by a `[+]` or the word `frag`: +``` +tcpdump -i port or port -v +``` + +After that you can use the following command to determine the MTU. +``` +ping -M do -s +``` +Replace `` with the IP of the peer in the tunnel. `-M do` ensures that the ping packets are not fragmented. Replace `` with the size of the payload in bytes. Often the desired size is between 1300 and 1400. Now you adjust the size so that the OpenVPN packet fragments. 
You then reduce the size of the payload until there is no more fragmentation. + +To get the size of the non-fragmented package you can use tcpdump: +``` +tcpdump -i icmp or icmp6 +``` +Replace with the OpenVPN interface. The `echo request` should have `length ` at the end, where `` is the length you are looking for. Now you can add the IP headers to it. This is 40 bytes for IPv6 and 20 bytes for IPv4. + +This is then the size of the packet you transferred that was not fragmented. Therefore you can use this value as MTU: +``` +tun-mtu +``` + +This argument must be specified on both sides. If the circumstances of the connection, such as the protocol used, change, the MTU must be adjusted again. Since an IPv4 packet is smaller than an IPv6 packet, it is recommended that the OpenVPN connection is established over IPv4 if possible. + ## Automatic start with systemd If you save the OpenVPN configuration under `/etc/openvpn/.conf`, you can use systemd to start the OpenVPN connection or set an automatic start: From 94ea94276b01f53963910eb1f36027eba257a27f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Wed, 4 Jan 2023 11:49:08 +0100 Subject: [PATCH 2/4] add docs for fastd mtu and add reference links MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/fastd.md | 18 ++++++++++++++++++ docs/tunneling/openvpn.md | 1 + 2 files changed, 19 insertions(+) diff --git a/docs/tunneling/fastd.md b/docs/tunneling/fastd.md index a4c5ebc..b767c89 100644 --- a/docs/tunneling/fastd.md +++ b/docs/tunneling/fastd.md 
@@ -100,6 +100,19 @@ Now we need to fill in the peer details of the node you are connecting to: The last thing to configure now is to rise the interface up when fastd starts (as it normally doesn't rise it for you), all occurences of `` here should match the one in the `interface ;` declaration as shown earlier. +### MTU + +The default MTU of a fastd tunnel is 1500 bytes. However, this can be problematic if the Internet uplink also has an MTU of 1500 or less. In this case IP fragmentation can occur. This is usually something you want to avoid. + +To calculate the appropriate MTU, you must first calculate the fastd overhead: +The default overhead is 28. If the `null` method is used, add 1, if the `null@l2tp` method is used, add 8, and for all other methods, add 24. If TAP is used instead of TUN, add 14. If the tunnel is established over IPv6, add 20. +Now calculate the MTU of the uplink (often 1500) minus the number you just calculated and you get the MTU that must be used in the fastd tunnel. +You can configure this with the parameter `mtu`: +``` +mtu ; +``` +Replace `` with the calculated number. + ### Starting and maintaining the daemon You can then start the daemon as follows: @@ -116,3 +129,8 @@ Run `systemctl start fastd@crxn` to bring up the tunnel Run `systemctl stop fastd@crxn` to bring down the tunnel To enable the systemd unit on startup run `systemctl enable fastd@crxn` + +## Further links + +- [fastd documentation](https://fastd.readthedocs.io/en/stable/) +- [fastd mtu documentation](https://fastd.readthedocs.io/en/stable/manual/mtu.html) diff --git a/docs/tunneling/openvpn.md b/docs/tunneling/openvpn.md index 71c5e83..53a0a18 100644 --- a/docs/tunneling/openvpn.md +++ b/docs/tunneling/openvpn.md 
@@ -120,3 +120,4 @@ systemctl enable openvpn@ - [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/) - [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn) +- [Optimizing OpenVPN Throughput](https://hamy.io/post/0003/optimizing-openvpn-throughput/) From fa6b22326b4363006427ad69e4b56c7e97fb74ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Wed, 4 Jan 2023 12:09:34 +0100 Subject: [PATCH 3/4] fix typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/fastd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tunneling/fastd.md b/docs/tunneling/fastd.md index b767c89..6e240de 100644 --- a/docs/tunneling/fastd.md +++ b/docs/tunneling/fastd.md @@ -46,7 +46,7 @@ peer "" { remote "" port ; key ""; - interface "$INTERFACE"; + interface ""; float yes; } From 1a523e30834848be909b59c0cfebe2602d3ce06f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Wed, 4 Jan 2023 12:12:56 +0100 Subject: [PATCH 4/4] add hint where to place the mtu command for fastd tunnels MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/tunneling/fastd.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/tunneling/fastd.md b/docs/tunneling/fastd.md index 6e240de..89879b9 100644 --- a/docs/tunneling/fastd.md +++ b/docs/tunneling/fastd.md @@ -113,6 +113,8 @@ mtu ; ``` Replace `` with the calculated number. +You can either write this statement in the configuration file. Then it applies to all configured peers. Alternatively, you can put it in the `peer` block on a per-peer basis. + ### Starting and maintaining the daemon You can then start the daemon as follows:
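Review bot: the openvpn.md MTU hunk in patch 1 (`@@ -71,6 +71,41 @@`) gives no lower bound for `tun-mtu`. The `ping -M do -s` procedure yields whatever happens to fit, and on uplinks smaller than 1500 (PPPoE, a tunnel carried inside another tunnel) that can land below 1280, the IPv6 minimum link MTU; if IPv6 is routed through the tunnel the text should say that a result under 1280 cannot be used and that the uplink or the transport has to change instead. Two smaller points in the same hunk: `However, one flag is deprecated since version 2.6 and should therefore no longer be used.` never names the flag, so a reader cannot recognise it in an inherited config; either name it (the 2.6 reference manual is already linked at the end of the file) or drop the sentence and just say `tun-mtu` is the option to use. And the closing advice to prefer IPv4 transport because `an IPv4 packet is smaller than an IPv6 packet` rests on a 20-byte header difference (40 bytes versus 20); state it as a fact the reader can weigh, i.e. IPv6 transport costs 20 more bytes of tunnel MTU, so a value measured over one address family must be re-measured after switching to the other, rather than as a recommendation. Style point on the first tcpdump filter: `(ip[6:2] & 0x3fff) != 0` (more-fragments flag set or non-zero offset) is the usual idiom for "any fragment" and reads more clearly than excluding `ip[6] = 64`; since the hunk flags the filter as IPv4-only, it could add that the IPv6 equivalent is matching the fragment extension header with `ip6[6] = 44`.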
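Review bot: the fastd.md MTU hunk in patch 2 (`@@ -100,6 +100,19 @@`) asks the reader to add up overhead numbers without a worked result, and the sentence `However, this can be problematic if the Internet uplink also has an MTU of 1500 or less.` misstates the condition: fragmentation occurs whenever the uplink MTU is smaller than the tunnel MTU plus the fastd overhead, so an uplink slightly above 1500 is affected too. Suggest saying that the base of 28 is the IPv4 header (20) plus the UDP header (8), which makes the `add 20` rule for IPv6 transport self-explanatory (a 40-byte header replaces the 20-byte one), and closing the paragraph with one or two computed values, e.g. TUN, a default method and IPv4 transport over a 1500-byte uplink gives 1500 - (28 + 24) = 1448, while TAP over IPv6 gives 1500 - (28 + 24 + 14 + 20) = 1414. `you get the MTU that must be used` should read "the largest MTU you can use": anything lower also works, and a lower value is needed if the uplink itself is below 1500.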
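Review bot: in the patch 4 hunk (`@@ -113,6 +113,8 @@`), `You can either write this statement in the configuration file. Then it applies to all configured peers.` is ambiguous, because the `peer` blocks shown earlier in this file are also configuration, and the `either` has no matching `or`. Suggest: "You can either put this statement at the top level of the main fastd configuration file, outside any `peer` block, so that it applies to all configured peers, or put it inside a `peer` block to set it for that peer only."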