merge master

Signed-off-by: Marek Küthe <m.k@mk16.de>
This commit is contained in:
Marek Küthe 2023-01-04 18:22:48 +01:00
commit 15deb9e4c8
No known key found for this signature in database
GPG Key ID: 7E869146699108C7
2 changed files with 53 additions and 1 deletions

View File

@ -103,9 +103,20 @@ The last thing to configure now is to rise the interface up when fastd starts (a
Fastd can provide a tunnel with `multitap` mode on layer 2 or a tunnel with `tun` mode on layer 3. Note that the fatsd has 20 bytes less overhead when using tun. Fastd can provide a tunnel with `multitap` mode on layer 2 or a tunnel with `tun` mode on layer 3. Note that the fatsd has 20 bytes less overhead when using tun.
### A peer is not publicly reachable ### MTU
The default MTU of a fastd tunnel is 1500 bytes. However, this can be problematic if the Internet uplink also has an MTU of 1500 or less. In this case IP fragmentation can occur. This is usually something you want to avoid.
To calculate the appropriate MTU, you must first calculate the fastd overhead:
The default overhead is 28. If the `null` method is used, add 1, if the `null@l2tp` method is used, add 8, and for all other methods, add 24. If TAP is used instead of TUN, add 14. If the tunnel is established over IPv6, add 20.
Now calculate the MTU of the uplink (often 1500) minus the number you just calculated and you get the MTU that must be used in the fastd tunnel.
You can configure this with the parameter `mtu`:
```
mtu <mtu>;
```
Replace `<mtu>` with the calculated number.
You can either write this statement in the configuration file. Then it applies to all configured peers. Alternatively, you can put it in the `peer` block on a per-peer basis.
### Starting and maintaining the daemon ### Starting and maintaining the daemon
@ -123,3 +134,8 @@ Run `systemctl start fastd@crxn` to bring up the tunnel
Run `systemctl stop fastd@crxn` to bring down the tunnel Run `systemctl stop fastd@crxn` to bring down the tunnel
To enable the systemd unit on startup run `systemctl enable fastd@crxn` To enable the systemd unit on startup run `systemctl enable fastd@crxn`
## Further links
- [fastd documentation](https://fastd.readthedocs.io/en/stable/)
- [fastd mtu documentation](https://fastd.readthedocs.io/en/stable/manual/mtu.html)

View File

@ -71,6 +71,41 @@ For example, if a keepalive signal is to be sent every 20ms and the peer is to b
keepalive 20 120 keepalive 20 120
``` ```
### MTU
OpenVPN uses an MTU of 1500 in the tunnel by default. The problem with this, however, is that most Internet connections also have an MTU of 1500. However, since the OpenVPN packets are both encapsulated and encrypted, the MTU must be lower than that of the Internet interface. If an MTU of 1500 is used in the tunnel, this will cause the OpenVPN packets to be larger than 1500 bytes, which is the MTU of the Internet interface. This leads to IP packet fragmentation. Fragmentation is again something that you generally want to prevent. Therefore it is necessary to adjust the MTU in OpenVPN manually.
OpenVPN has provided two flags for this purpose. However, one flag is deprecated since version 2.6 and should therefore no longer be used. The other flag is `tun-mtu`. With this flag you can adjust the MTU of the tunnel interface. However, this must be determined beforehand. For this you can send pings with different sized payloads in the tunnel and see if the OpenVPN packet gets fragmented.
To intercept fragmented IP packets with `tcpdump`, you can use the following command (only works for IPv4):
```
tcpdump -i <interface> '((ip[6:2] > 0) and (not ip[6] = 64))'
```
You should replace `<interface>` with the name of the Internet interface.
If you cannot detect fragmented packets via this command, you can modify tcpdump to filter every packet with the OpenVPN port. Use the flag `-v`. You will then recognize the fragmented packets by a `[+]` or the word `frag`:
```
tcpdump -i <interface> port <rport> or port <lport> -v
```
After that you can use the following command to determine the MTU.
```
ping <ip> -M do -s <payload>
```
Replace `<ip>` with the IP of the peer in the tunnel. `-M do` ensures that the ping packets are not fragmented. Replace `<payload>` with the size of the payload in bytes. Often the desired size is between 1300 and 1400. Now you adjust the size so that the OpenVPN packet fragments. You then reduce the size of the payload until there is no more fragmentation.
To get the size of the non-fragmented package you can use tcpdump:
```
tcpdump -i <ovpn> icmp or icmp6
```
Replace <ovpn> with the OpenVPN interface. The `echo request` should have `length <len>` at the end, where `<len>` is the length you are looking for. Now you can add the IP headers to it. This is 40 bytes for IPv6 and 20 bytes for IPv4.
This is then the size of the packet you transferred that was not fragmented. Therefore you can use this value as MTU:
```
tun-mtu <value>
```
This argument must be specified on both sides. If the circumstances of the connection, such as the protocol used, change, the MTU must be adjusted again. Since an IPv4 packet is smaller than an IPv6 packet, it is recommended that the OpenVPN connection is established over IPv4 if possible.
## Automatic start with systemd ## Automatic start with systemd
If you save the OpenVPN configuration under `/etc/openvpn/<filename>.conf`, you can use systemd to start the OpenVPN connection or set an automatic start: If you save the OpenVPN configuration under `/etc/openvpn/<filename>.conf`, you can use systemd to start the OpenVPN connection or set an automatic start:
@ -85,3 +120,4 @@ systemctl enable openvpn@<filename>
- [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/) - [Reference manual for OpenVPN 2.6](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/)
- [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn) - [dn42 OpenVPN Guide](https://dn42.dev/howto/openvpn)
- [Optimizing OpenVPN Throughput](https://hamy.io/post/0003/optimizing-openvpn-throughput/)