From patchwork Fri Jun 24 01:13:17 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2550
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 24 Jun 2022 13:13:17 +0200
Message-Id: <20220624111318.3219982-3-arne@rfc2549.org>
In-Reply-To: <20220624111318.3219982-1-arne@rfc2549.org>
References: <20220624111318.3219982-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2 3/4] Change default MTU in server mode to 1420 and push it to client

This changes the default MTU of the tun-mtu to 1420 to avoid MTU related issues that are even more prominent when DCO server or clients are involved. To maximise compatibility we lie about our MTU in the default OCC message and also push the real MTU to clients that support pushing the MTU.
Patch v2: improve documentation Signed-off-by: Arne Schwabe --- Changes.rst | 5 +++ doc/man-sections/vpn-network-options.rst | 44 +++++++++++++++++++----- src/openvpn/options.c | 31 +++++++++++++++-- src/openvpn/options.h | 1 + src/openvpn/push.c | 16 +++++++++ 5 files changed, 86 insertions(+), 11 deletions(-) diff --git a/Changes.rst b/Changes.rst index 67a23c792..98d6df60d 100644 --- a/Changes.rst +++ b/Changes.rst @@ -141,6 +141,11 @@ User-visible Changes - Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration - :code:`link_mtu` parameter is removed from environment or replaced with 0 when scripts are called with parameters. This parameter is unreliable and no longer internally calculated. +- the default of ``--tun-mtu`` has been changed to ``--tun-mtu 1420 1500`` when + running in server mode. This will create an MTU mismatch with older clients + (newer clients allow pushable mtu) but the most common server platforms + (Linux and FreeBSD) allow receiving 1500 byte packets even when tun-mtu is + set to 1420, still allowing larger packets from clients with 1500 byte MTU. Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 5b2f84707..26b37dc36 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -500,21 +500,47 @@ routing. arguments of ``--ifconfig`` to mean "address netmask", no longer "local remote". ---tun-mtu n - Take the TUN device MTU to be **n** and derive the link MTU from it - (default :code:`1500`). In most cases, you will probably want to leave - this parameter set to its default value. +--tun-mtu args + + Valid syntaxes: + :: + + tun-mtu tun-mtu + tun-mtu tun-mtu occ-mtu + + Take the TUN device MTU to be ``tun-mtu`` and derive the link MTU from it. + In most cases, you will probably want to leave this parameter set to + its default value. + + Starting with OpenVPN 2.6 when running server mode (``--mode server``, + ``--server``, or ``-server-ipv6`` options present in the configuration), + the default will be 1420 for the tun mtu size and 1500 for the ``occ-mtu``. + + The OCC MTU can be used to avoid warnings about mismatched MTU from + clients. If :code:`occ-mtu` is not specified, it will to default to the + tun-mtu. The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. OpenVPN requires that packets on the control and data channels be sent unfragmented. - MTU problems often manifest themselves as connections which hang during - periods of active usage. - - It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal - with MTU sizing issues. + A VPN protocol like OpenVPN adds encapsulation overhead in each packet. If a + VPN packet with the encapsulation becomes larger than the transport network + MTU (typically 1500 or 1492) the packet will become fragmented or completely + dropped. These problems can manifest themselves as connections which hang + during periods of active usage or slower performance. To avoid these problems + it is generally advisable to set the tun MTU small enough to avoid these + problems. The default of 1420 is chosen to be safe with default parameters + and a (transport) network MTU of 1492. 
+ + If lowering the tun MTU to avoid MTU related problems (e.g. when tap is used + and an MTU of 1500 is required), the ``--fragment`` and/or ``--mssfix`` + options can be also used to deal with MTU sizing issues. + + Note: Depending on the platform, the operating system allows to receive + packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms + (like macOS) limit received packets to the same size as the MTU. --tun-mtu-extra n Assume that the TUN/TAP device might return as many as ``n`` bytes more diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9a0634a5e..b30c05eba 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -814,6 +814,7 @@ init_options(struct options *o, const bool init_gc) o->status_file_version = 1; o->ce.bind_local = true; o->ce.tun_mtu = TUN_MTU_DEFAULT; + o->ce.occ_mtu = 0; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; o->ce.mssfix = 0; @@ -3031,6 +3032,16 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) if (!ce->tun_mtu_defined && !ce->link_mtu_defined) { ce->tun_mtu_defined = true; + if (o->mode == MODE_SERVER && dev != DEV_TYPE_TAP) + { + /* If we are running in P2MP mode we default to a MTU + * that is low enough by default to fit into a 1492 + * MTU UDP IPv6 packet: + * + */ + ce->tun_mtu = frame_calculate_default_mtu(o); + ce->occ_mtu = TUN_MTU_DEFAULT; + } } if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined) { @@ -4018,7 +4029,15 @@ options_string(const struct options *o, buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); - buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + if (o->ce.occ_mtu != 0) + { + buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu); + } + else + { + buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + } + buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); 
@@ -6262,11 +6281,19 @@ add_option(struct options *options, options->ce.link_mtu = positive_atoi(p[1]); options->ce.link_mtu_defined = true; } - else if (streq(p[0], "tun-mtu") && p[1] && !p[2]) + else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi(p[1]); options->ce.tun_mtu_defined = true; + if (p[2]) + { + options->ce.occ_mtu = positive_atoi(p[2]); + } + else + { + options->ce.occ_mtu = 0; + } } else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c2937dc37..1085a462a 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -118,6 +118,7 @@ struct connection_entry const char *socks_proxy_authfile; int tun_mtu; /* MTU of tun device */ + int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ int tun_mtu_extra; bool tun_mtu_extra_defined; diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 63257348a..8a396a82c 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -603,6 +603,22 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, { push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm"); } + + /* Push our mtu to the peer if it supports pushable MTUs */ + int client_max_mtu = 0; + const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc); + + if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1) + { + push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu); + if (client_max_mtu < o->ce.tun_mtu) + { + msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower " + "than MTU used on the server (%d). Add tun-max-mtu %d " + "to client configuration.", client_max_mtu, + o->ce.tun_mtu, o->ce.tun_mtu); + } + } return true; }
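Review bot: the Changes.rst entry says the new default "will create an MTU mismatch with older clients" but does not say that the OCC message still announces 1500, so older clients will not log the mismatch warning even though the effective MTUs differ; one sentence noting that the second ``--tun-mtu`` argument is the value announced in OCC would make the entry match the new option syntax. Also "the default of ``--tun-mtu``" should start with a capital letter like the neighbouring bullets.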
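Review bot: in the vpn-network-options.rst hunk the sentence "If lowering the tun MTU to avoid MTU related problems (e.g. when tap is used and an MTU of 1500 is required), the ``--fragment`` and/or ``--mssfix`` options can be also used" reads as if fragment/mssfix are for the case where you do lower the MTU, while the example describes the case where lowering is not possible; suggest "If lowering the tun MTU is not possible (e.g. when tap is used and an MTU of 1500 is required), the ``--fragment`` and/or ``--mssfix`` options can also be used". Smaller fixes in the same hunk: "-server-ipv6" is missing a dash, "it will to default to the tun-mtu" has a stray "to", "allows to receive" should be "allows receiving", and the "Valid syntaxes" block would be clearer as ``tun-mtu tun-mtu [occ-mtu]`` so the argument names are distinguished from the option name. The text also states the 1420 default applies "when running server mode" without mentioning that tap devices are excluded, which is what ``dev != DEV_TYPE_TAP`` in options.c implements.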
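Review bot: in the options_postprocess_mutate_ce() hunk the comment ends with "MTU UDP IPv6 packet:" followed by an empty comment line, so the colon introduces nothing; either drop it or state what it was meant to introduce (presumably the size calculation in frame_calculate_default_mtu(), which is not part of this patch and is assumed to come from an earlier patch in the series). It would also help to say in the same comment that occ_mtu is kept at TUN_MTU_DEFAULT deliberately so that pre-2.6 clients do not warn about an MTU mismatch, since a reader of options.c will not find that rationale anywhere else.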
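Review bot: in the options_string() hunk the ``tun-mtu`` field is now taken from o->ce.occ_mtu while the ``link-mtu`` field printed just above it is still computed from frame via calc_options_string_link_mtu(o, frame), i.e. from the real 1420 tun MTU; if that function derives link-mtu from the real frame, a pre-2.6 client will still see a ``link-mtu`` that differs from its own even though ``tun-mtu`` now matches, which defeats the purpose of the OCC value. Please confirm the link-mtu value is derived consistently with occ_mtu, or compute it from a frame built with occ_mtu when occ_mtu is non-zero.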
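Review bot: in the add_option() hunk ``tun-mtu`` now accepts a second argument via ``!p[3]`` but neither value is range-checked; positive_atoi() returns 0 for junk, and an occ-mtu of 0 silently means "same as tun-mtu", so a typo such as ``tun-mtu 1420 15o0`` disables the feature without any message. A minimum-size check like the ones applied to other MTU options, or at least an M_WARN when p[2] is present but parses to 0, would catch that. Resetting occ_mtu to 0 in the else branch is correct for repeated ``tun-mtu`` lines.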
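Review bot: the new field comment in options.h says "if non-null", but occ_mtu is an int, so "if non-zero" is the accurate wording; it is also worth stating there that 0 means "announce tun_mtu", since both add_option() and options_string() rely on that convention.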
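Review bot: in the prepare_push_reply() hunk the ``tun-mtu`` push is emitted before the client_max_mtu comparison, so when the client reports a lower maximum the server pushes a value it has just determined the client cannot use, and the advice to add ``tun-max-mtu`` is only logged on the server side where the client administrator will not see it; consider pushing min(client_max_mtu, o->ce.tun_mtu) in that case, or not pushing at all and letting the client keep its own MTU. Minor: sscanf() accepts a negative IV_MTU value, which then triggers the warning with a meaningless number, so a client_max_mtu > 0 check before the comparison would be cleaner. ``tun-max-mtu`` is not defined in this patch, so the warning text assumes an earlier patch in the series adds it.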