From patchwork Sat Jun 25 13:41:48 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2556
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 26 Jun 2022 01:41:48 +0200
Message-Id: <20220625234150.3398864-3-arne@rfc2549.org>
In-Reply-To: <20220625234150.3398864-1-arne@rfc2549.org>
References: <20220625234150.3398864-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 3/5] Push server mtu to client when support and support occ mtu

To maximise compatibility, allow lying about our MTU in the default OCC message.

Patch v2: improve documentation
Patch v3: split changing default MTU into its own patch

Signed-off-by: Arne Schwabe
Acked-by: Heiko Hund
---
 Changes.rst                              |  5 +++++
 doc/man-sections/vpn-network-options.rst | 27 ++++++++++++++++++++----
 src/openvpn/options.c                    | 21 ++++++++++++++++--
 src/openvpn/options.h                    |  1 +
 src/openvpn/push.c                       | 16 ++++++++++++++
 5 files changed, 64 insertions(+), 6 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 8462f7888..616a977ed 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -149,6 +149,11 @@ User-visible Changes - Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration - :code:`link_mtu` parameter is removed from environment or replaced with 0 when scripts are called with parameters. This parameter is unreliable and no longer internally calculated. +- the default of ``--tun-mtu`` has been changed to ``--tun-mtu 1420 1500`` when + running in server mode. This will create an MTU mismatch with older clients + (newer clients allow pushable mtu) but the most common server platforms + (Linux and FreeBSD) allow receiving 1500 byte packets even when tun-mtu is + set to 1420, still allowing larger packets from clients with 1500 byte MTU. Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 2d0e662e4..9a09aef8b 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -500,10 +500,25 @@ routing. arguments of ``--ifconfig`` to mean "address netmask", no longer "local remote". ---tun-mtu n - Take the TUN device MTU to be **n** and derive the link MTU from it - (default :code:`1500`). In most cases, you will probably want to leave - this parameter set to its default value. +--tun-mtu args + + Valid syntaxes: + :: + + tun-mtu tun-mtu + tun-mtu tun-mtu occ-mtu + + Take the TUN device MTU to be ``tun-mtu`` and derive the link MTU from it. + In most cases, you will probably want to leave this parameter set to + its default value. + + Starting with OpenVPN 2.6 when running server mode (``--mode server``, + ``--server``, or ``-server-ipv6`` options present in the configuration), + the default will be 1420 for the tun mtu size and 1500 for the ``occ-mtu``. + + The OCC MTU can be used to avoid warnings about mismatched MTU from + clients. If :code:`occ-mtu` is not specified, it will to default to the + tun-mtu. The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. @@ -516,6 +531,10 @@ routing. It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal with MTU sizing issues. + Note: Depending on the platform, the operating system allows to receive + packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms + (like macOS) limit received packets to the same size as the MTU. + --tun-max-mtu maxmtu This configures the maximum MTU size that a server can push to ``maxmtu``. The default for ``maxmtu`` is 1600. This will increase internal buffers diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c14ab1330..f162b0b41 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -814,6 +814,7 @@ init_options(struct options *o, const bool init_gc) o->status_file_version = 1; o->ce.bind_local = true; o->ce.tun_mtu = TUN_MTU_DEFAULT; + o->ce.occ_mtu = 0; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; o->ce.mssfix = 0; @@ -4018,7 +4019,15 @@ options_string(const struct options *o, buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); - buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + if (o->ce.occ_mtu != 0) + { + buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu); + } + else + { + buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + } + buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); @@ -6262,11 +6271,19 @@ add_option(struct options *options, options->ce.link_mtu = positive_atoi(p[1]); options->ce.link_mtu_defined = true; } - else if (streq(p[0], "tun-mtu") && p[1] && !p[2]) + else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi(p[1]); options->ce.tun_mtu_defined = true; + if (p[2]) + { + options->ce.occ_mtu = positive_atoi(p[2]); + } + else + { + options->ce.occ_mtu = 0; + } } else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 52d6436b8..bf17764f0 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -118,6 +118,7 @@ struct connection_entry const char *socks_proxy_authfile; int tun_mtu; /* MTU of tun device */ + int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */ int tun_mtu_max; /* maximum MTU that can be pushed */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 63257348a..8a396a82c 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -603,6 +603,22 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, { push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm"); } + + /* Push our mtu to the peer if it supports pushable MTUs */ + int client_max_mtu = 0; + const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc); + + if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1) + { + push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu); + if (client_max_mtu < o->ce.tun_mtu) + { + msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower " + "than MTU used on the server (%d). Add tun-max-mtu %d " + "to client configuration.", client_max_mtu, + o->ce.tun_mtu, o->ce.tun_mtu); + } + } return true; }
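Review bot: the Changes.rst hunk announces a new server-mode default of ``--tun-mtu 1420 1500``, but nothing in this patch changes the default: init_options still sets o->ce.tun_mtu = TUN_MTU_DEFAULT and the new o->ce.occ_mtu = 0, and the commit message says the default change was split into its own patch. Move that paragraph to the patch that actually changes the default, or reword it here to cover only what lands now (the optional second ``--tun-mtu`` argument and the tun-mtu push for clients that announce IV_MTU). Minor: "(newer clients allow pushable mtu)" should read "MTU" like the rest of the entry.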
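Review bot: the same split problem is in the ``--tun-mtu`` man page hunk (@@ -500): "Starting with OpenVPN 2.6 when running server mode ... the default will be 1420 for the tun mtu size and 1500 for the ``occ-mtu``" documents a default this patch does not implement and should travel with the patch that does. Within the hunk itself: ``-server-ipv6`` is missing a dash (``--server-ipv6``); "it will to default to the tun-mtu" has a stray "to"; and the syntax block "tun-mtu tun-mtu occ-mtu" reuses the option name as the placeholder for its first argument, so something like ``tun-mtu mtu [occ-mtu]`` plus one sentence saying the second value only changes what is announced in OCC, never the device MTU, would be clearer.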
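Review bot: in the platform note hunk (@@ -516), "the operating system allows to receive packets larger than ``tun-mtu``" should be "allows receiving packets larger than ``tun-mtu``". Since this note is the whole justification for announcing a larger MTU than the device has, it would help to state that directly: on Linux and FreeBSD a 1420 device can still accept 1500-byte packets from a peer that believes the announced value, on macOS it cannot.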
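Review bot: in the options_string hunk (@@ -4018) the tun-mtu field now comes from o->ce.occ_mtu, but the link-mtu field printed two lines above is still calc_options_string_link_mtu(o, frame), i.e. derived from the real frame->tun_mtu. A peer configured with the announced tun-mtu will derive a different link-mtu, so the OCC string becomes internally inconsistent and that peer will presumably still report a link-mtu mismatch. If occ-mtu is meant to make the string look like that of a peer with that MTU, link-mtu has to be computed from occ_mtu as well; otherwise the documentation should say that only the tun-mtu part of the warning is suppressed.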
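Review bot: in the add_option hunk (@@ -6262), positive_atoi(p[2]) returns 0 for non-numeric or negative input, so a mistyped second argument such as "tun-mtu 1420 15oo" silently turns into "announce the real tun-mtu" instead of a configuration error; reject it with msg(M_USAGE, ...) and consider bounds-checking the value. Also note that the VERIFY_PERMISSION mask still includes OPT_P_PUSH_MTU, so a pushed "tun-mtu X Y" from a server now sets occ_mtu on the client as well; if that is not intended, only honour p[2] when the option does not arrive via push.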
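Review bot: in the options.h hunk the new field comment says "if non-null", but occ_mtu is an int with 0 as the "not set" value; "if non-zero" matches the check options.c actually performs (o->ce.occ_mtu != 0).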
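Review bot: in the prepare_push_reply hunk the server still pushes "tun-mtu %d" with o->ce.tun_mtu after it has determined that client_max_mtu is lower, so the warning tells the admin what went wrong but the client is still handed an MTU it has just said it cannot accept; either push the smaller of the two values or skip the push in that case. Two smaller points: sscanf("%d") on the peer-controlled IV_MTU string accepts "1500abc" and negative numbers, and a negative value only triggers the warning, so parsing with strtol and rejecting anything that is not a positive number would be tighter; and msg(M_WARN, ...) fires on every connection from such a client, which gets noisy with a large fleet, so a lower log level such as D_PUSH may be more appropriate.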