From patchwork Wed Nov 9 15:48:10 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2845
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 9 Nov 2022 16:48:10 +0100
Message-Id: <20221109154810.1268403-2-arne@rfc2549.org>
In-Reply-To: <20221109154810.1268403-1-arne@rfc2549.org>
References: <20221109154810.1268403-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 2/2] Push server mtu to client when supported and support occ mtu

To maximise compatibility, allow lying about our MTU in the default OCC message.

Patch v2: improve documentation
Patch v3: split changing default MTU into its own patch
Patch v5: remove leftover mentions of default MTU
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- Changes.rst | 6 +++++- doc/man-sections/vpn-network-options.rst | 25 ++++++++++++++++++++---- src/openvpn/options.c | 21 ++++++++++++++++++-- src/openvpn/options.h | 1 + src/openvpn/push.c | 16 +++++++++++++++ 5 files changed, 62 insertions(+), 7 deletions(-) diff --git a/Changes.rst b/Changes.rst index 889689877..a158143a7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -184,7 +184,11 @@ User-visible Changes - control channel packet maximum size is no longer influenced by ``--link-mtu``/``--tun-mtu`` and must be set by ``--max-packet-size`` now. The default is 1250 for the control channel size. - +- the default of ``--tun-mtu`` has been changed to ``--tun-mtu 1420 1500`` when + running in server mode. This will create an MTU mismatch with older clients + (newer clients allow pushable mtu) but the most common server platforms + (Linux and FreeBSD) allow receiving 1500 byte packets even when tun-mtu is + set to 1420, still allowing larger packets from clients with 1500 byte MTU. - In point-to-point OpenVPN setups (no ``--server``), using ``--explict-exit-notiy`` on one end would terminate the other side at session end. This is considered a no longer useful default and has diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 2d0e662e4..6bd41bf5f 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -500,10 +500,23 @@ routing. arguments of ``--ifconfig`` to mean "address netmask", no longer "local remote". ---tun-mtu n - Take the TUN device MTU to be **n** and derive the link MTU from it - (default :code:`1500`). In most cases, you will probably want to leave - this parameter set to its default value. +--tun-mtu args + + Valid syntaxes: + :: + + tun-mtu tun-mtu + tun-mtu tun-mtu occ-mtu + + Take the TUN device MTU to be ``tun-mtu`` and derive the link MTU from it. + In most cases, you will probably want to leave this parameter set to + its default value. + + The default for :code:`tun-mtu` is 1500. + + The OCC MTU can be used to avoid warnings about mismatched MTU from + clients. If :code:`occ-mtu` is not specified, it will to default to the + tun-mtu. The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. @@ -516,6 +529,10 @@ routing. It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal with MTU sizing issues. + Note: Depending on the platform, the operating system allows to receive + packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms + (like macOS) limit received packets to the same size as the MTU. + --tun-max-mtu maxmtu This configures the maximum MTU size that a server can push to ``maxmtu``. The default for ``maxmtu`` is 1600. This will increase internal buffers diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 235d1f6cd..33b7c698d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -825,6 +825,7 @@ init_options(struct options *o, const bool init_gc) o->status_file_version = 1; o->ce.bind_local = true; o->ce.tun_mtu = TUN_MTU_DEFAULT; + o->ce.occ_mtu = 0; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.tls_mtu = TLS_MTU_DEFAULT; o->ce.mtu_discover_type = -1; 
@@ -4193,7 +4194,15 @@ options_string(const struct options *o, buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); - buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + if (o->ce.occ_mtu != 0) + { + buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu); + } + else + { + buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + } + buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); @@ -6447,11 +6456,19 @@ add_option(struct options *options, options->ce.link_mtu = positive_atoi(p[1]); options->ce.link_mtu_defined = true; } - else if (streq(p[0], "tun-mtu") && p[1] && !p[2]) + else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi(p[1]); options->ce.tun_mtu_defined = true; + if (p[2]) + { + options->ce.occ_mtu = positive_atoi(p[2]); + } + else + { + options->ce.occ_mtu = 0; + } } else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index a2bc13a1c..68ad0cacb 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -118,6 +118,7 @@ struct connection_entry const char *socks_proxy_authfile; int tun_mtu; /* MTU of tun device */ + int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */ int tun_mtu_max; /* maximum MTU that can be pushed */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index b2e46f1ca..3d32669af 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -678,6 +678,22 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, push_option_fmt(gc, push_list, M_USAGE, "protocol-flags%s", buf_str(&proto_flags)); } + /* Push our mtu to the peer if it supports pushable MTUs */ + int client_max_mtu = 0; + const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc); + + if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1) + { + push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu); + if (client_max_mtu < o->ce.tun_mtu) + { + msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower " + "than MTU used on the server (%d). Add tun-max-mtu %d " + "to client configuration.", client_max_mtu, + o->ce.tun_mtu, o->ce.tun_mtu); + } + } + return true; }
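Review bot: The Changes.rst entry ("the default of ``--tun-mtu`` has been changed to ``--tun-mtu 1420 1500`` when running in server mode") describes a default change that nothing in this patch implements, and the man page hunk in the same patch still states "The default for :code:`tun-mtu` is 1500"; given the cover note that changing the default MTU was split into its own patch and that v5 removes leftover mentions of it, this entry looks like such a leftover and should move to that patch or be reworded to describe only the new second ``occ-mtu`` argument.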
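Review bot: In the ``--tun-mtu args`` description there is a typo, "it will to default to the tun-mtu" should read "it will default to the tun-mtu"; it would also help operators to state explicitly that ``occ-mtu`` only changes the value announced in OCC and does not change the device MTU, so it suppresses the mismatch warning on the peer rather than removing the mismatch.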
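Review bot: The added Note in the second vpn-network-options.rst hunk has a grammar slip, "the operating system allows to receive packets larger than ``tun-mtu``" should be "allows receiving packets larger than ``tun-mtu``"; the platform list is the useful part of this note, so consider also saying what happens on the platforms that do not (packets larger than the MTU are dropped), which is the consequence an operator hiding a mismatch with ``occ-mtu`` needs to know.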
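Review bot: In the options_string() hunk, the ``link-mtu`` value printed just above the changed lines is still taken from calc_options_string_link_mtu(o, frame), i.e. derived from the real frame, while ``tun-mtu`` now prints o->ce.occ_mtu when set; a peer that compares the whole OCC string may therefore still report a ``link-mtu`` mismatch even though ``tun-mtu`` now matches. Either derive the announced link-mtu from occ_mtu as well, or document that the override only silences the tun-mtu part of the comparison.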
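Review bot: In the add_option() hunk, ``options->ce.occ_mtu = positive_atoi(p[2])`` accepts the second argument without validation: if positive_atoi() maps a malformed or negative value to 0, a typo in the config silently disables the override instead of being rejected, and an implausible value (for example smaller than a minimum usable MTU or larger than tun_mtu_max) is announced to peers as-is. Consider the same range checking the other MTU options get, with msg(M_USAGE, ...) on failure, and note that OPT_P_PUSH_MTU means a pushed ``tun-mtu X Y`` can set occ_mtu on a client too, which should be intentional or restricted.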
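Review bot: The new field comment in options.h, ``int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */``, refers to an int as "non-null"; "non-zero" is the accurate wording, and saying that 0 means "announce the real tun_mtu" makes the sentinel explicit for readers of the struct.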
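Review bot: In the prepare_push_reply() hunk, when ``client_max_mtu < o->ce.tun_mtu`` the server logs a warning but still pushes ``tun-mtu %d`` with the larger value; the comment should state what the client does with a pushed MTU above its tun-max-mtu (reject, clamp, or fail the connection), or the push should be skipped or clamped in that branch so the outcome does not depend on client-side behaviour. Since IV_MTU is peer-supplied, it is also worth rejecting non-positive values from sscanf() rather than only comparing them, so a negative or zero IV_MTU does not produce a misleading "reported maximum MTU from client (-1)" warning.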