[Bug 276838] ovpn(4) DCO module breaks SSH connectivity

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 05 Feb 2024 13:30:21 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276838

Gert Doering <gert@greenie.muc.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gert@greenie.muc.de

--- Comment #1 from Gert Doering <gert@greenie.muc.de> ---
As discussed on IRC, there are good chances that this is MTU related.

If `mssfix` is in use, this will cap TCP packet size to "small enough so
outside UDP packets do not need to be fragmented".  This works both sides, so
it's enough if one end does `mssfix`.

As of today, kernel openvpn does not seem to support `mssfix`, so if *both*
ends use DCO, no MSS manipulations are done, and you need to reduce interface
MTU (`tun-mtu 1400`) to get the same effect.

Now, why outside fragmentation breaks with IPv6 is another of these questions -
it shouldn't break, it is tested here in my FreeBSD 14 / DCO test scenario, but
for example `pf(4)` needed to be told to leave IPv6 fragments alone in earlier
versions (not sure about 14).

-- 
You are receiving this mail because:
You are on the CC list for the bug.