[Bug 276838] ovpn(4) DCO module breaks SSH connectivity
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 05 Feb 2024 13:30:21 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276838 Gert Doering <gert@greenie.muc.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gert@greenie.muc.de --- Comment #1 from Gert Doering <gert@greenie.muc.de> --- As discussed on IRC, there are good chances that this is MTU related. If `mssfix` is in use, this will cap TCP packet size to "small enough so outside UDP packets do not need to be fragmented". This works both sides, so it's enough if one end does `mssfix`. As of today, kernel openvpn does not seem to support `mssfix`, so if *both* ends use DCO, no MSS manipulations are done, and you need to reduce interface MTU (`tun-mtu 1400`) to get the same effect. Now, why outside fragmentation breaks with IPv6 is another of these questions - it shouldn't break, it is tested here in my FreeBSD 14 / DCO test scenario, but for example `pf(4)` needed to be told to leave IPv6 fragments alone in earlier versions (not sure about 14). -- You are receiving this mail because: You are on the CC list for the bug.