OpenVPN Tunnel MTU

asoofi

New Around Here
Hi All. I have an Asus AC1900 (RT-AC68U) router running asuswrt-merlin 386.3_2 sitting behind a separate Spectrum wireless router and a separate Spectrum cable modem.

The AC1900 connects and routes all traffic to an OpenVPN tunnel.

Per Spectrum, who recently updated my modem and router, I had to reduce the WAN MTU from 1500 down to 1479. This was easy. However, my tunnel became sluggish, with packet drops being frequent per various network tests. I _think_ I need to reduce the tunnel MTU too.

I don't see any UI options for modifying the tunnel VPN. I can set the mtu on "tun11" manually through SSH, but it will revert back to 1500 on restart of the device or when the tunnel renegotiates.

Can anyone point me in the right direction? I can post additional details/logs/settings if necessary.

Relevant log line:
Jan 2 07:35:53 ovpn-client1[28219]: /usr/sbin/ip link set dev tun11 up mtu 1500
 

ColinTaylor

Part of the Furniture
Try putting something like this (or changing an existing entry) in the VPN client's Custom Configuration:
Code:
tun-mtu 1460
 

asoofi

New Around Here
Thanks. mssfix in the local config file improved the situation. Unfortunately tun-mtu and fragment both have to be set on both sides of the tunnel. The other end of the tunnel is an OpenVPN server on a similar Asus AC1900 (RT-AC68U) router running asuswrt-merlin 386.3_2. Any ideas how to set the OpenVPN Server tun-mtu or fragment? Is there a static file I need to change via SSH? The UI for the OpenVPN Server has very few options.
 

ColinTaylor

Part of the Furniture
Unfortunately tun-mtu and fragment both have to be set on both sides of the tunnel.
I've only tried setting tun-mtu using a NordVPN connection but it seems to do what you wanted without any changes on the server side. In other words it changes the tun11 MTU as you asked.
Code:
Jan  8 23:04:59 ovpn-client1[4572]: /usr/sbin/ip link set dev tun11 up mtu 1400
Code:
tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.1.6  P-t-P:10.8.1.6  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3420 (3.3 KiB)  TX bytes:3428 (3.3 KiB)

The same command can be put into the VPN server config (Advanced Settings) if required.
Code:
Jan  8 23:18:29 ovpn-server1[7987]: /usr/sbin/ip link set dev tun21 up mtu 1400
Code:
tun21     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.100.1  P-t-P:10.8.100.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
 
Last edited:

asoofi

New Around Here
Thanks for all your help.

Putting "tun-mtu 1200" in the .opvn file and uploading it to the asuswrt-merlin router has no effect. The custom settings section of the UI acknowledges the additional lines, but the tunnel mtu is unchanged.
1641822855827.png

1641822904447.png



As I mentioned in the original post, "/usr/sbin/ip link set dev tun11 up mtu 1200" absolutely works to set the tun11 mtu. I can set it manually via SSH, but it just resets on reboot or tunnel renegotiation.

UI limitation? Is there a file on the router I can add/edit via SSH?
 

ColinTaylor

Part of the Furniture
Putting "tun-mtu 1200" in the .opvn file and uploading it to the asuswrt-merlin router has no effect. The custom settings section of the UI acknowledges the additional lines, but the tunnel mtu is unchanged.
Why are you editing the opvn file directly? Try typing your settings into the Custom Configuration box directly and applying it from there.
 

asoofi

New Around Here
Thanks. Same result. Whether I put it in the ovpn file and upload the file via the UI, which ends up in the Custom Configuration textbox, or I manually edit the Custom Configuration textbox, neither seem to act on "tun-mtu 1200". Only applying 1200 via the "ip" command at the SSH command line changes the tunnel mtu. Does order matter? Should it be higher or lower or applied to a config file on the file system via SSH instead?
1641829575938.png
 

ColinTaylor

Part of the Furniture
What do you see in the syslog when it starts up?

I only tested it with a single tun-mtu line in the config, nothing else.
 

PR3MIUM

Regular Contributor
for me connecting to two different vpn servers with the same mtu 1500,
the mtu always changes/adjust itself to a lower 14xx or even higher 16xx.

maybe try:

Code:
tun-mtu 14xx
mssfix 14xx
 
Last edited:

eibgrad

Part of the Furniture
Before throwing various mtu values at it, it might be a good idea to remove mssfix and tun-mtu and add the mtu-test directive to actual have OpenVPN test the max size it can send. After about three minutes, you should see something like the following in the syslog.

Code:
Jan 10 09:16:31 lab-merlin1-1AB780F-C ovpn-client1[13822]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1525,1525] remote->local=[1525,1525]
 

eibgrad

Part of the Furniture
Would be interesting as well to try TCP rather than UDP. Most of these mtu related directives only apply to UDP.
 

PR3MIUM

Regular Contributor
ping if possible ?
ping -f” tells ping not to fragment the packet under any circumstances.
ping -l” tells ping the packet size to use.

Code:
ping -f <IP of Device on other end of VPN> -l <MTU to test>
ping -f 192.168.100.1 -l 1500
 

asoofi

New Around Here
What do you see in the syslog when it starts up?

I only tested it with a single tun-mtu line in the config, nothing else.
It is as you expected. Local log complains of a mismatch between local and remote tunnel mtu settings. So back to my question of how we set the OpenVPN Server tunnel MTU on a router running asuswrt-merlin 386.3_2?

Code:
Jan 11 17:58:39 ovpn-client1[15617]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1242', remote='link-mtu 1542'
Jan 11 17:58:39 ovpn-client1[15617]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1200', remote='tun-mtu 1500'
 

asoofi

New Around Here
Before throwing various mtu values at it, it might be a good idea to remove mssfix and tun-mtu and add the mtu-test directive to actual have OpenVPN test the max size it can send. After about three minutes, you should see something like the following in the syslog.

Code:
Jan 10 09:16:31 lab-merlin1-1AB780F-C ovpn-client1[13822]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1525,1525] remote->local=[1525,1525]
Spectrum said to use MTU 1479, which I could easily set on the WAN side. I can certainly test that number for the tunnel, but we will still have the same open question, which is how do we set the OpenVPN server side tunnel MTU on an Asus router running asuswrt-merlin 386.3_2? So far we only know how to set the client side tunnel mtu.
 

ColinTaylor

Part of the Furniture
I see the same messages, but they're only warnings. It's still setting the MTU on the interface which is what you wanted.

To change the MTU on the server, as I said before, just use the same tun-mtu statement on the server.
 

asoofi

New Around Here
ping if possible ?
ping -f” tells ping not to fragment the packet under any circumstances.
ping -l” tells ping the packet size to use.

Code:
ping -f <IP of Device on other end of VPN> -l <MTU to test>
ping -f 192.168.100.1 -l 1500
Actually ping on asuswrt-merlin 386.3_2 has very different syntax.
Before throwing various mtu values at it, it might be a good idea to remove mssfix and tun-mtu and add the mtu-test directive to actual have OpenVPN test the max size it can send. After about three minutes, you should see something like the following in the syslog.

Code:
Jan 10 09:16:31 lab-merlin1-1AB780F-C ovpn-client1[13822]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1525,1525] remote->local=[1525,1525]
I got the same numbers as you.

Code:
Jan 11 18:19:46 ovpn-client1[17699]: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Jan 11 18:22:50 ovpn-client1[17699]: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1525,1525] remote->local=[1525,1525]
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top