Title: efw 2.5.1 openvpn GW2GW client MTU Issues
Post by: WGE on Wednesday 06 June 2012, 11:52:55 pm

Hi Everyone,

I'm having issues trying to get the client to change its MTU. The VPN is connected and working, but it's hideously slow because the ISP here doesn't like MTU sizes above 1450 and it insists on connecting with an MTU size of 1500. I tried to set the MTU by changing the mssfix value to 1400 and also the tun-mtu value in /etc/openvpn/openvpn.conf.tmpl to 1400 on both the openvpn server and the client, but no dice.... Can anyone help me out? See the logs below...

Cheers!

OpenVPN 2012-06-06 19:16:10 wgevpn[14253]: Wed Jun 6 19:16:10 2012 [127.0.0.1] Peer Connection Initiated with 203.134.183.130:1194
OpenVPN 2012-06-06 19:16:13 wgevpn[14253]: Wed Jun 6 19:16:13 2012 TUN/TAP device tap1 opened
OpenVPN 2012-06-06 19:16:13 wgevpn[14253]: Wed Jun 6 19:16:13 2012 /sbin/ip link set dev tap1 up mtu 1500
OpenVPN 2012-06-06 19:16:13 wgevpn[14253]: Wed Jun 6 19:16:13 2012 /sbin/ip addr add dev tap1 172.31.56.100/16 broadcast 172.31.255.255
OpenVPN 2012-06-06 19:16:13 wgevpn[14253]: Wed Jun 6 19:16:13 2012 /usr/local/bin/dir.d-exec /etc/openvpn/ifup.client.d/ tap1 1500 1574 172.31.56.100 255.255.0.0 init
OpenVPN 2012-06-06 19:16:13 wgevpn[14253]: Wed Jun 6 19:16:13 2012 Initialization Sequence Completed
OpenVPN 2012-06-06 19:08:14 wgevpn[10299]: Wed Jun 6 19:08:14 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
OpenVPN 2012-06-06 19:08:14 wgevpn[10299]: Wed Jun 6 19:08:14 2012 UDPv4 link remote: 203.134.183.130:1194
OpenVPN 2012-06-06 19:08:14 wgevpn[10299]: Wed Jun 6 19:08:14 2012 UDPv4 link local: [undef]
OpenVPN 2012-06-06 20:15:50 wgevpn[14253]: Wed Jun 6 20:15:50 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
OpenVPN 2012-06-06 20:15:53 wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1474"
OpenVPN 2012-06-06 20:15:53 wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1432"
OpenVPN 2012-06-06 21:15:53 wgevpn[14253]: Wed Jun 6 21:15:53 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: kashifmax on Thursday 07 June 2012, 12:57:52 am

You can set "tun-mtu xx" on the client and check whether it's working or not; set "verb 5" as well, this will give you more details while connecting. Secondly, try to change the proto to tcp (default is udp) and see if there is any improvement in the performance. Kindly upload the code as well.
Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: WGE on Thursday 07 June 2012, 01:29:35 pm

Hi Kashifmax,

I have tried setting tun-mtu 1400 on the client (efw 2.5.1 client) but I'm not sure I have the right config file. Do you know which config file is the correct one to modify? I have also tried it as a TCP connection and that made things much worse and slower; it would drop out constantly and the pings weren't consistent as they are with UDP. The config files that I have (I hope they are the right ones) are below.. they are both from the endian FW that is the client, by the way; the server config is no different though:

Thanks!
Ewan

/etc/openvpn/openvpn.conf.tmpl

#from endian.core.specialtypes import CIDR

; daemon configuration
daemon
mode server
tls-server
proto ${DS.OPENVPN.SETTINGS.OPENVPN_PROTOCOL}
port ${DS.OPENVPN.SETTINGS.OPENVPN_PORT}
tmp-dir /var/tmp
#if $PORT_SHARE == 'on'
port-share ${GREEN.settings.address} ${DS.HTTPD.SETTINGS.HTTPD_HTTPS_PORT}
#end if
multihome
user openvpn
group openvpn
cd /var/openvpn
; client-config-dir clients
script-security 2 system

; tunnel configuration
dev ${PURPLE_DEVICE}
#if $DS.OPENVPN.SETTINGS.BRIDGED == 'on'
; bridge to $DS.OPENVPN.SETTINGS.BRIDGE_TO
#set bridgenet = $getVar($DS.OPENVPN.SETTINGS.BRIDGE_TO).settings.ips_obj[0]
#set bridgeip = $getVar($DS.OPENVPN.SETTINGS.BRIDGE_TO).settings.address
#set bridgenetmask = $getVar($DS.OPENVPN.SETTINGS.BRIDGE_TO).settings.netmask
server-bridge ${bridgeip} ${bridgenetmask} #slurp
${bridgenet.firstIp($DS.OPENVPN.SETTINGS.PURPLE_IP_BEGIN, calc=True)} #slurp
${bridgenet.firstIp($DS.OPENVPN.SETTINGS.PURPLE_IP_END, calc=True)}
push "route-gateway ${bridgeip}"
#else
; not bridged
#set server = CIDR($DS.OPENVPN.SETTINGS.PURPLE_NET)
server ${server.netaddress} ${server.netmask}
#end if
#if $DS.OPENVPN.SETTINGS.PUSH_GLOBAL_NETWORKS == 'on'
; push global networks
#for $nets in $GLOBAL_NETWORKS_ARR
push "route ${nets.netaddress} ${nets.netmask}"
#end for
#else
; don't push global networks
#end if
passtos
comp-lzo
management 127.0.0.1 5555
keepalive 8 30
tun-mtu 1400
tun-mtu-extra 32
mssfix 1400
persist-key
persist-tun
persist-local-ip
persist-remote-ip

; logging and status
writepid /var/run/openvpn/openvpn.pid
ifconfig-pool-persist openvpn.leases
status /var/log/openvpn/openvpn-status.log
verb 1
client-connect "/usr/local/bin/openvpn-client-connect"
client-disconnect "/usr/local/bin/openvpn-client-disconnect"
up "/usr/local/bin/dir.d-exec /etc/openvpn/ifup.server.d/"
down "/usr/local/bin/dir.d-exec /etc/openvpn/ifdown.server.d/"

; certificates and authentication
dh /var/efw/openvpn/dh1024.pem
pkcs12 /var/efw/openvpn/pkcs12.p12
#if $DS.OPENVPN.SETTINGS.DUPLICATE_CN == 'on'
duplicate-cn
#end if
#if $DS.OPENVPN.SETTINGS.AUTH_TYPE == 'psk'
client-cert-not-required
auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
username-as-common-name
#else
ns-cert-type client
#if $HAS_CRL == 'on'
crl-verify /var/efw/openvpn/crl.pem
#end if
#if $DS.OPENVPN.SETTINGS.AUTH_TYPE == 'certpsk'
auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
username-as-common-name
#end if
#end if
#if $DS.OPENVPN.SETTINGS.CLIENT_TO_CLIENT == 'on'
client-to-client
#end if
#try
#include "/var/efw/openvpn/openvpn.tmpl"
#except
#pass
#end try

/etc/openvpn/openvpn_wgevpn.conf

# Begin Additional configuration:
# (This is to cause the process to restart whenever
# such a configuration value changes)
# NAT:
# Routetype: bridged
# Block DHCP:
# End Additional configuration
client
pull
comp-lzo yes
nobind
resolv-retry infinite
script-security 2 system
auth-retry nointeract
dev tap1
dev-type tap
ca /var/efw/openvpnclients/wgevpn/ca.pem
auth-user-pass /var/efw/openvpnclients/wgevpn/credentials
proto udp
remote 203.134.183.130 1194 udp
writepid /var/run/openvpn/client_wgevpn.pid
up-delay
up "/usr/local/bin/dir.d-exec /etc/openvpn/ifup.client.d/"
down-pre
down "/usr/local/bin/dir.d-exec /etc/openvpn/ifdown.client.d/"

Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: kashifmax on Thursday 07 June 2012, 09:34:25 pm

Most ISPs use a 1500 MTU size but my ISP is using 1492.
Try this also in openvpn.conf

Code:
tun-mtu 1450

Don't restart the openvpn service via the GUI, otherwise your entries will vanish. See these links:
http://www.efwsupport.com/index.php?topic=2.0
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html

Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: WGE on Friday 08 June 2012, 01:27:06 pm

Hi there,

Running ifconfig I can see that the uplink interface MTU is already set at 1400:

eth1      Link encap:Ethernet  HWaddr 00:0C:29:C9:62:5B
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec9:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:2001251 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1508616 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2148961406 (2.0 GiB)  TX bytes:278600755 (265.6 MiB)

Running ifconfig also tells me that the VPN connection is @ 1500:

tap1      Link encap:Ethernet  HWaddr 7A:A6:0B:AE:DE:F3
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:15222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13799 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14164435 (13.5 MiB)  TX bytes:1487290 (1.4 MiB)

Do you know how I get the client to connect using 1400 MTU? I have tried adding these to /etc/openvpn/openvpn_wgevpn.conf on the client and it is already in /etc/openvpn/openvpn.conf on the server efw....

Code:
tun-mtu 1400
tun-mtu-extra 32
mssfix 1400

but it doesn't do anything on the client and is working on the server, so it's the cause of the mismatch I posted previously. The below log is from the client machine; the exact same thing appears on the server but reversed.

OpenVPN 2012-06-06 20:15:53 wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1474"
OpenVPN 2012-06-06 20:15:53 wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1432"

There must be another config file it's using to pull its connection settings from. Do you know what it could be?

Thanks!
Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: kashifmax on Saturday 09 June 2012, 06:49:24 pm

In my case the client file is "xx.ovpn", and when I was doing some experiments this file was reflecting /etc/openvpn/openvpn.conf. There is some more information if you have visited the above links?

Anyways, reset EFW and first try to change some settings only on the client side, then move to configuration files.

Code:
tun-mtu 1450

Start setting from a lower MTU size (1300, then 1400) in configurations and check one by one. If the above doesn't help you, then use this command (windows) to set the MTU.

Code:
netsh interface ipv4 set subinterface "VPNconnectionNAME" mtu=xx store=persistent

1574 is weird :o I guess...

Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: WGE on Monday 18 June 2012, 09:55:07 am

Hmmm. Whereabouts is this elusive xx.ovpn located on your box?

I did visit the above links; they weren't particularly helpful though, unfortunately :( I can set the MTU on the red network interface quite alright, there's a setting in the endian GUI that allows for that. I did try that indeed, but it doesn't stop the VPN interface from connecting at 1500.... as you can see by the following:

eth1      Link encap:Ethernet  HWaddr 00:0C:29:C9:62:5B
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec9:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:2001251 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1508616 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2148961406 (2.0 GiB)  TX bytes:278600755 (265.6 MiB)

Running ifconfig also tells me that the VPN connection is @ 1500 even though the red interface is 1400... stupid thing:

tap1      Link encap:Ethernet  HWaddr 7A:A6:0B:AE:DE:F3
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:15222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13799 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14164435 (13.5 MiB)  TX bytes:1487290 (1.4 MiB)

Windows commands won't help; it's 2 endian firewalls, one is a server, the other is a client doing the gw2gw thing. Server side the MTU is what I set it to in the config, but I can't find the client side config to modify the settings on.... someone must know where this thing is kept or how to change it on the client side....

Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: kashifmax on Thursday 21 June 2012, 05:55:47 pm

xx.ovpn is a CLIENT/WORKSTATION/PC (xx.ovpn) configuration file and the xx.pem is a certificate (or any other you have) that should be copied under the windows location c:\program files\openvpn\config\ before connecting to the SERVER (EFW)...
https://endian.zendesk.com/entries/21295696-how-to-configure-windows-openvpn-client-with-certificate-authentication

Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: WGE on Friday 22 June 2012, 09:20:27 am

Ahhhh I see, you're running a windows client! I'm not... it's a gw2gw connection with 2 endian firewalls that I'm having this issue with, and I can't seem to find the relevant config file on the endian client firewall anywhere.

Can anyone else shed some light on this issue?

Title: Re: efw 2.5.1 openvpn client MTU Issues
Post by: kashifmax on Saturday 23 June 2012, 11:29:07 pm

Yes, but it also works on linux systems. Hmmmm, I think it doesn't matter? Anyways, add gw2gw in the subject if possible...
Title: Re: efw 2.5.1 openvpn GW2GW client MTU Issues
Post by: WGE on Tuesday 26 June 2012, 08:53:06 am

Added GW2GW in the Subject. I wouldn't have thought it would be that hard to change the MTU on the client side. Where is it getting that first line from, dammit!? :P

2012-06-25 07:38:09 wgevpn[4180]: Mon Jun 25 07:38:09 2012 /sbin/ip link set dev tap1 up mtu 1500
OpenVPN 2012-06-25 07:38:09 wgevpn[4180]: Mon Jun 25 07:38:09 2012 /sbin/ip addr add dev tap1 172.31.56.100/16 broadcast 172.31.255.255
OpenVPN 2012-06-25 07:38:09 wgevpn[4180]: Mon Jun 25 07:38:09 2012 /usr/local/bin/dir.d-exec /etc/openvpn/ifup.client.d/ tap1 1500 1574 172.31.56.100 255.255.0.0 init
OpenVPN 2012-06-25 07:38:09 wgevpn[4180]: Mon Jun 25 07:38:09 2012 Initialization Sequence Completed

Title: Re: efw 2.5.1 openvpn GW2GW client MTU Issues
Post by: kashifmax on Wednesday 27 June 2012, 09:39:35 pm

Troubleshooting VPN connections.
1. Write down the MTU size used by the ISP (ping -c1 -M do -s 1460 <host>).
2. Login to the CLI, either from a shell or from Menubar ‣ System ‣ Web Console.
3. Edit the openvpn template with an editor of choice: nano /etc/openvpn/openvpn.conf.tmpl.
4. Search for the string mssfix 1450.
5. Replace 1450 with a lower value, for example 1200.
6. Restart openvpn by calling: restartopenvpn.

http://docs.endian.com/system.html#mtusize

Nothing else I guess ;D

Title: Re: efw 2.5.1 openvpn GW2GW client MTU Issues
Post by: WGE on Monday 02 July 2012, 03:34:31 pm

Yeah, that works for the server but not the client for some reason... oh well. I'll keep trying; in the meantime, if anyone works out where it's kept, let me know. I'll be eternally grateful.

Cheers.

Title: Re: efw 2.5.1 openvpn GW2GW client MTU Issues
Post by: kashifmax on Tuesday 03 July 2012, 07:06:36 pm

It's not possible that the client is not setting the MTU size. Maybe you need to try from scratch... :'( Or maybe Mr. mrkroket 8) is able to point out what you are doing wrong.
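The two WARNING lines WGE keeps quoting already say which peer is still at 1500. As an added example (not from the thread, and not Endian's or OpenVPN's own tooling), this Python script parses those lines and back-calculates each side's configured tun-mtu, assuming tun-mtu-extra 32 (the tap default, and what the posted template sets) and that "local" is the side whose log is being read:

```python
import re

# Constructed sample: the two WARNING lines quoted from the client-side log in this thread.
CLIENT_LOG = """\
OpenVPN 2012-06-06 20:15:53 wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1474"
OpenVPN 2012-06-06 20:15:53 wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1432"
"""

# One regex covers both warning kinds; \1 forces the same option name in all three places.
WARN_RE = re.compile(
    r'WARNING: "(link-mtu|tun-mtu)" is used inconsistently, '
    r'local="\1 (\d+)", remote="\1 (\d+)"'
)


def parse_mtu_warnings(log):
    """Map option name -> (local, remote) for every MTU mismatch warning in the log."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in WARN_RE.finditer(log)}


def diagnose(warnings, tun_mtu_extra=32):
    """Back-calculate what each peer really has configured.

    The "tun-mtu" OpenVPN advertises is the configured tun-mtu plus tun-mtu-extra
    (32 by default on tap devices), and "link-mtu" adds the per-packet
    crypto/compression overhead on top of that.
    """
    tun_local, tun_remote = warnings["tun-mtu"]
    link_local, link_remote = warnings["link-mtu"]
    local_cfg = tun_local - tun_mtu_extra
    remote_cfg = tun_remote - tun_mtu_extra
    overhead_local = link_local - tun_local
    overhead_remote = link_remote - tun_remote
    # Unequal overheads would mean the peers also disagree on cipher/compression,
    # which is a different problem from a plain tun-mtu mismatch.
    side_to_lower = "local" if local_cfg > remote_cfg else "remote"
    return {
        "local_tun_mtu": local_cfg,
        "remote_tun_mtu": remote_cfg,
        "overhead": overhead_local,
        "overhead_consistent": overhead_local == overhead_remote,
        "side_to_lower": side_to_lower,
        "fix": 'set "tun-mtu %d" on the %s side' % (min(local_cfg, remote_cfg), side_to_lower),
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_mtu_warnings(CLIENT_LOG)).items():
        print("%-20s %s" % (key, value))
```

Read against WGE's client log, "local" is the client, so the output points at the client still running 1500, which matches the "ip link set dev tap1 up mtu 1500" line he quoted; the 42-byte overhead being equal on both sides says the mismatch is MTU-only.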