Welcome, Guest. Please login or register.
Did you miss your activation email?
Tuesday 19 November 2024, 09:27:16 am

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14258 Posts in 4377 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  efw 2.5.1 openvpn GW2GW client MTU Issues
0 Members and 4 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: efw 2.5.1 openvpn GW2GW client MTU Issues  (Read 47041 times)
WGE
Jr. Member
*
Offline Offline

Posts: 7


« on: Wednesday 06 June 2012, 11:52:55 pm »

Hi Everyone,

I'm having issues trying to get the client to change its MTU, the VPN is connected and working, but its hideously slow because the ISP here doesn't Like MTU sizes above 1450 and it insists on connecting with an MTU size of 1500

I tried to set the MTU by changing the mssfix value to 1400 and also the tun-mtu value in /etc/openvpn/openvpn.conf.tmpl. to 1400 on both the openvpn server and the client but no dice....

Can anyone help me out? see the logs below...

Cheers!

OpenVPN
2012-06-06 19:16:10
wgevpn[14253]: Wed Jun 6 19:16:10 2012 [127.0.0.1] Peer Connection Initiated with 203.134.183.130:1194
OpenVPN
2012-06-06 19:16:13
wgevpn[14253]: Wed Jun 6 19:16:13 2012 TUN/TAP device tap1 opened
OpenVPN
2012-06-06 19:16:13
wgevpn[14253]: Wed Jun 6 19:16:13 2012 /sbin/ip link set dev tap1 up mtu 1500
OpenVPN
2012-06-06 19:16:13
wgevpn[14253]: Wed Jun 6 19:16:13 2012 /sbin/ip addr add dev tap1 172.31.56.100/16 broadcast 172.31.255.255
OpenVPN
2012-06-06 19:16:13
wgevpn[14253]: Wed Jun 6 19:16:13 2012 /usr/local/bin/dir.d-exec /etc/openvpn/ifup.client.d/ tap1 1500 1574 172.31.56.100 255.255.0.0 init
OpenVPN
2012-06-06 19:16:13
wgevpn[14253]: Wed Jun 6 19:16:13 2012 Initialization Sequence Completed
OpenVPN
2012-06-06 19:08:14
wgevpn[10299]: Wed Jun 6 19:08:14 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
OpenVPN
2012-06-06 19:08:14
wgevpn[10299]: Wed Jun 6 19:08:14 2012 UDPv4 link remote: 203.134.183.130:1194
OpenVPN
2012-06-06 19:08:14
wgevpn[10299]: Wed Jun 6 19:08:14 2012 UDPv4 link local: [undef]
OpenVPN
2012-06-06 20:15:50
wgevpn[14253]: Wed Jun 6 20:15:50 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
OpenVPN
2012-06-06 20:15:53
wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1474"
OpenVPN
2012-06-06 20:15:53
wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1432"
OpenVPN
2012-06-06 21:15:53
wgevpn[14253]: Wed Jun 6 21:15:53 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #1 on: Thursday 07 June 2012, 12:57:52 am »

You can set "tun-mtu xx" on client and check whether its working or not, set "verb 5" as well, this will give you more details while connecting. Secondly try to change the proto to tcp (default is udp) and see if there is any improvement in the performance. Kindly upload the code as well.
Logged
WGE
Jr. Member
*
Offline Offline

Posts: 7


« Reply #2 on: Thursday 07 June 2012, 01:29:35 pm »

Hi Kashifmax,

I have tried setting tun-mtu 1400 on the client (efw 2.5.1 client) but i'm not sure i have the right config file. Do you know which config file is the correct one to modify?

I have also tried it as a TCP connection and that made things much worse and slower, it would drop out constantly and the pings weren't consistant as they are with UDP.

The config files that i have (i hope are the right ones) are below.. they are both From the endian FW that is the client by the way, the server config is no different though:

Thanks!

Ewan


/etc/openvpn/openvpn.conf.tmpl
#from endian.core.specialtypes import CIDR
; daemon configuration
daemon
mode server
tls-server
proto ${DS.OPENVPN.SETTINGS.OPENVPN_PROTOCOL}
port ${DS.OPENVPN.SETTINGS.OPENVPN_PORT}
tmp-dir /var/tmp

#if $PORT_SHARE == 'on'
port-share ${GREEN.settings.address} ${DS.HTTPD.SETTINGS.HTTPD_HTTPS_PORT}
#end if

multihome
user openvpn
group openvpn

cd /var/openvpn
; client-config-dir clients

script-security 2 system

; tunnel configuration

dev ${PURPLE_DEVICE}
#if $DS.OPENVPN.SETTINGS.BRIDGED == 'on'
; bridge to $DS.OPENVPN.SETTINGS.BRIDGE_TO
#set bridgenet = $getVar($DS.OPENVPN.SETTINGS.BRIDGE_TO).settings.ips_obj[0]
#set bridgeip = $getVar($DS.OPENVPN.SETTINGS.BRIDGE_TO).settings.address
#set bridgenetmask  = $getVar($DS.OPENVPN.SETTINGS.BRIDGE_TO).settings.netmask
server-bridge ${bridgeip} ${bridgenetmask} #slurp
${bridgenet.firstIp($DS.OPENVPN.SETTINGS.PURPLE_IP_BEGIN, calc=True)} #slurp
${bridgenet.firstIp($DS.OPENVPN.SETTINGS.PURPLE_IP_END, calc=True)}
push "route-gateway ${bridgeip}"
#else
; not bridged
#set server = CIDR($DS.OPENVPN.SETTINGS.PURPLE_NET)
server ${server.netaddress} ${server.netmask}
#end if

#if $DS.OPENVPN.SETTINGS.PUSH_GLOBAL_NETWORKS == 'on'
; push global networks
  #for $nets in $GLOBAL_NETWORKS_ARR
push "route ${nets.netaddress} ${nets.netmask}"
  #end for
#else
; don't push global networks
#end if

passtos
comp-lzo
management 127.0.0.1 5555
keepalive 8 30

tun-mtu 1400
tun-mtu-extra 32
mssfix 1400

persist-key
persist-tun
persist-local-ip
persist-remote-ip


; logging and status

writepid /var/run/openvpn/openvpn.pid
ifconfig-pool-persist openvpn.leases
status /var/log/openvpn/openvpn-status.log
verb 1


client-connect "/usr/local/bin/openvpn-client-connect"
client-disconnect "/usr/local/bin/openvpn-client-disconnect"

up "/usr/local/bin/dir.d-exec /etc/openvpn/ifup.server.d/"
down "/usr/local/bin/dir.d-exec /etc/openvpn/ifdown.server.d/"

; certificates and authentication

dh /var/efw/openvpn/dh1024.pem
pkcs12 /var/efw/openvpn/pkcs12.p12

#if $DS.OPENVPN.SETTINGS.DUPLICATE_CN == 'on'
duplicate-cn
#end if

#if $DS.OPENVPN.SETTINGS.AUTH_TYPE == 'psk'
client-cert-not-required
auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
username-as-common-name
#else
ns-cert-type client
  #if $HAS_CRL == 'on'
crl-verify /var/efw/openvpn/crl.pem
  #end if
  #if $DS.OPENVPN.SETTINGS.AUTH_TYPE == 'certpsk'
auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
username-as-common-name
  #end if
#end if

#if $DS.OPENVPN.SETTINGS.CLIENT_TO_CLIENT == 'on'
client-to-client
#end if

#try
#include "/var/efw/openvpn/openvpn.tmpl"
#except
#pass
#end try


/etc/openvpn/openvpn_wgevpn.conf


# Begin Additional configuration:
# (This is to cause the process to restart whenever
#  such a configuration value changes)
# NAT:
# Routetype: bridged
# Block DHCP:
# End Additional configuration

client
pull

comp-lzo yes

nobind
resolv-retry infinite
script-security 2 system
auth-retry nointeract

dev tap1
dev-type tap

ca /var/efw/openvpnclients/wgevpn/ca.pem
auth-user-pass /var/efw/openvpnclients/wgevpn/credentials


proto udp

remote 203.134.183.130 1194 udp


writepid /var/run/openvpn/client_wgevpn.pid

up-delay
up "/usr/local/bin/dir.d-exec /etc/openvpn/ifup.client.d/"
down-pre
down "/usr/local/bin/dir.d-exec /etc/openvpn/ifdown.client.d/"

Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #3 on: Thursday 07 June 2012, 09:34:25 pm »

Most of the ISP uses 1500 MTU size but mine ISP is using 1492. Try this also in openvpn.conf

Code:
tun-mtu 1450
tun-mtu-extra 32
mssfix 1400

Don't restart the openvpn service via gui otherwise your entries will be vanished.

See these link
http://www.efwsupport.com/index.php?topic=2.0
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/mtu-issues.html
Logged
WGE
Jr. Member
*
Offline Offline

Posts: 7


« Reply #4 on: Friday 08 June 2012, 01:27:06 pm »

Hi there,

running ifconfig i can see that the uplink interface MTU is already set at 1400:

eth1      Link encap:Ethernet  HWaddr 00:0C:29:C9:62:5B
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec9:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:2001251 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1508616 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2148961406 (2.0 GiB)  TX bytes:278600755 (265.6 MiB)


running ifconfig also tells me that the VPN connection is @ 1500:

tap1      Link encap:Ethernet  HWaddr 7A:A6:0B:AE:DE:F3
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:15222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13799 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14164435 (13.5 MiB)  TX bytes:1487290 (1.4 MiB)


do you know how i get the client to connect using 1400mtu?
i have tried adding these to /etc/openvpn/openvpn_wgevpn.conf on the client and it is already in /etc/openvpn/openvpn.conf on the server efw....

Code:

tun-mtu 1400
tun-mtu-extra 32
mssfix 1400


but it doesn't do anything on the client and is working on the server, so its the cause of the mismatch i posted previously. The below log is from the client machine, the exact same thing appears on the serve but reversed.

OpenVPN
2012-06-06 20:15:53
wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "link-mtu" is used inconsistently, local="link-mtu 1574", remote="link-mtu 1474"
OpenVPN
2012-06-06 20:15:53
wgevpn[14253]: Wed Jun 6 20:15:53 2012 WARNING: "tun-mtu" is used inconsistently, local="tun-mtu 1532", remote="tun-mtu 1432"




there must be another config file its using to pull its connection settings from, do you know what it could be?

Thanks!
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #5 on: Saturday 09 June 2012, 06:49:24 pm »

In my case the client file is "xx.ovpn" and when I was doing some experiments then this file was reflecting /etc/openvpn/openvpn.conf. There is some more information if you have visited the above links ?

Anyways, reset EFW and first try to change some settings only on the client side than move to configuration files.
Code:
tun-mtu 1450
fragment 1300 or 1400
mssfix 1400
verb 5

Start setting from lower mtu size (1300 than 1400) in configurations and check one by one. If the above doesn't help you than use this command (windows) to set mtu.
Code:
netsh interface ipv4 set subinterface "VPNconnectionNAME" mtu=xx store=persistent

1574 is weired Shocked I guess...
Logged
WGE
Jr. Member
*
Offline Offline

Posts: 7


« Reply #6 on: Monday 18 June 2012, 09:55:07 am »

hmmm. Where abouts is this elusive xx.ovpn located on your box?

I did visit the above links, they weren't particularly helpful though unfortunately Sad i can set the MTU on the red network interface quite alright, theres a setting in the endian GUI that allows for that, i did try that indeed, but it doesn't stop the VPN interface from connecting at 1500.... as you can see by the following:

eth1      Link encap:Ethernet  HWaddr 00:0C:29:C9:62:5B
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec9:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:2001251 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1508616 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2148961406 (2.0 GiB)  TX bytes:278600755 (265.6 MiB)



running ifconfig also tells me that the VPN connection is @ 1500 even though the red interface is 1400... stupid thing:

tap1      Link encap:Ethernet  HWaddr 7A:A6:0B:AE:DE:F3
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:15222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13799 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14164435 (13.5 MiB)  TX bytes:1487290 (1.4 MiB)


Windows commands won't help, its 2 endian firewalls one is a server, the other is a client doing the gw2gw thing. server side the MTU is what i set it to in the config, but i can't find the client side config to modify the settings on.... someone must know where this thing is kept or how to change it on the client side....
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #7 on: Thursday 21 June 2012, 05:55:47 pm »

xx.ovpn is a CLIENT/WORKSTATION/PC (xx.ovpn) configuration file and the xx.pem is a certificate (or any other you have) that should be copied under windows location c:\program files\openvpn\config\ before connecting to SERVER (EFW)...

https://endian.zendesk.com/entries/21295696-how-to-configure-windows-openvpn-client-with-certificate-authentication
Logged
WGE
Jr. Member
*
Offline Offline

Posts: 7


« Reply #8 on: Friday 22 June 2012, 09:20:27 am »

ahhhh i see, you're running a windows client! i'm not... its a gw2gw connection with 2 endian firewalls that i'm having this issue with and i can't seem to find the relevant config file on endian client firewall anywhere.


Can anyone else shed some light on this issue?
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #9 on: Saturday 23 June 2012, 11:29:07 pm »

Yes but it also works on linux systems. Hmmmm i think it doesn't matter ? Anyways add gw2gw in the subject if possible...
Logged
WGE
Jr. Member
*
Offline Offline

Posts: 7


« Reply #10 on: Tuesday 26 June 2012, 08:53:06 am »

Added GW2GW in the Subject, i wouldn't have thought it would be that hard to change the MTU on the client side, Where is it getting that first line from dammit!? Tongue

2012-06-25 07:38:09
wgevpn[4180]: Mon Jun 25 07:38:09 2012 /sbin/ip link set dev tap1 up mtu 1500
OpenVPN
2012-06-25 07:38:09
wgevpn[4180]: Mon Jun 25 07:38:09 2012 /sbin/ip addr add dev tap1 172.31.56.100/16 broadcast 172.31.255.255
OpenVPN
2012-06-25 07:38:09
wgevpn[4180]: Mon Jun 25 07:38:09 2012 /usr/local/bin/dir.d-exec /etc/openvpn/ifup.client.d/ tap1 1500 1574 172.31.56.100 255.255.0.0 init
OpenVPN
2012-06-25 07:38:09
wgevpn[4180]: Mon Jun 25 07:38:09 2012 Initialization Sequence Completed
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #11 on: Wednesday 27 June 2012, 09:39:35 pm »

Troubleshooting VPN connections.
   1. Write down the MTU size used by the ISP (ping -c1 -M do -s 1460 <host>).
   2. Login to the CLI, either from a shell or from Menubar ‣ System ‣ Web Console.
   3. Edit the openvpn template with an editor of choice: nano /etc/openvpn/openvpn.conf.tmpl.
   4. Search for the string mssfix 1450.
   5. Replace 1450 with a lower value, for example 1200.
   6. Restart openvpn by calling: restartopenvpn.

http://docs.endian.com/system.html#mtusize

Nothing else I guess Grin
Logged
WGE
Jr. Member
*
Offline Offline

Posts: 7


« Reply #12 on: Monday 02 July 2012, 03:34:31 pm »

Yeah, that works for the server but not the client for some reason... oh well. I'll keep trying, in the mean time if anyone works out where its kept, let me know. i'll be eternally grateful.

Cheers.
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #13 on: Tuesday 03 July 2012, 07:06:36 pm »

Its not possible that the client is not setting mtu size. May be you need to try from scratch... Cry Or may be Mr. mrkroket  Cool can able to point out what you are doing wrong.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.141 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com