
I'm running a Dual Stack OpenVPN Server, set up according to this tutorial: https://techblog.synagila.com/2016/02/24/build-a-openvpn-server-on-ubuntu-to-provide-a-ipv6-tunnel-over-ipv4/ .

As shown in the tutorial linked above, my clients are assigned a NAT IPv4 address as well as a native IPv6 address. The client, server and IPTables config that I'm using are listed there as well. I'm connecting to this server in 'Remote Access' mode (L3) and use it as my private 'VPN', i.e. I tunnel my network traffic through this VPN server and use it to connect to the internet.

Internet connectivity works, but when running IPv6 tests, I often get warnings that IPv6 is not set up correctly, specifically 'large packets appear to fail, giving the appearance of a broken website. If a publisher publishes to IPv6, you will believe their web site to be broken. Ask your ISP about MTU issues; possibly with your tunnel. Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big)' (Source: test-ipv6.com).

I do notice this, because sometimes DNS resolving is slow. I think this also depends on whether or not it's a 'large packet'.

I've run a Wireshark trace and I do indeed see 'Packet too big - ICMPv6' errors as well as several retransmissions and connection resets. Sadly I'm no Wireshark pro so I'm not sure what to think of it.

I've tried altering the MTU size using the mssfix parameter in the client and server config. My max MTU is 1470 so I set the mssfix parameter to 1430, but that did not solve the issue. What more can I do to fix this issue?

I'm not running any firewall, I've only set up one IPtable rule according to the tutorial linked above.

Thank you.

Freek
  • I had similar issues, and had to bring mssfix all the way down to 1350. It's stable there. Keep going. – Michael Hampton May 12 '18 at 19:14
  • iptables can also fix it automatically (with the best value) with TCPMSS --clamp-mss-to-pmtu (if there's no compression I guess). It also mentions that mss is usually mtu-60 for IPv6, instead of mtu-40 for IPv4 – A.B May 12 '18 at 23:32
  • @MichaelHampton I've dropped the mssfix value all the way down to 1200 but the issue persists sadly. – Freek May 13 '18 at 13:05
  • @A.B I've disabled compression (comp-lzo is disabled) and tried the IPtable command you suggested. It works a bit better now, but still not flawless. The results are inconsistent. Sometimes the test passes in a matter of seconds with flying colors and sometimes it fails on finding 'IPv6 DNS record' or 'IPv6 Service Provider' – Freek May 13 '18 at 13:05
  • Too bad. Then just lower the mss using the application. I was also saying that it should have been tried with 1470-60. Anyway, as Michael suggested, just add some margin and forget about it – A.B May 13 '18 at 13:10
  • @A.B I've tried various values, also 1470-60, but is it true that there is only one mssfix parameter that applies both to IPv4 and IPv6? If so, what is the optimal one to choose? The lowest one? – Freek May 13 '18 at 16:40
  • Why not try Michael's 1350 value? – A.B May 13 '18 at 16:42
  • @A.B Good one, that value should be safe for both IPv4 and IPv6. I'll use it and see how it goes. Thanks. – Freek May 13 '18 at 18:35
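
For reading the 'Packet too big - ICMPv6' entries in a capture like the one described in the question, here is an added example (not part of the original thread) that parses an ICMPv6 Type 2 message as laid out in RFC 4443 and derives the largest TCP MSS that fits the reported MTU, using the MTU minus 60 rule mentioned in the comments. The sample bytes, the 2001:db8:: addresses and the 1400-byte MTU are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG = 2  # RFC 4443 section 3.2
IPV6_HEADER_LEN = 40
TCP_HEADER_LEN = 20        # TCP header without options


def parse_packet_too_big(icmp: bytes) -> dict:
    """Parse an ICMPv6 message, starting at its type byte."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMPv6 header")
    msg_type, code, _checksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG:
        raise ValueError(f"not a Packet Too Big message (type {msg_type})")
    # Largest TCP segment that fits in one IPv6 packet of the reported MTU.
    info = {"mtu": mtu, "mss": mtu - IPV6_HEADER_LEN - TCP_HEADER_LEN}
    # The router appends the start of the packet it could not forward.
    inner = icmp[8:]
    if len(inner) >= IPV6_HEADER_LEN and inner[0] >> 4 == 6:
        payload_len, next_header = struct.unpack("!HB", inner[4:7])
        info["dropped_size"] = IPV6_HEADER_LEN + payload_len
        info["next_header"] = next_header  # 6 = TCP, 17 = UDP
        info["src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return info


def build_sample() -> bytes:
    """Constructed sample: a 1500-byte TCP packet rejected at MTU 1400."""
    src = ipaddress.IPv6Address("2001:db8::10").packed
    dst = ipaddress.IPv6Address("2001:db8:1::20").packed
    inner = struct.pack("!IHBB", 0x60000000, 1460, 6, 64) + src + dst
    # Checksum left as 0: this sample is parsed, not sent on the wire.
    header = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, 1400)
    return header + inner + bytes(20)


if __name__ == "__main__":
    for key, value in parse_packet_too_big(build_sample()).items():
        print(f"{key}: {value}")
```

The `mtu` field is what the sender should have honoured; if these messages keep arriving for the same destination, the original sender is either not receiving them or is ignoring them.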

0 Answers