On Thursday 17 June 2010 14:07:09 Linus Lüssing wrote:
Yep, tap mode in openvpn is adding an extra header, it encapsulates not only the ip-packet but also the ethernet frame into udp or tcp. (By the way, tun-mode also adds an extra header, but the packets are smaller - only IP packets encapsulated in UDP or TCP.)
May I ask whether you are bridging tap0 or if you are routing the packets (so having an ip address on tap0 and having according entries in your routing table)? If it's the latter, then you could just decrease the MTU on the tap0 interfaces to a fitting size and let the VPN routers do the PMTU discovery stuff automatically. But of course, then you probably wouldn't need tap-mode in this scenario, as it just adds additional overhead with the unnecessary ethernet frame in between.
I know that tinc has two little, a bit hacky features in case of bridging tap0 with tap-mode (they call it switch-mode) to inform the other machines of the lower MTU in between. But I haven't heard of OpenVPN having similar features.
So I guess the easiest step would be the first suggestion, to do routing in between and lowering the MTU on the tap interfaces for a start before starting to experiment with (experimental) features and/or more complicated setups :).
Cheers, Linus
We tried tinc now, but the problem still exists. Our tinc config looks like this:
----------
root@OpenWrt:~# cat /etc/tinc/batvpn/tinc.conf
Hostnames=yes
Mode=Switch
name=floh1111
ConnectTo=batgw
#ConnectTo=harlingen
-----------
A normal ping over the VPN works up to package size 1453. If I increase the package size to 1454, the ping fails.
All devices have an mtu of 1530 except bat0 and br-mesh which have an mtu of 1500. Batman is running on the tinc device tap0 and our bridge looks like this:
---------
config 'interface' 'mesh'
	option 'type' 'bridge'
	option 'ifname' 'ath0 bat0'
	option 'proto' 'static'
	option 'ipaddr' '10.18.1.101'
	option 'netmask' '255.255.128.0'
	option 'mtu' '1500'
	option 'dns' '10.18.0.1 10.18.0.254'
--------------
If I decrease the mtu on the client that has no batman advanced to 1481, everything works fine.
Think we need help again^^ Clemens