Feature #15585
Add OpenVPN Option for manually MTU setting
Status: open
Added by Jonathan Lee 6 months ago. Updated 6 months ago.
Description
Ref:
https://forum.netgate.com/topic/148161/how-to-change-mtu-mssfix-values-for-openvpn-in-pfsense
I started to research this today and learned that many ISPs and mobile phones have different MTU requirements. Would it be more streamlined to add a GUI option to change MTU settings inside OpenVPN?
Updated by Jonathan Lee 6 months ago
It would be nice to have this as a non-custom option, a GUI-based option for users.
Updated by Christopher Cope 6 months ago
Jonathan Lee wrote in #note-1:
It would be nice to have this as a non-custom option, a GUI-based option for users.
You can set MSS clamping in the GUI at System > Advanced > Firewall & NAT under the VPN Packet Processing.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#mss-clamping
This should overcome the issues you are having without the need to set custom options. If not, please provide the custom options you are using and whether you are using an OpenVPN server or client on pfSense.
Updated by Jonathan Lee 6 months ago
So the users on the forum didn’t need to set custom settings for OpenVPN configuration export system? The way I understood this was the device running the client software needed an import file that OpenVPN generates and this is what was being customized so that the clients are preset to that MTU and MSS. This wouldn’t be handled by the firewall software itself but the OpenVPN export config file used to import into the devices dialing into the VPN.
Updated by Christopher Cope 6 months ago
Jonathan Lee wrote in #note-3:
So the users on the forum didn’t need to set custom settings for OpenVPN configuration export system? The way I understood this was the device running the client software needed an import file that OpenVPN generates and this is what was being customized so that the clients are preset to that MTU and MSS. This wouldn’t be handled by the firewall software itself but the OpenVPN export config file used to import into the devices dialing into the VPN.
If you are trying to set it explicitly on the client side the custom option is needed. However, most issues should be fixed by the setting on the firewall as it clamps the values across the tunnel and TCP traffic will negotiate based upon that value, which ultimately affects the client connection as well.
Updated by Kris Phillips 6 months ago
- Priority changed from Normal to Low
Christopher Cope wrote in #note-4:
Jonathan Lee wrote in #note-3:
So the users on the forum didn’t need to set custom settings for OpenVPN configuration export system? The way I understood this was the device running the client software needed an import file that OpenVPN generates and this is what was being customized so that the clients are preset to that MTU and MSS. This wouldn’t be handled by the firewall software itself but the OpenVPN export config file used to import into the devices dialing into the VPN.
If you are trying to set it explicitly on the client side the custom option is needed. However, most issues should be fixed by the setting on the firewall as it clamps the values across the tunnel and TCP traffic will negotiate based upon that value, which ultimately affects the client connection as well.
While this sets it globally for all VPN traffic, there are situations where you only want a single client to have MSS clamping present on their client config. Since this is for the OpenVPN Client Export package, I believe we should consider this regardless.
Moving the priority to Low, however, as you can apply mssfix to the client config when you export it in the advanced options.
Updated by Jonathan Lee 6 months ago
Thanks for considering this. I was researching this after I was testing the VPN to home NAS connection across the United States and it seemed to be fragmenting. I started to look into this and found many other users with T-Mobile service also have to set custom options for specific requirements. Again, that took a while to find. I was originally searching in the GUI OpenVPN package and it does not list it. Yes, it is achievable with utilization of manual custom options. Still, everyday pfSense users would not know how to use or set the custom options like this. This would simplify the process if it is listed as an option they can change in the GUI. The forum page has different ways to achieve this. Again, with pfSense having it coded into the GUI, the best method would be utilized, as PHP would be the one setting it for users.
I was doing some forum research and I have found 2 different methods recommended by users that are being utilized currently.
A.
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
Also
One that skips tun-mtu-extra
tun-mtu 1200;
mssfix 1200;
And one that utilizes the fragment keyword
fragment 1300;
mssfix 1340;
One is using the fragment keyword and the other is using tun-mtu.
Yes, the numbers would be different; however, the way this is achieved seems different among users with what keywords are used.
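An added example, not part of the issue thread or of pfSense: a small check for the MTU-related custom options discussed above, run over a client/server pair before the client config is handed out. The function names and the sample strings are constructed for illustration, and the mismatch check assumes neither value is pushed by the server.

```python
import difflib

# MTU-related OpenVPN directives named in the thread.
MTU_DIRECTIVES = ("tun-mtu", "tun-mtu-extra", "mssfix", "fragment")
MUST_MATCH = ("tun-mtu", "fragment")  # OpenVPN expects these to agree on both peers

def parse_options(text):
    """Split custom options (';' or newline separated) into (name, args) pairs."""
    entries = []
    for chunk in text.replace("\n", ";").split(";"):
        parts = chunk.split()
        if parts:
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def mtu_values(text, findings, side):
    """Collect numeric MTU directives; record typos and bad arguments in findings."""
    values = {}
    for name, args in parse_options(text):
        if name not in MTU_DIRECTIVES:
            guess = difflib.get_close_matches(name, MTU_DIRECTIVES, n=1, cutoff=0.6)
            if guess:
                findings.append(f"{side}: unknown directive '{name}', did you mean '{guess[0]}'?")
        elif not args or not args[0].isdigit():
            findings.append(f"{side}: '{name}' needs a numeric size")
        else:
            values[name] = int(args[0])
    return values

def lint_mtu_options(client_text, server_text, proto="udp"):
    """Return a list of findings for one client/server pair of custom options."""
    findings = []
    client = mtu_values(client_text, findings, "client")
    server = mtu_values(server_text, findings, "server")
    for name in MUST_MATCH:
        if client.get(name) != server.get(name):
            findings.append(f"{name} differs: client={client.get(name)} server={server.get(name)}")
    if not proto.lower().startswith("udp"):
        for name in ("fragment", "mssfix"):
            if name in client or name in server:
                findings.append(f"{name} is meant for UDP tunnels, proto is {proto}")
    return findings

# Constructed sample input: the client string carries a misspelled mssfix.
SERVER = "tun-mtu 1500; tun-mtu-extra 32; mssfix 1450;"
CLIENT = "tun-mtu 1200;\nmisfit 1200;"

if __name__ == "__main__":
    print("\n".join(lint_mtu_options(CLIENT, SERVER)))
```

A misspelled directive is the case worth catching early, since the intended clamp is never applied to that client.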