tun-mtu ignored

  • durkovic
    Junior Member
    • May 2024
    • 1

    OpenVPN Connect for Mac ignores the tun-mtu setting and always computes the MTU for the tunnel from the physical link MTU. If the physical link is ethernet with MTU 1500, tun-mtu is reduced to 1440.

    We're explicitly setting tun-mtu=1500 to allow full packets via tunnel and expect OpenVPN Connect to perform fragmentation if needed.

    However, OpenVPN Connect ignores this parameter and does not allow packets larger than 1440 bytes:

    $ ping -s 1472 1.1.1.1
    36 bytes from x.x.x.x: frag needed and DF set (MTU 1440)

    Yet worse, when we configure mssfix=1400 to ensure no fragmentation solely for TCP connections, OpenVPN Connect reduces tun-mtu to 1376 and makes UDP protocols like QUIC completely unusable:

    $ ping -s 1472 1.1.1.1
    36 bytes from x.x.x.x: frag needed and DF set (MTU 1376)

    Other OpenVPN clients correctly pass such packets through the tunnel and use fragmentation to deliver them over a physical connection with MTU 1500.

    We also tried to explicitly configure fragment=1460, but OpenVPN Connect rejects it with:

    Connection Failed - option error: sorry, 'fragment' directive is not supported, nor is connecting to a server that uses 'fragment' directive

    This is a serious violation of the OpenVPN protocol and it means that OpenVPN Connect for Mac is not usable in environments requiring full 1500 byte packets via the tunnel.
    Last edited by durkovic; 2024-05-07, 01:07 AM.
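A scripted version of the check in the post, added here as an example and not code from the original post or from OpenVPN Connect: it binary-searches the largest DF-set ping the tunnel passes and compares that with the configured tun-mtu, so a measured 1440 against a configured 1500 shows the client did not honour the setting. It assumes the real `ping` flags `-D` (macOS) and `-M do` (Linux), parses the BSD/macOS "frag needed and DF set (MTU n)" wording shown in the post (any other output is simply treated as no reply), and the `fake_runner_for` helper with its 10.8.0.1 address is constructed test data, not a real peer.

```python
"""Probe the effective path MTU through a VPN tunnel with DF-set pings.

Added example, not part of the original forum post or of OpenVPN Connect.
Assumes the `ping` flags `-D` (macOS: set DF) and `-M do` (Linux: set DF),
and that the tunnel peer answers ICMP echo requests.
"""
import re
import subprocess
import sys
from typing import Callable, Optional

# IPv4 header (20) + ICMP echo header (8): the gap between the `ping -s`
# payload and the on-wire packet size, so `ping -s 1472` is a 1500-byte packet.
ICMP_IPV4_OVERHEAD = 28

# BSD/macOS wording from the post; other platforms' messages just count as "no reply".
FRAG_NEEDED_RE = re.compile(r"frag needed and DF set \(MTU (\d+)\)")
ECHO_REPLY_RE = re.compile(r"\d+ bytes from \S+: icmp_seq=\d+")

Runner = Callable[[str, int], str]


def payload_for_mtu(mtu: int) -> int:
    """Largest `ping -s` payload that fits in an IPv4 packet of `mtu` bytes."""
    return mtu - ICMP_IPV4_OVERHEAD


def mtu_for_payload(payload: int) -> int:
    """On-wire size of a ping carrying `payload` bytes."""
    return payload + ICMP_IPV4_OVERHEAD


def parse_frag_needed(output: str) -> Optional[int]:
    """Return the MTU reported in an ICMP 'frag needed' message, or None."""
    match = FRAG_NEEDED_RE.search(output)
    return int(match.group(1)) if match else None


def probe_succeeded(output: str) -> bool:
    """True only if an echo reply came back (not 'frag needed', not a timeout)."""
    if parse_frag_needed(output) is not None:
        return False
    return ECHO_REPLY_RE.search(output) is not None


def run_ping(host: str, payload: int) -> str:
    """Send one DF-set echo request of `payload` bytes and return ping's output."""
    if sys.platform == "darwin":
        cmd = ["ping", "-c", "1", "-W", "1000", "-D", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def probe_path_mtu(host: str, run: Runner = run_ping,
                   lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Binary-search the largest on-wire IPv4 size that passes with DF set.

    Returns None when even `lo` gets no reply (host down or ICMP filtered).
    """
    if not probe_succeeded(run(host, payload_for_mtu(lo))):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe_succeeded(run(host, payload_for_mtu(mid))):
            lo = mid          # this size passes; look for something larger
        else:
            hi = mid - 1      # too big; the answer lies below
    return lo


def audit_tunnel_mtu(host: str, configured_tun_mtu: int,
                     run: Runner = run_ping) -> dict:
    """Compare the configured tun-mtu with what the tunnel actually passes."""
    measured = probe_path_mtu(host, run, hi=configured_tun_mtu)
    return {
        "configured": configured_tun_mtu,
        "measured": measured,
        "honoured": measured == configured_tun_mtu,
    }


def fake_runner_for(path_mtu: int) -> Runner:
    """Constructed ping output for a tunnel whose effective MTU is `path_mtu`."""
    def run(host: str, payload: int) -> str:
        if mtu_for_payload(payload) > path_mtu:
            return f"36 bytes from 10.8.0.1: frag needed and DF set (MTU {path_mtu})\n"
        # ping reports payload + 8 (ICMP header) bytes in a reply line
        return f"{payload + 8} bytes from {host}: icmp_seq=0 ttl=57 time=12.3 ms\n"
    return run


if __name__ == "__main__":
    # usage: python mtu_probe.py <host> <configured tun-mtu>
    target = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"
    expected = int(sys.argv[2]) if len(sys.argv) > 2 else 1500
    print(audit_tunnel_mtu(target, expected))
```

Run it against the tunnel peer with the tun-mtu you configured; the search runs about ten pings and `honoured` goes False as soon as the measured value falls short, which with the numbers in the post gives 1440 (no mssfix) or 1376 (mssfix 1400) against the configured 1500.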