I am trying to setup OpenVPN but am currently stuck.
I am connecting from laptop using mobile network, so completely separate from my home network.
I can connect to the server.
I can ping resources inside my network.
I can ping resources outside my network, both 8.8.8.8 and google.com, so it’s not DNS issue.
Looking into packet capture it looks like the devices are talking to each other. Server is responding to client hello and sending application data.
Looking at the Wireshark capture, the packet sizes for the TLS data are smaller than the usual Ethernet MTU, so it looks like there is a smaller MTU specified on the VPN or on the interface the VPN is running on. Shouldn’t be a problem, but the hosts remote to the server side of the VPN need to know the real TCP MSS.
The ICMP fragmentation needed response looks to be in response to one of the earlier outbound TCP frames, but the timestamps between packets 21 and 23 look too short for 10.28.30.1 to be the VPN IP of the VPN server - strange.
Do these work while connected on the VPN?
ping -4 -s 1200 cloudflare.com
ping -4 -s 1440 cloudflare.com
If 1 does and 2 returns fragmentation needed, try OpenVPN options on the client: mssfix 1200.
If that works, then you can try increasing the value for more performance (lower per-packet overhead), but I suspect at some point arround 1330 it will break.
What’s the largest packet size you can ping google.com with? What if you try pinging cloudflare with a smaller size? It sounds like PMTUD is broken which points at some sort of ICMP filtering. Do you admin the firewalls on the local and remote network to check the ICMP rules?
Yeah, you are right, but it is affecting not only VPN. I checked and on my LAN, the highest I can go is 500 packet size.
Fixing that, will probably fix vpn as well. If I find what is it is I will report back.
Thanks for help with troubleshooting this, it gave me something to investigate and focus on.
