Hello everyone!
Could you help me with UDP truncation problem?
I have three hosts, two on broadband connection, one on 4G (lower MTU).
Judging by tincd logs, MTU discovery works, for example on 4G host:
tincd[4598]: Got MTU probe length 1363
TCP inside the VPN network works fine, but UDP is truncated. By testing
with iperf and dumping traffic I get this:
Between broadband hosts:
20:45:04.259936 IP (tos 0x0, ttl 64, id 52068, offset 0, flags [+],
proto UDP (17), length 1444)
10.2.0.1.5001 > 10.2.0.3.54616: UDP, bad length 1470 > 1416
Between broadband and 4G hosts:
20:48:11.769469 IP (tos 0x0, ttl 64, id 21621, offset 0, flags [+],
proto UDP (17), length 1348)
10.2.0.2.46650 > 10.2.0.1.5001: UDP, bad length 1470 > 1320
ICMP is allowed both inside and outside of tunnels. All hosts are Debian
testing with tinc 1.0.28.
On Fri, May 20, 2016 at 10:09:27PM +0300, Vladimir Kudrya wrote:> Could you help me with UDP truncation problem? > I have three hosts, two on broadband connection, one on 4G (lower MTU). > Judging by tincd logs, MTU discovery works, for example on 4G host: > > tincd[4598]: Got MTU probe length 1363 > > TCP inside the VPN network works fine, but UDP is truncated. By testing with > iperf and dumping traffic I get this: > > Between broadband hosts: > 20:45:04.259936 IP (tos 0x0, ttl 64, id 52068, offset 0, flags [+], > proto UDP (17), length 1444) > 10.2.0.1.5001 > 10.2.0.3.54616: UDP, bad length 1470 > 1416Tinc will fragment UDP packets that are larger than the discovered path MTU and that don't have the DF bit set. Could it be that you have a firewall rule somewhere that is blocking fragments? -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20160524/78cb1a44/attachment.sig>
> Tinc will fragment UDP packets that are larger than the discovered path > MTU and that don't have the DF bit set. Could it be that you have a > firewall rule somewhere that is blocking fragments? >You mean inside network? No, nothing is blocked inside, and nothing specifically blocks fragmented on outside routes (unless providers messing with traffic). For now I worked around this by setting tinc's tap device mtu to 1300 on every host. But any other clues would be handy.