ocserv: website and mtu problems

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Sep 30 04:50:58 EDT 2013

On 09/30/2013 03:29 AM, Yin Guanhao wrote:
> On 09/30/13 02:00, Nikos Mavrogiannopoulos wrote:
>>> 2. MTU of the tun device seems to be 9 bytes larger than it should be.
>>> I was not able to browse some https sites, and tcpdump said there are
>>> truncated ip packets. After manually setting the MTU 9 bytes smaller,
>>> everything worked.
>> There have been quite some fixes regarding MTU handling. Do you use
>> the latest version (0.1.6)?
> I might not have made it clear that it is the MTU of the client side tun
> device that is 9 bytes larger.

Thanks. That could be the issue. Could you try this patch?
I'm not sure about the 9 bytes larger though. Could it be 8 bytes
instead? I cannot think what this extra byte is for.


-------------- next part --------------
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index abd8a5e..081d579 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -971,8 +971,9 @@ socklen_t sl;
 			oclog(ws, LOG_INFO, "reducing DTLS MTU to peer's DTLS MTU (%u)", req->dtls_mtu);
-		overhead = tls_get_overhead(GNUTLS_DTLS0_9, ws->req.gnutls_cipher, ws->req.gnutls_mac);
+		overhead = CSTP_DTLS_OVERHEAD + tls_get_overhead(GNUTLS_DTLS0_9, ws->req.gnutls_cipher, ws->req.gnutls_mac);
 		tls_printf(ws->session, "X-DTLS-MTU: %u\r\n", ws->conn_mtu-overhead);
+		oclog(ws, LOG_INFO, "suggesting DTLS MTU %u", ws->conn_mtu-overhead);
 	if (ws->buffer_size <= ws->conn_mtu+mtu_overhead) {
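Review bot: the new `overhead = CSTP_DTLS_OVERHEAD + tls_get_overhead(...)` is subtracted from `ws->conn_mtu` without a check that it is actually smaller; both values are printed with `%u`, so if the peer-reduced `ws->conn_mtu` is ever at or below the overhead the subtraction wraps and a huge X-DTLS-MTU is advertised to the client. Add a guard before the `tls_printf`, e.g. `if (ws->conn_mtu <= overhead) { oclog(ws, LOG_ERR, "DTLS MTU too small"); goto exit; }`. Also, the unchanged `if (ws->buffer_size <= ws->conn_mtu+mtu_overhead)` still uses the separate `mtu_overhead` variable; confirm that it accounts for the CSTP_DTLS_OVERHEAD added here, otherwise the buffer-size check and the advertised MTU diverge. Note too that this branch hardcodes `GNUTLS_DTLS0_9` while the CSTP path below queries the session's negotiated version; a one-line comment on why DTLS 0.9 is fixed here would help the next reader.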
@@ -983,11 +984,12 @@ socklen_t sl;
 			goto exit;
-	overhead = tls_get_overhead(gnutls_protocol_get_version(ws->session), gnutls_cipher_get(ws->session), gnutls_mac_get(ws->session));
+	overhead = CSTP_OVERHEAD + tls_get_overhead(gnutls_protocol_get_version(ws->session), gnutls_cipher_get(ws->session), gnutls_mac_get(ws->session));
 	ret = tls_printf(ws->session, "X-CSTP-MTU: %u\r\n", ws->conn_mtu-overhead);
+	oclog(ws, LOG_INFO, "suggesting CSTP MTU %u", ws->conn_mtu-overhead);
-	oclog(ws, LOG_INFO, "selected MTU is %u", ws->conn_mtu);
+	oclog(ws, LOG_INFO, "plaintext MTU is %u", ws->conn_mtu);
 	send_tun_mtu(ws, ws->conn_mtu);
 	if (ws->config->banner) {
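Review bot: `CSTP_OVERHEAD` and `CSTP_DTLS_OVERHEAD` are used but not defined anywhere in this diff; the patch should carry their definitions (or the header change introducing them), and the commit message should state the values and what bytes they account for, since the 8-versus-9-byte question raised in the thread hinges on exactly that. The same unsigned-wrap concern applies to `ws->conn_mtu-overhead` in the `X-CSTP-MTU` line: guard with `if (ws->conn_mtu <= overhead) goto exit;` (or similar) before sending the header, so a too-small link MTU fails loudly instead of advertising a wrapped value.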

More information about the openconnect-devel mailing list