Netgear DG834G and OpenVPN

Posted on 2005-04-05
Last Modified: 2008-01-09
Got a problem with this.

I have OpenVPN working internally between machines and I now need to get this working between an external and internal machine. OpenVPN uses port 1194 by default so it should be a simple matter of adding a port routing on the router to send all UDP 1194 packets to the VPN server internally (outgoing packets are now restricted).

When trying from the outside, the router is getting the client packets and apparently passing them on to the server (from the router log), but the server is either not getting them or ignoring them.

I noticed that the OpenVPN standard MTU is 1500 but the router for some reason is set to 1458.
Both the client and server configuration use the default 1500.

I presume if the MTU is smaller on the router, then the server may not be getting the full 1500 packet sent.
Any idea why the router may have a smaller 1458 size?

What's the downside of reducing the OpenVPN MTU to match the router?

Question by:countytechnologies

    Expert Comment

    The reason for the MTU being less is to allow for extras added by the packet headers.

    I would suggest changing your MTU on OpenVPN. It is trying to use the 1500 MTU that is standard for Ethernet.


    Author Comment

    The OpenVPN documents suggest leaving the standard 1500 MTU but using something called fragment size?

    So in the config file:
     dev tun
     tun-mtu 1500
     fragment 1400

    However, I would guess that if the router is set to 1458, then something's going to get lost?
    Any comments?

    Accepted Solution

    This was a discussion that I had with lrmoore previously on the same topic:

    You shouldn't have this problem though, as your OpenVPN client should be able to fragment the packets before it encrypts them. I would try setting the tun-mtu to the MTU of your router and then the fragment setting a bit lower than that.

    The only consequence of this if it works is that you may have slightly less throughput than you might with higher MTUs as more packets will be fragmented, resulting in more overhead.
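
An added example, not part of the original thread: a small Python check of whether the UDP datagrams an OpenVPN config produces fit inside a given path MTU, using the tun-mtu, fragment and 1458 values quoted above. The function names and sample configs are constructed here, and it assumes the OpenVPN 2.x manual's definition of `fragment` (a cap on the UDP payload after encapsulation, excluding the UDP header).

```python
# Added example (not from the thread): sizes the largest UDP datagram an
# OpenVPN config can put on the wire and compares it with a path MTU.
IP_HDR = {4: 20, 6: 40}   # IPv4 without options / IPv6 without extension headers
UDP_HDR = 8

def parse_conf(text):
    """Parse OpenVPN config text into {directive: [args]}; '#' and ';' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        conf[key] = args
    return conf

def wire_fit(conf_text, path_mtu, ip_version=4):
    """Return the largest on-wire IP packet the config can produce and whether it fits.

    Assumption: 'fragment N' caps the UDP payload at N bytes. Without 'fragment'
    the payload is at least tun-mtu bytes, so the size is only a lower bound;
    cipher and HMAC overhead make the real packet larger.
    """
    conf = parse_conf(conf_text)
    hdrs = IP_HDR[ip_version] + UDP_HDR
    tun_mtu = int(conf.get("tun-mtu", ["1500"])[0])  # 1500 is the OpenVPN default
    if "fragment" in conf:
        payload, exact = int(conf["fragment"][0]), True
    else:
        payload, exact = tun_mtu, False
    wire = payload + hdrs
    # A lower bound that fits proves nothing, so report None (unknown) in that case.
    fits = (wire <= path_mtu) if (exact or wire > path_mtu) else None
    return {"wire_bytes": wire, "exact": exact, "fits": fits,
            "max_fragment": path_mtu - hdrs}

# Constructed sample configs built from the values quoted in the thread.
THREAD_CONF = "dev tun\ntun-mtu 1500\nfragment 1400\n"
DEFAULT_CONF = "dev tun\ntun-mtu 1500\n"

if __name__ == "__main__":
    for name, conf in (("with fragment", THREAD_CONF), ("defaults", DEFAULT_CONF)):
        print(name, wire_fit(conf, path_mtu=1458))
```

`fragment` has to be set to the same value on both the client and the server for the tunnel to work.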

    Author Comment

    Thanks for all the info. It's been an interesting trip getting this to work.
    In the end, I discovered I could increase the MTU on the router to 1500, so all standard now and working.

    I have to say that the MTU settings do seem a little restrictive when creating VPNs over the internet. Presumably at some stage I'm going to be attached to an internet connection where some router, somewhere is going to have an MTU less than 1500! Is this a problem in reality?

    Many thanks
