MTU issue when using GRE over tinc

Guus Sliepen guus at
Tue Dec 10 10:38:57 CET 2013

On Tue, Dec 10, 2013 at 10:08:37AM +0100, Loic Dachary wrote:

> In a setup where OpenVSwitch is used with GRE tunels on top of an interface provided by tinc, I'm experiencing MTU problems and I'm not sure how to fix them. The manifestation of the problem is, from the user point of view, communication hang. And using "tcpdump -i there" displays lines such as :
>     18:54:00.345666 IP > GREv0, key=0x5, length 1438: IP > Flags [P.], seq 4917:6293, ack 658, win 71, length 1376
>     18:54:00.345746 IP > ICMP unreachable - need to frag (mtu 1445), length 556
> My actual use case very much ressembles what is described here
> and I tried to change the MTU on hte tinc provided interfaces on the machines that have and bound to them:
>     ip link set mtu 1546 dev there

The problem is that the GRE tunnel sets the DF bit in its headers, meaning that
tinc should not fragment the GRE packets, but instead reply with an ICMP error
message when the packets are too large. This is exactly what tinc does. The
problem is that GRE doesn't handle those ICMP packets at all. To make sure that
the packets sent through the GRE tunnel do not exceed the maximum packet size,
you should lower the MTU of the GRE interface, for example like so:

ip link set mtu 1400 dev gre0

Raising the MTU of the VPN interface does not help in any way, and lowering the
MTU of the VPN interface will make the problem worse.

Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <>

More information about the tinc-devel mailing list