Tinc performance on a Dir-300

Guus Sliepen guus at tinc-vpn.org
Tue Nov 23 11:21:13 CET 2010


On Tue, Nov 23, 2010 at 09:42:56AM +0100, ZioPRoTo (Saverio Proto) wrote:

> >>> this will cause new TCP connections to use segments that fit your interface
> >>> MTU.
> >
> > I have had this problem too!  Can you do the same for UDP connections?
> 
> Sorry for this VERY late reply. I missed your email until now.
> 
> No, you can't do it that simple with UDP.
> 
> With TCP you have a three-way handshake when setting up the connection
> where you can adjust the MSS with the --clamp-mss-to-pmtu iptables
> magic.
> 
> In UDP there is no "connection". Every packet is a single packet.

Tinc will figure out the MTU between each node on its own.  It will send ICMP
Fragmentation Needed or ICMPv6 Packet too Big packets in response to any IP
packet that is larger than the MTU and which does not have the DF bit set. That
should ensure the sender will reduce the size of the packets it sends, whether
it is TCP, UDP, or another protocol that runs on top of IP.

However, these days there are a lot of firewalls in the way of your VPN traffic
that block almost all ICMP packets. So in some cases, this mechanism will not
work. Tinc itself (from version 1.0.13 onwards) will also clamp the MSS of TCP
packets (both on IPv4 and IPv6). So, the iptables rule should not be necessary.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
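
What clamping the MSS involves at the packet level, as an added example that is not part of the original message and is not tinc's own code: the function walks the options of a TCP SYN, lowers the MSS option if it exceeds a limit, and patches the checksum incrementally (RFC 1624). The sample headers, the function names and the 1400-byte limit (a constructed 1440-byte path MTU minus 40 bytes of IPv4 and TCP header) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed SYN headers; checksums chosen so that inet_sum() returns 0xffff. */
uint8_t syn_even[24] = {0xc0,0,0,0x50, 0,0,0,1, 0,0,0,0, 0x60,2,0x20,0, 0xb7,0xf3,0,0,
                        2,4,0x05,0xb4};          /* MSS 1460 at an even offset */
uint8_t syn_odd[28]  = {0xc0,0,0,0x50, 0,0,0,1, 0,0,0,0, 0x70,2,0x20,0, 0xf5,0xa2,0,0,
                        1,2,4,0x05,0xb4,1,1,0};  /* leading NOP: MSS at an odd offset */

/* Ones' complement sum of n bytes (n even); a valid checksum sums to 0xffff. */
uint16_t inet_sum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(p[i] << 8 | p[i + 1]);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Lower the MSS option of a TCP SYN to max_mss; tcp points at the TCP header.
 * Returns 1 if rewritten, 0 if left alone, -1 if the options are malformed. */
int clamp_mss(uint8_t *tcp, size_t len, uint16_t max_mss) {
    if (len < 20) return -1;
    size_t hdr = (size_t)(tcp[12] >> 4) * 4;        /* data offset in bytes */
    if (hdr < 20 || hdr > len) return -1;
    if (!(tcp[13] & 0x02)) return 0;                /* MSS is only sent on SYN */
    for (size_t i = 20; i < hdr; ) {
        if (tcp[i] == 0) break;                     /* end of option list */
        if (tcp[i] == 1) { i++; continue; }         /* NOP padding */
        if (i + 1 >= hdr) return -1;                /* length byte missing */
        size_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hdr) return -1;  /* zero-length loop or overrun */
        if (tcp[i] == 2) {                          /* kind 2 = MSS, always 4 bytes */
            if (olen != 4) return -1;
            uint16_t cur = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]), mss = max_mss;
            if (cur <= mss) return 0;               /* only ever lower it */
            tcp[i + 2] = (uint8_t)(mss >> 8); tcp[i + 3] = (uint8_t)mss;
            if (i & 1) {                            /* value straddles two 16-bit words */
                cur = (uint16_t)(cur << 8 | cur >> 8);
                mss = (uint16_t)(mss << 8 | mss >> 8);
            }
            /* RFC 1624 incremental update: HC' = ~(~HC + ~m + m') */
            uint32_t s = (uint16_t)~(tcp[16] << 8 | tcp[17]);
            s += (uint32_t)(uint16_t)~cur + mss;
            while (s >> 16) s = (s & 0xffff) + (s >> 16);
            tcp[16] = (uint8_t)(~s >> 8); tcp[17] = (uint8_t)~s;
            return 1;
        }
        i += olen;
    }
    return 0;
}
```

A UDP datagram carries no comparable field to rewrite, so only the ICMP path applies there.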