Background:
I have a cellular ISP and therefore cannot configure the CGNAT. After burning through some dumb ideas (free reverse proxy, docker) I realized I could just use my paid VPN.
My setup is as follows: on the VPN server create a tunnel to AirVPN and start the openvpn daemon. This creates tun0 and tun1 with their own 10.x.x.x/24 subnets. The home network has 192.168.12.0/24.
It's possible to troubleshoot the MTU with ping -M do -s xxxx y.y.y.y to the VPN public address and test TCP/UDP sockets with nc -l -u -p 1194 .
I'm not sure if the MTU is variable across servers, but for the server I am on now ping -M do -s 1432 x.x.x.x is the biggest I can get a response from. 1432+20+8=1460 bytes.
Regardless, connecting to the home VPN through the AirVPN link still causes breakage. Discord seems to be what isn't working, mostly. Everything else has 200 ms latency as expected and not everything pings correctly. Rarely it will tell me the MTU has to be adjusted, sometimes tells me "message too long" and mostly just ignores my ping.
Can someone give me a recommendation for what MTU to be setting in my local OpenVPN server? Should I use mssfix or tun-mtu? Should I lower the MTU of the AirVPN connection? What else can I do?
Diagram:
Home -> AirVPN <- (1460 MTU) -> OpenVPN Client & server -> (1300 MTU) -> Home -> Outside World
client configuration
dev tun
proto udp
remote A.B.C.D 34183
tun-mtu 1300
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
data-ciphers AES-256-CBC
verb 3
server configuration
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
tun-mtu 1300
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.12.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-server
tls-auth /etc/openvpn/server/ta.key 0
auth-nocache
user nobody
group nogroup
cipher AES-256-CBC
data-ciphers AES-256-CBC
status /var/log/openvpn/openvpn-status.log
persist-tun
persist-key
verb 3
client-to-client
explicit-exit-notify 1
AirVPN client configuration
dev tun
remote [spoiler].vpn.airdns.org 443
resolv-retry infinite
nobind
tun-mtu 1460
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
comp-lzo no
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
auth SHA512
In the process of doing this I somehow shut my house's WiFi down...
I’ve had the misfortune of posting on Craigslist Forums and then having at least 1-2 people shit on me or call me a moron