Jump to content
TorGuard
  • 0
Sign in to follow this  
nosuchthing

OpenVPN Warning: tun-mtu and link-mtu used inconsistently

Rate this question

Question

nosuchthing

When I launch my .ovpn configuration with:

 

"sudo openvpn --config TorGuard.TCP.ovpn"

 

I receive three warnings that I am having trouble fixing. Although I do have a connection that seems to work well.  I rather not have any warnings.

 

WARNING:  'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1592'

WARNING:  'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'

 

and

 

WARNING: file 'auth.txt' is group or others accessible

 

Here is my TorGuard.TCP.ovpn file contents.

 

client

dev tun

redirect-gateway def1

 

proto tcp

# The xxxx are replaced with whichever country

remote xxxxx.torguardvpnaccess.com 995

 

resolv-retry infinite

nobind

persist-key

persist-tun

 

ca ca.crt

remote-cert-tls server

cipher AES-256-CBC

 

auth-user-pass auth.txt

comp-lzo

verb 1

reneg-sec 0

auth-nocache

 

;link-mtu 1592

;tun-mtu 1532

 

user nobody

group nobody

 

dhcp-option DNS 10.23.0.1

 

To address the first two warnings, I though to add the link-mtu 1592 and tun-mtu 1532 to match the remote server, but recieved an error that I can't specify both.  So I kept the link-mtu 1592 and took out the tun-mtu 1532.  This configuration seemed to work the best because I no longer have the first two warnings, but a new one:

 

WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1532)

 

How should I configure my link-mtu and tun-mtu with warnings and what would be a good way to secure my auth.txt file to remove the the group accessibility?

 

Thank you for your time.

 

 

 

 

Share this post


Link to post
Share on other sites

3 answers to this question

Recommended Posts

  • 0
TorGuard

Hello, welcome to the forums!

 

 

It appears that you are not using a TorGuard config, as it's missing some vital parameters. You can either generate a config with the generator tool from the client dashboard, or you can use the Standard configs from the download page.

 

Config Generator: https://torguard.net/tgconf.php?action=vpn-openvpnconfig

Standard Configs: https://torguard.net/downloads.php

Share this post


Link to post
Share on other sites
  • 0
nosuchthing

I followed the instructions at:

 

https://torguard.net/knowledgebase.php?action=displayarticle&id=32

 

I used the TorGuardPro config files linked to from the link above and TCP generated config files.  I changed the .ovpn to .conf and ran it.  I was able to get a connection, but it was no better than the customized connection I did above.

 

I still receive the link-mtu and tun-mtu warnings, but also securities warnings that the ciphers in the config file is 64 bits and vulnerable to attacks.  So right now the configuration I provided above is better than the instructions provided by the link.

Share this post


Link to post
Share on other sites
  • 0
Support

I followed the instructions at:

 

https://torguard.net/knowledgebase.php?action=displayarticle&id=32

 

I used the TorGuardPro config files linked to from the link above and TCP generated config files.  I changed the .ovpn to .conf and ran it.  I was able to get a connection, but it was no better than the customized connection I did above.

 

I still receive the link-mtu and tun-mtu warnings, but also securities warnings that the ciphers in the config file is 64 bits and vulnerable to attacks.  So right now the configuration I provided above is better than the instructions provided by the link.

 

Hi -  it may also be pushed from server side - please test the following IP: 96.47.237.170 using the same cipher and config in your initial post - remove the link-mtu 1592 line you added and use below - let me know if you receive any warnings now.

 

         client

dev tun

redirect-gateway def1

 

proto tcp

# The xxxx are replaced with whichever country

remote 96.47.237.170 995

 

resolv-retry infinite

nobind

persist-key

persist-tun

 

ca ca.crt

remote-cert-tls server

cipher AES-256-CBC

 

auth-user-pass auth.txt

comp-lzo

verb 1

reneg-sec 0

auth-nocache

 

user nobody

group nobody

 

dhcp-option DNS 10.23.0.1

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×