Jump to content
TorGuard
  • 0
Sign in to follow this  
nosuchthing

OpenVPN Warning: tun-mtu and link-mtu used inconsistently

Rate this question

Question

nosuchthing

When I launch my .ovpn configuration with:

 

"sudo openvpn --config TorGuard.TCP.ovpn"

 

I receive three warnings that I am having trouble fixing. Although I do have a connection that seems to work well.  I rather not have any warnings.

 

WARNING:  'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1592'

WARNING:  'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'

 

and

 

WARNING: file 'auth.txt' is group or others accessible

 

Here is my TorGuard.TCP.ovpn file contents.

 

client

dev tun

redirect-gateway def1

 

proto tcp

# The xxxx are replaced with whichever country

remote xxxxx.torguardvpnaccess.com 995

 

resolv-retry infinite

nobind

persist-key

persist-tun

 

ca ca.crt

remote-cert-tls server

cipher AES-256-CBC

 

auth-user-pass auth.txt

comp-lzo

verb 1

reneg-sec 0

auth-nocache

 

;link-mtu 1592

;tun-mtu 1532

 

user nobody

group nobody

 

dhcp-option DNS 10.23.0.1

 

To address the first two warnings, I though to add the link-mtu 1592 and tun-mtu 1532 to match the remote server, but recieved an error that I can't specify both.  So I kept the link-mtu 1592 and took out the tun-mtu 1532.  This configuration seemed to work the best because I no longer have the first two warnings, but a new one:

 

WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1532)

 

How should I configure my link-mtu and tun-mtu with warnings and what would be a good way to secure my auth.txt file to remove the the group accessibility?

 

Thank you for your time.

 

 

 

 

Share this post


Link to post
Share on other sites

3 answers to this question

Recommended Posts

  • 0
TorGuard

Hello, welcome to the forums!

 

 

It appears that you are not using a TorGuard config, as it's missing some vital parameters. You can either generate a config with the generator tool from the client dashboard, or you can use the Standard configs from the download page.

 

Config Generator: https://torguard.net/tgconf.php?action=vpn-openvpnconfig

Standard Configs: https://torguard.net/downloads.php

Share this post


Link to post
Share on other sites
  • 0
nosuchthing

I followed the instructions at:

 

https://torguard.net/knowledgebase.php?action=displayarticle&id=32

 

I used the TorGuardPro config files linked to from the link above and TCP generated config files.  I changed the .ovpn to .conf and ran it.  I was able to get a connection, but it was no better than the customized connection I did above.

 

I still receive the link-mtu and tun-mtu warnings, but also securities warnings that the ciphers in the config file is 64 bits and vulnerable to attacks.  So right now the configuration I provided above is better than the instructions provided by the link.

Share this post


Link to post
Share on other sites
  • 0
Support

I followed the instructions at:

 

https://torguard.net/knowledgebase.php?action=displayarticle&id=32

 

I used the TorGuardPro config files linked to from the link above and TCP generated config files.  I changed the .ovpn to .conf and ran it.  I was able to get a connection, but it was no better than the customized connection I did above.

 

I still receive the link-mtu and tun-mtu warnings, but also securities warnings that the ciphers in the config file is 64 bits and vulnerable to attacks.  So right now the configuration I provided above is better than the instructions provided by the link.

 

Hi -  it may also be pushed from server side - please test the following IP: 96.47.237.170 using the same cipher and config in your initial post - remove the link-mtu 1592 line you added and use below - let me know if you receive any warnings now.

 

         client

dev tun

redirect-gateway def1

 

proto tcp

# The xxxx are replaced with whichever country

remote 96.47.237.170 995

 

resolv-retry infinite

nobind

persist-key

persist-tun

 

ca ca.crt

remote-cert-tls server

cipher AES-256-CBC

 

auth-user-pass auth.txt

comp-lzo

verb 1

reneg-sec 0

auth-nocache

 

user nobody

group nobody

 

dhcp-option DNS 10.23.0.1

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...