Tunnelblick SSL VPN to SophosXG > MTU is max 290 bytes

buzz...@gmail.com
Jan 29, 2018, 5:14:11 AM
to tunnelblick-discuss
Hi

We are suffering from an issue with SSL VPN to SophosXG firewall using MacOSX High Sierra.

After connecting, it appears that only traffic with an MTU smaller than 298 bytes.

Anything below that works okay.

This happens on 4 Macs. A reinstall is not helping.

Regards,

Bas

Tunnelblick developer
Jan 29, 2018, 5:25:17 AM
to tunnelblick-discuss
This has to do with OpenVPN, not Tunnelblick, and I suspect it is some kind of problem or misconfiguration in the SophosXG firewall, although it could be some kind of low-level networking change in High Sierra.

You didn't include the diagnostic info from Before You Post, so it's hard to say much more. All I can really suggest is that you try running OpenVPN's maximum MTU size test (maybe that's what you've already done and got the 298 bytes from it?). You can specify that on the "While Connected" tab of Tunnelblick's 'Advanced' settings window. Be sure to select the configuration you want to change in the "VPN Details" window before making a change to Tunnelblick's settings.

Otherwise, try Sophos tech support or try consulting some OpenVPN references:

buzz...@gmail.com
Jan 29, 2018, 8:38:00 AM
to tunnelblick-discuss

Hi,

Thanks for your prompt reply. I came to the 298 bytes from doing a ping test, decreasing the packet size until I started receiving a reply.
We have 16 Windows machines that don't seem to have an issue with the same configuration on the XG. Only on the Macs do we have the issue.

I can confirm the issue is not directly in Tunnelblick. We have also seen the issue with Elastix a few minutes ago so this confirms that the problem is with OpenVPN.

I will try to see if I can ask the question there ;-)

Regards,

Bas

richard...@gmail.com
Apr 16, 2018, 9:25:14 AM
to tunnelblick-discuss
Bas did you get a solution to this?

I have a very similar issue: the Windows Sophos VPN is fine, but Tunnelblick with the same config file has reduced bandwidth, where file views and copies don't work well.

Tunnelblick developer
Apr 16, 2018, 12:03:29 PM
to tunnelblick-discuss
Richard, thanks for reminding me of this.

MTU size problems can have a major impact on a VPN's bandwidth. Although Tunnelblick doesn't have anything to do with the actual VPN connection or the MTU that is used (OpenVPN does all that), Tunnelblick does have a checkbox to let you use OpenVPN's built-in test for the maximum MTU size that works for a connection. To run it:
  1. Select a configuration to test in the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window.
  2. Click the "Advanced" button. A new window will appear.
  3. Click on the "While Connected" tab in the new window.
  4. Put a check to the left of "Run MTU maximum size test after connecting".
  5. Connect to the VPN. Wait a couple of minutes for the test to complete, then examine the Tunnelblick Log to see the results.
Remember to un-check "Run MTU maximum size test after connecting" after the test.

Also, keep in mind that MTU is complicated and depends on every device (router) between you and the Internet; thus it is dynamic as routing changes in response to loads (for example).

My comments to Bas also apply to your situation, Richard. And note that Sophos should be doing this support -- they're the ones you've paid, not OpenVPN or Tunnelblick.
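The ping-based probe Bas describes earlier in the thread (shrinking the packet until a reply comes back) and the MTU test the developer points at above both answer the same question: what is the largest packet that crosses the tunnel without fragmentation? The script below is an added example, not code from the thread, Tunnelblick or OpenVPN. It binary-searches the largest ICMP echo payload that gets a reply with the Don't Fragment bit set, then reports the IPv4 packet size that implies (payload plus 8 bytes of ICMP header and 20 bytes of IPv4 header). The target host is a placeholder you supply on the command line; the macOS and Linux `ping` flag differences are handled inside `probe`.

```shell
#!/bin/sh
# Added example (not from the thread): path MTU discovery with DF-flagged pings.
# Usage: sh mtu_probe.sh <host-across-the-tunnel>   (host is a placeholder you choose)

TARGET="$1"

# probe SIZE: exit 0 if one ping with SIZE bytes of payload and DF set gets a reply.
# macOS ping: -D sets Don't Fragment, -W waits in milliseconds.
# Linux ping:  -M do sets Don't Fragment, -W waits in seconds.
probe() {
    size="$1"
    case "$(uname -s)" in
        Darwin) ping -c 1 -W 1000 -D -s "$size" "$TARGET" >/dev/null 2>&1 ;;
        *)      ping -c 1 -W 1 -M do -s "$size" "$TARGET" >/dev/null 2>&1 ;;
    esac
}

# payload_to_mtu PAYLOAD: IPv4 packet size for an ICMP echo with PAYLOAD bytes of data.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# find_max_payload LOW HIGH: binary search for the largest payload probe accepts.
# Prints the payload size; prints 0 if no probe in the range succeeds.
find_max_payload() {
    low="$1"; high="$2"; best=0
    while [ "$low" -le "$high" ]; do
        mid=$(( (low + high) / 2 ))
        if probe "$mid"; then
            best="$mid"; low=$(( mid + 1 ))
        else
            high=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Only run the search when a target was given, so the functions can be sourced alone.
if [ -n "$TARGET" ]; then
    payload="$(find_max_payload 0 1500)"
    if [ "$payload" -eq 0 ]; then
        echo "no DF-flagged ping to $TARGET got a reply; check the route or ICMP filtering"
        exit 1
    fi
    echo "largest unfragmented ICMP payload: $payload bytes"
    echo "implied path MTU (IPv4 + ICMP headers): $(payload_to_mtu "$payload") bytes"
fi
```

Run it against a host on the far side of the VPN while connected; a healthy Ethernet path reports a payload of 1472 and an MTU of 1500, and a tunnel will report something lower because of the OpenVPN and outer IP/UDP overhead. A result of 0 usually means ICMP is filtered rather than that the MTU is tiny, so confirm with the OpenVPN test described above before changing any `tun-mtu` or `mssfix` settings.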

buzz...@gmail.com
Apr 17, 2018, 2:46:13 PM
to tunnelblick-discuss
Hi Richard,

In fact I did!

Select 2.3.18 OpenSSL v1.0.2.o as the OpenVPN version and it will work like a charm again.

I honestly don't think this is a Sophos issue that much... it seems to be more like a Mac issue.

On Monday, April 16, 2018 at 15:25:14 UTC+2, Richard Penney wrote:

Tunnelblick developer
Apr 18, 2018, 8:09:31 PM
to tunnelblick-discuss
Bas - you didn't include the diagnostic info from Before You Post, so it's hard to say what the cause is.

It's likely that the Sophos device supports only obsolete, insecure encryption that modern versions of OpenSSL and LibreSSL do not allow. In my view, that would be a Sophos issue.