My working configuration … (which is not perfect, but it is working so far and was changed after one Mac user complained …)
- server config:
option comp_lzo 'yes' (v2.4.6; I use it for backward compatibility with my older VPN clients, but I will change it to compress later on once I have all clients on version 2.4 or higher)
- win client:
comp-lzo adaptive (v2.3alpha2)
- android client:
compress lzo (this is generated by the Turris/Foris OpenVPN plugin, v2.4.6)
- mac client:
compress lzo (I do not know the version, but I believe it is v2.4.x)
MTU can be changed when there is a mismatch of some directives:
compress, mssfix, fragment, cipher
compress adds 1 byte per packet (which can increase the MTU if not set properly); aside from that,
mssfix should deal with MTU in general, and if a bigger packet is passing through,
fragment should internally fragment that packet. And also
cipher, if your own list of ciphers is used, can cause the link to go down, as client and server cannot do the handshake properly, or the link goes over the set MTU level (and eventually breaks after some time).
I had a lot of issues when I was playing with OpenVPN (before the Foris easy-openvpn plugin). And when the MTU is changed on either side, the link becomes unstable or breaks instantly. Sometimes you have to explicitly specify something so the 'default' is not used, or vice versa.
ad_deprecated: comp_lzo is deprecated in 2.4 and compress in 2.5 … so maybe it is better not to use it at all (removing it from the server's and clients' configs, or setting it to 'no' --> but that will need the Turris guys to alter the openvpn-foris plugin to generate the config without that directive).
Check compress: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
There are some notes around compress/comp-lzo … I think you can remove compress (resp. set it to "no") and change all clients to not use compression at all, or set "adaptive" on the client and change compression based on each client/version using the related directive/option. There is also a "push" variant.
ad_dns/ping: if you want your OpenVPN clients to reach each other (and LAN clients as well), use
option topology 'subnet' in the server config.
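The post above lists four configs by hand and reasons about which compression directives line up. As an added example (editor's code, not the poster's and not part of the Turris/Foris plugin), the script below cross-checks a server config against a set of client configs for exactly the points raised: a compress/comp-lzo directive on one end but not the other, comp-lzo as a deprecated directive, a server that pushes compression to clients that carry no compression directive, and a server without `topology subnet`. It reads both native OpenVPN syntax (`comp-lzo adaptive`) and the UCI syntax the plugin writes (`option comp_lzo 'yes'`). The sample configs are constructed to mirror the post's setup plus one hypothetical client with no compression directive; the framing rules in the header comment are the editor's summary of the 2.4 manual, not OpenVPN's own parser.

```python
"""Cross-check OpenVPN compression directives between a server config and its
client configs. Reads both OpenVPN native syntax (comp-lzo adaptive) and the
Turris/OpenWrt UCI syntax written by the Foris plugin (option comp_lzo 'yes').

Rules applied (editor's heuristic summary of the 2.4 manual, not OpenVPN's parser):
  * comp-lzo (any mode) and compress lzo both use LZO packet framing;
    compress with no algorithm keeps framing on with no algorithm (stub);
    compress lz4 / lz4-v2 use LZ4 framing. Framing adds a byte per packet.
  * A peer with no compress/comp-lzo directive has framing off. Framing on
    at one end and off at the other breaks the link.
  * A server that pushes a compress/comp-lzo directive needs every client to
    carry at least one such directive (e.g. 'comp-lzo no') to accept it.
"""
import re
import shlex

DEPRECATED = {"comp-lzo": "deprecated since OpenVPN 2.4 (use 'compress')"}
UCI_RE = re.compile(r"^(?:option|list)\s+(\S+)\s+(.*)$")


def parse_directives(text):
    """Return [(directive, [args])] from native or UCI syntax; comment lines
    and UCI 'config' section headers are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = UCI_RE.match(line)
        if m:
            # UCI names use '_' where OpenVPN uses '-': comp_lzo -> comp-lzo
            name, args = m.group(1).replace("_", "-"), shlex.split(m.group(2))
        else:
            parts = shlex.split(line)
            if parts[0] == "config":  # UCI section header, not a directive
                continue
            name, args = parts[0], parts[1:]
        out.append((name, args))
    return out


def compression_state(directives):
    """None when framing is off, else {'directive', 'framing', 'mode'} for the
    last compress/comp-lzo directive in the file (later lines win)."""
    state = None
    for name, args in directives:
        if name == "comp-lzo":
            state = {"directive": name, "framing": "lzo",
                     "mode": args[0] if args else "adaptive"}
        elif name == "compress":
            algo = args[0] if args else "stub"
            state = {"directive": name, "framing": algo,
                     "mode": "no" if algo.startswith("stub") else "yes"}
    return state


def pushed_compression(directives):
    """Compression directives the server pushes, as (directive, args) pairs."""
    pushed = []
    for name, args in directives:
        if name == "push" and args:
            inner = shlex.split(args[0])
            if inner and inner[0] in ("compress", "comp-lzo"):
                pushed.append((inner[0], inner[1:]))
    return pushed


def check(server_text, clients):
    """Return findings as (level, peer, message) tuples."""
    findings = []
    sdirs = parse_directives(server_text)
    sstate = compression_state(sdirs)
    spush = pushed_compression(sdirs)

    if sstate and sstate["directive"] in DEPRECATED:
        findings.append(("INFO", "server", f"{sstate['directive']} is {DEPRECATED[sstate['directive']]}"))
    topo = [a for n, a in sdirs if n == "topology"]
    if not topo or topo[-1][:1] != ["subnet"]:
        findings.append(("WARN", "server", "no 'topology subnet'; clients will not reach each other as the post describes"))

    for peer, text in clients.items():
        cstate = compression_state(parse_directives(text))
        if cstate and cstate["directive"] in DEPRECATED:
            findings.append(("INFO", peer, f"{cstate['directive']} is {DEPRECATED[cstate['directive']]}"))
        if spush:
            if cstate is None:
                findings.append(("ERROR", peer, "server pushes compression but client has no compress/comp-lzo directive to accept it"))
            continue  # the pushed setting decides the framing on both ends
        if (sstate is None) != (cstate is None):
            on, off = ("server", peer) if sstate else (peer, "server")
            findings.append(("ERROR", peer, f"compression framing on at {on} but off at {off}; link will break"))
        elif sstate and sstate["framing"] != cstate["framing"]:
            findings.append(("ERROR", peer, f"framing mismatch: server {sstate['framing']} vs client {cstate['framing']}"))
    return findings


# Constructed sample configs mirroring the post's setup (not real files).
SERVER_UCI = """
config openvpn 'server_turris'
        option enabled '1'
        option dev 'tun_turris'
        option topology 'subnet'
        option comp_lzo 'yes'
"""
CLIENTS = {
    "win-2.3":        "client\ndev tun\ncomp-lzo adaptive\n",
    "android-2.4":    "client\ndev tun\ncompress lzo\n",
    "mac-2.4":        "client\ndev tun\ncompress lzo\n",
    "no-compression": "client\ndev tun\n",  # hypothetical client, framing off
}

if __name__ == "__main__":
    for level, peer, msg in check(SERVER_UCI, CLIENTS):
        print(f"{level:5} {peer:15} {msg}")
```

Run it as-is to see the post's four peers: the three real clients pass (LZO framing on both ends, with comp-lzo flagged as deprecated on the server and the 2.3 client), and the hypothetical client with no directive is the one that breaks. Replace the constructed strings with `open(...).read()` of your own `/etc/config/openvpn` and `.ovpn` files to check a real deployment.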