Why some websites load incompletely or not at all after connecting to a VPN

默北 · Linux

After connecting to a VPN (PPTP, OpenVPN, etc.), some websites render incompletely or cannot be opened at all. The cause is analysed below.

First, capture the packets and look at them, as shown in the images below. (Article from 运维生存时间 - https://www.ttlsa.com/linux/can-not-view-site-on-vpn/)

[Packet capture screenshots: the DF (Don't Fragment) flag is highlighted]

Note the area in the red box. First, a few terms:

MTU: Maximum Transmission Unit.

MSS: Maximum Segment Size.

MTU = MSS (application-layer data) + TCP header + IP header

The MSS for a connection is negotiated when the TCP connection is established: each side offers its own MSS value, and the smaller of the two becomes the maximum MSS for that connection.

The TCP header is 20 bytes.

The IP header is 20 bytes.

If a packet exceeds the MTU, the IP datagram has to be fragmented.

If the IP header carries the DF (Don't Fragment) flag, the datagram must not be fragmented.

If a datagram exceeds the MTU and cannot be fragmented, it is dropped and an error is returned: unreachable - need to frag (destination unreachable, fragmentation needed). This is what the capture shows.

The fix is as follows:

Change the MSS of the data segments.

iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1356

Every TCP packet forwarded from 192.168.100.0/24 (the rule matches the SYN, which is where the MSS option is carried) has its MSS set to 1356.

Please credit the source when reprinting: https://www.ttlsa.com/html/887.html

默北
  • Published 29/01/2012 22:47:26
  • Please keep this link when reprinting: https://www.ttlsa.com/linux/can-not-view-site-on-vpn/
Comments (5)

    • 默北

      iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

      • 默北

        Most offices and many coffee shops will block the default port 1194 (UDP). It is also a very popular port for naughty people trying to see what you have on your network. If you're not running a web server, set it to port 80 or 443 (TCP) as these ports are normally accessible. If these don't work, try other ones like 21 (TCP) which is normally used for a FTP server. You will likely see better throughput on some ports than on others due to 'traffic shaping', aka giving network priority to certain applications.
        Comcast blocks ports 21,80,443 for UDP but not for TCP.
        The network packets that are sent through the vpn tunnel can become fragmented, split into two or more packets to make them fit into the vpn network packet. Let's increase the size of the vpn network packet to reduce the network packet fragmentation:
        tun-mtu 1500
        mssfix 1400
        Compression. This is a little more subjective than you would think. If most of your activity is based on data streams (e.g. watching video, listening to music), then the compression may cause delays (think extra buffering / stuttering). My advice is to try with it on and try with it off. Which seems to be more responsive to you?

        • 呵呵

          So in this situation the packet simply exceeds the MTU, is not fragmented, and gets dropped? And changing that setting fixes it?

            • 默北

              @呵呵 Yes.