From b70e335a55af2777c13a040a6a0872c3b4d11749 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Wed, 27 Jun 2018 17:23:27 +0300
Subject: [PATCH] Move max_mss to config.cfg

---
 config.cfg | 10 ++++++++++
 roles/vpn/templates/rules.v4.j2 | 8 --------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/config.cfg b/config.cfg
index 731c71de..a8fa915a 100644
--- a/config.cfg
+++ b/config.cfg
@@ -18,6 +18,16 @@ vpn_network_ipv6: 'fd9d:bc11:4020::/48'
 wireguard_enabled: true
 wireguard_port: 51820
 
+# MSS is the TCP Max Segment Size
+# Setting the 'max_mss' Ansible variable can solve some issues related to packet fragmentation
+# This appears to be necessary on (at least) Google Cloud,
+# however, some routers also require a change to this parameter
+# See also:
+# - https://github.com/trailofbits/algo/issues/216
+# - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu
+# - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
+#max_mss: 1316
+
 server_name: "{{ ansible_ssh_host }}"
 IP_subject_alt_name: "{{ ansible_ssh_host }}"
 
diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2
index fe2878d6..dbcc368f 100644
--- a/roles/vpn/templates/rules.v4.j2
+++ b/roles/vpn/templates/rules.v4.j2
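Review bot: The new commented-out `#max_mss: 1316` does not say what happens while it stays commented, even though the firewall template only emits the TCPMSS rule under `{% if max_mss is defined %}` (second hunk), so an operator reading config.cfg alone cannot tell that MSS clamping is off by default. Add a line above it such as `# Leave this commented out to disable MSS clamping; the firewall rule is only generated when max_mss is defined.` The value is also given without any hint that it is an example rather than a recommended default; one more sentence saying so would keep it from being copied blindly into deployments that do not need it.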
@@ -11,14 +11,6 @@
 :POSTROUTING ACCEPT [0:0]
 
 {% if max_mss is defined %}
-# MSS is the TCP Max Segment Size
-# Setting the 'max_mss' Ansible variable can solve some issues related to packet fragmentation
-# This appears to be necessary on (at least) Google Cloud,
-# however, some routers also require a change to this parameter
-# See also:
-# - https://github.com/trailofbits/algo/issues/216
-# - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu
-# - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
 -A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }}
 {% endif %}
 