OpenVPN from Linux to IPFire

I have been migrating from Windows to a Linux desktop for a while. One of the last things to complete is setting up OpenVPN tunnels to IPFire. Using them under Windows with the OpenVPN 2.4 client worked flawlessly without trouble.

I am using Debian with Cinnamon, making use of the GNOME NetworkManager. After installing OpenVPN with sudo apt install network-manager-openvpn-gnome, I was in principle able to set up an OpenVPN tunnel, but I stumbled.

When setting up my first OpenVPN connection, I got the error message (original German message) “Konfigurationsfehler: Argument 1 für >>mssfix<< ist ungültig. Eine Zahl wird erwartet.”, translation “configuration error: argument 1 for >>mssfix<< is invalid. A number is expected.”

Looking into the related ovpn file generated by IPFire, I do find a number, which is “0”. This is a number! Reading the official OpenVPN documentation, I decided to delete this parameter line from the file. And it seems to work!

A couple of questions…

  • Comparing older configuration files with the one used for testing under Linux, I found that the option mssfix is not available in older configuration files. So why was this parameter added?
  • Why is the mssfix parameter set to 0 by IPFire? Reading the documentation, this does not make sense to me.
  • Should I keep the configuration file without the mssfix parameter?

Thanks, zargano

Hello zargano,
you can find the patch and also an explanation of these settings here → git.ipfire.org Git - ipfire-2.x.git/commit.

--mssfix can be disabled with the value 0. It seems that the network-manager is unable to handle this even though OpenVPN does provide it. If --mssfix and --fragment are disabled, the MTU value from the global settings will be used.

Best,

Erik


Hi ummegge,

I did not get this from the documentation. Thanks also for the link to explain the background. I conclude that I can safely delete this line, as long as I do not experience performance issues. Since I am using OpenVPN primarily to manage resources behind IPFire, I do not see any problem at all even if I get stuck with a limited throughput on the order of 100 MBit/s.

Best, zargano
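
The edit discussed in this thread, as an added example that is not part of the original posts: a shell filter that removes a top-level mssfix 0 line from a client profile before the NetworkManager import, while leaving inline blocks and non-zero mssfix values untouched. The function names, file names and the sample profile (including its host name) are constructed for illustration. With the line removed, the client uses OpenVPN's built-in default for mssfix instead of having it disabled.

```shell
#!/bin/sh
# Added example (not from the thread): remove a top-level "mssfix 0" from an
# OpenVPN client profile so the NetworkManager import accepts it.

# strip_mssfix_zero IN OUT: copy IN to OUT without "mssfix 0" lines.
# Inline blocks (<ca>...</ca>, <key>...</key>, ...) and mssfix lines with a
# non-zero value are copied unchanged.
strip_mssfix_zero() {
    awk '
        /^[ \t]*<\/[A-Za-z0-9_-]+>/ { inblock = 0; print; next }
        /^[ \t]*<[A-Za-z0-9_-]+>/   { inblock = 1; print; next }
        inblock                     { print; next }
        {
            line = $0
            sub(/\r$/, "", line)            # tolerate CRLF line endings
            sub(/[ \t]*[#;].*$/, "", line)  # ignore a trailing comment
            n = split(line, f, " ")
            if (n == 2 && f[1] == "mssfix" && f[2] == "0") next
            print
        }
    ' "$1" > "$2"
}

# Constructed sample profile; the host name is a placeholder, and the line
# inside <ca> only stands in for block content that must not be touched.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.org 1194
mssfix 0
<ca>
mssfix 0
</ca>
EOF
}

# Demo: sanitize the sample in a temporary directory and show the result.
tmpdir=$(mktemp -d)
write_sample_profile "$tmpdir/client.ovpn"
strip_mssfix_zero "$tmpdir/client.ovpn" "$tmpdir/client-nm.ovpn"
cat "$tmpdir/client-nm.ovpn"
rm -rf "$tmpdir"
# Real use, after sanitizing the profile exported from IPFire:
#   nmcli connection import type openvpn file client-nm.ovpn
```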