# How do I change the MTU on an iPad for openvpn?

## Moriah

I use openvpn to connect my home office to the internet.  Don't ask why; it's complicated, but the net result is that I need to run with my MTU set a bit short to allow for the VPN envelope.  All my Gentoo boxes use ifconfig ethx xxx.xxx.xxx.xxx mtu 1400, and my windoze laptops use MTU 1400 in the registry settings.

We got a couple of iPads a couple of months ago, and they work great on a typical wifi with an mtu of 1500, and they also work great on the AT&T 3G network, but they hang up and time out on some connections on the home net because the MTU is too long, 1500, when it needs to be 1400 for the vpn.    :Sad: 

Does anybody know how to change the mtu on a stoopid ipad?  I can't find any information about this anywhere.    :Crying or Very sad: 

Sorry that this might be slightly off topic, but the network is using gentoo, iptables, and openvpn, so it's on topic in that respect.  Besides, I could not find anything anywhere else, and the guys that read and post to these forums are some of the brightest people on the internet.    :Very Happy: 

----------

## gerdesj

Your OpenVPN router should be sending back "fragmentation required" to your iPad when it tries to use too big a packet and it should scale back automatically.  

So are you allowing ICMP to work properly on your internal LAN?

I doubt very much that end users are allowed to tweak the perfect settings on an iPad's IP stack.

If you can run ping from the iPad with various different sizes, you could run Wireshark on your router and look to see if things are failing there.  A filter like "icmp && host <ipad's IP>" will keep the noise down.

If the box with OVPN has no GUI then use tcpdump and write the packets to a file to load into Wireshark remotely.

Cheers

Jon

----------

## Moriah

The problem, of course, is that the ipad is a "sealed unit" with "no user serviceable parts inside".   :Sad: 

I do not even have a command prompt from which to launch a ping, much less accessibility to the tuning of the ip stack.  I was hoping that maybe there was one of those fabulous little "apps" out there that would let me do this.

The ipad does not talk directly to the openvpn, as there are 2 natting firewalls in between them.  All my other boxes need to have the mtu set manually; I just don't know how to do it from the ipad.  Surely there must be a way...

Perhaps what I need to do is check the iptables firewall that directly faces the ipad and see if it is sending any frag-req'd responses.

Here is the NIC setup on that firewall:

```
eth0      Link encap:Ethernet  HWaddr 00:13:20:58:4c:2d  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:1321940454 errors:0 dropped:111 overruns:0 frame:0
          TX packets:2507280442 errors:61754 dropped:0 overruns:0 carrier:61754
          collisions:594098012 txqueuelen:100 
          RX bytes:1699280907 (1.5 GiB)  TX bytes:4107016685 (3.8 GiB)

eth1      Link encap:Ethernet  HWaddr 00:40:f4:ea:aa:a1  
          inet addr:192.168.2.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:2479687632 errors:52451 dropped:3332 overruns:8632 frame:10
          TX packets:1298032887 errors:4096 dropped:0 overruns:4 carrier:8192
          collisions:641615934 txqueuelen:1000 
          RX bytes:2122288781 (1.9 GiB)  TX bytes:3950369114 (3.6 GiB)
          Interrupt:7 Base address:0xa800 
```

As you can see, both NICs have mtu=1400, so this firewall ought to be the one to send frag-reqd before openvpn ever sees the packet.
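
An added example, not part of any poster's message: a minimal Python parser for the ICMP "fragmentation required" message (type 3, code 4, next-hop MTU field per RFC 1191) that the thread expects the firewall to return, showing which fields to look for in a capture. The client address 192.168.1.50 and destination 203.0.113.10 are constructed sample values, and the parser assumes a raw IPv4 packet and does not verify checksums.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, total_len, df=False):
    """Build a 20-byte IPv4 header (checksum left at 0: sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                       0x4000 if df else 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_frag_needed(packet):
    """Return details of an ICMP type 3 / code 4 message, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:
        return None                      # not ICMP, or too short to carry
                                         # the embedded original IP header
    icmp_type, icmp_code, _cksum, _unused, next_hop_mtu = struct.unpack(
        "!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, icmp_code) != (3, 4):
        return None                      # some other ICMP message
    inner = packet[ihl + 8:]             # header of the packet that was too big
    inner_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    return {
        "reporter": str(ipaddress.IPv4Address(packet[12:16])),
        "sent_to": str(ipaddress.IPv4Address(packet[16:20])),
        "next_hop_mtu": next_hop_mtu,    # 0 means a pre-RFC 1191 router
        "orig_len": inner_len,
        "orig_df": bool(flags_frag & 0x4000),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

def sample_frag_needed():
    """Constructed packet: 192.168.1.1 rejects a 1500-byte DF packet, MTU 1400."""
    original = ipv4_header("192.168.1.50", "203.0.113.10", 6, 1500, df=True)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + original + bytes(8)
    return ipv4_header("192.168.1.1", "192.168.1.50", 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_frag_needed(sample_frag_needed()))
```

If a capture taken next to the access point shows 1500-byte packets with DF set leaving the client and no message like this coming back, the ICMP reply is being dropped or never generated somewhere on the path.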

----------

## gerdesj

Sounds quite a setup ...

I personally allow all ICMP internally and many bits of it externally as well.  It makes diagnosing faults easier.

Although you can't do anything directly on the iPad, you need to get a packet capture somewhere in the stream between the iPad and the router - two NATs before the iPad gets to your router - that's quite extreme!

I'm going to need a great deal more info though to go beyond this.  If the iPad can't be changed then the root cause of the fault needs fixing, and that sounds like your network!

Cheers

Jon

----------

## Moriah

I would love to delve more into this right now, but I am in the midst of preparing for an IRS audit tomorrow and Tuesday.  The IRS is the Federal tax collection agency here in the US, so I have been humming that great Beatles song, "Taxman" all afternoon.   :Wink: 

Maybe sometime later this week I will be able to plant a sniffer on the zone of the network closest to the wifi access point that the ipads connect to, and we will be able to see what's happening.

Here is a drawing, somewhat out of date, of the network here:  http://www.elilabs.com/elilabs_network.html

Thanks for your help!    :Very Happy: 

----------

