Why some websites load incompletely or fail to open after connecting to a VPN

Category: Linux

After dialling up a VPN (PPTP, OpenVPN and the like), some websites render only partially or do not open at all. The cause is analysed below.

Start by capturing the traffic and looking at the packets (the capture screenshot is not reproduced in this text version):

Note the parts marked with red boxes. First, a few terms:

MTU: Maximum Transmission Unit. The largest IP packet, headers included, that a link will carry: 1500 bytes on plain Ethernet, and less on a VPN tunnel interface because the tunnel encapsulation (GRE for PPTP, UDP plus crypto headers for OpenVPN) takes part of every packet.

MSS: Maximum Segment Size. The largest amount of TCP payload (application-layer data) a single segment may carry.

MTU = MSS (application-layer data) + TCP header + IP header. For IPv4 without options this means MSS = MTU - 40.

The MSS of a connection is settled during the TCP handshake: each side advertises its own MSS in its SYN, and neither side may send segments larger than the value its peer advertised, so in practice the smaller of the two values governs the connection.

The TCP header is 20 bytes (without options).

The IP header is 20 bytes (without options).

If a packet is larger than the MTU of the next link, the IP packet has to be fragmented.

If the IP header carries the DF (Don't Fragment) bit, the packet must not be fragmented.

If the packet exceeds the MTU and cannot be fragmented, the router drops it and sends the original sender an ICMP error: Destination Unreachable, fragmentation needed and DF set (type 3, code 4), as in the capture. Path MTU discovery depends on that ICMP message getting back to the sender. Many firewalls drop it, so the sender never learns that its full-size segments are being discarded and keeps retransmitting them until the connection times out. Small responses (the HTML skeleton, redirects, headers) fit below the tunnel MTU and get through, while large ones (images, scripts, long pages) stall, which is exactly why pages load partially instead of failing outright.

The fix is as follows:

Clamp the MSS that VPN clients advertise in their TCP handshakes, so that no full-size segment can ever exceed the tunnel MTU and the lost ICMP message no longer matters.

iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1356

Every TCP SYN forwarded from the 192.168.100.0/24 network has its MSS option rewritten to 1356. The TCPMSS target only acts on SYN packets, which is why the --syn match is required; it does nothing to later segments. 1356 + 40 = 1396, so the value assumes a tunnel MTU of 1396: in general use the MTU of your tunnel interface (as shown by ip link) minus 40, or use --clamp-mss-to-pmtu to let the kernel derive the value from the route's MTU. Because the rule sits in the FORWARD chain it covers traffic the router forwards for the clients, not connections the router makes itself.
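As an added example that is not part of the original post, the following Python script models both sides of the explanation above: what a router does with an oversized packet (the MTU/DF decision), and what the TCPMSS rule does to the SYN (the fix). It builds a constructed IPv4/TCP SYN carrying an MSS option, reads that option, rewrites it to MTU minus 40 the way the rule would, and recomputes the TCP checksum so the rewritten packet is still valid. The addresses, ports and the tunnel MTU of 1396 (1356 + 40) are assumptions; the SYN match models the commenter's broader --tcp-flags SYN,RST SYN form, which also catches the server's SYN-ACK, rather than --syn.

```python
# Added example, not code from the original post; all packets are constructed here.
import struct

IPV4_HDR_LEN = 20                  # IPv4 header without options
TCP_HDR_LEN = 20                   # TCP header without options
MSS_OPTION_KIND = 2                # TCP option kind: Maximum Segment Size
FLAG_SYN, FLAG_RST = 0x02, 0x04
IP_DF = 0x4000                     # Don't Fragment bit in the IPv4 flags/offset field
ICMP_FRAG_NEEDED = "drop + ICMP type 3 code 4 (fragmentation needed, DF set)"

def inet_checksum(data):           # RFC 1071: ones'-complement sum of 16-bit words
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _tcp_pseudo_header(src, dst, tcp_len):
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)

def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed IPv4 packet: a TCP SYN advertising `mss`, DF bit set."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    options = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      data_offset << 4, FLAG_SYN, 65535, 0, 0) + options
    csum = inet_checksum(_tcp_pseudo_header(src, dst, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp),
                     0x1234, IP_DF, 64, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + tcp

def _tcp_bounds(packet):           # (offset of TCP header, its length incl. options)
    ihl = (packet[0] & 0x0F) * 4
    return ihl, (packet[ihl + 12] >> 4) * 4

def _mss_value_offset(packet):     # walk TCP options; offset of the MSS value or None
    ihl, tcp_hdr = _tcp_bounds(packet)
    i, end = ihl + TCP_HDR_LEN, ihl + tcp_hdr
    while i < end:
        kind = packet[i]
        if kind == 0:                        # end of option list
            return None
        if kind == 1:                        # NOP padding
            i += 1
            continue
        length = packet[i + 1]
        if length < 2:                       # malformed option: stop walking
            return None
        if kind == MSS_OPTION_KIND and length == 4:
            return i + 2
        i += length
    return None

def parse_mss(packet):
    off = _mss_value_offset(packet)
    return None if off is None else struct.unpack("!H", packet[off:off + 2])[0]

def is_syn(packet):                # same packets as `--tcp-flags SYN,RST SYN`
    flags = packet[_tcp_bounds(packet)[0] + 13]
    return (flags & FLAG_SYN) != 0 and (flags & FLAG_RST) == 0

def clamp_mss(packet, link_mtu):
    """Mimic `-j TCPMSS` on a SYN: cap the MSS at link_mtu - 40 and fix the checksum."""
    off = _mss_value_offset(packet) if is_syn(packet) else None
    target = link_mtu - IPV4_HDR_LEN - TCP_HDR_LEN
    if off is None or parse_mss(packet) <= target:
        return packet                        # non-SYN, no MSS option, or already small enough
    pkt = bytearray(packet)
    pkt[off:off + 2] = struct.pack("!H", target)
    ihl = _tcp_bounds(packet)[0]
    pkt[ihl + 16:ihl + 18] = b"\x00\x00"    # zero the TCP checksum, recompute over the segment
    pseudo = _tcp_pseudo_header(bytes(pkt[12:16]), bytes(pkt[16:20]), len(pkt) - ihl)
    pkt[ihl + 16:ihl + 18] = struct.pack("!H", inet_checksum(pseudo + bytes(pkt[ihl:])))
    return bytes(pkt)

def verify_checksums(packet):      # both the IPv4 header and TCP checksums must verify
    ihl = _tcp_bounds(packet)[0]
    pseudo = _tcp_pseudo_header(packet[12:16], packet[16:20], len(packet) - ihl)
    return inet_checksum(packet[:ihl]) == 0 and inet_checksum(pseudo + packet[ihl:]) == 0

def full_segment_len(mss):         # wire size of a full segment (IPv4, no options)
    return mss + IPV4_HDR_LEN + TCP_HDR_LEN

def forward_decision(packet_len, link_mtu, df):   # what a router does at a smaller link
    if packet_len <= link_mtu:
        return "forward"
    return ICMP_FRAG_NEEDED if df else "fragment"

if __name__ == "__main__":
    TUNNEL_MTU = 1396                        # assumption: the post's 1356 + 40
    syn = build_syn("192.168.100.10", "203.0.113.5", 40000, 443, 1460)
    for pkt in (syn, clamp_mss(syn, TUNNEL_MTU)):
        mss = parse_mss(pkt)
        print("MSS", mss, "-> full segment", full_segment_len(mss), "bytes:",
              forward_decision(full_segment_len(mss), TUNNEL_MTU, df=True),
              "| checksums ok:", verify_checksums(pkt))
```

Run as a script it prints the same SYN before and after clamping: an MSS of 1460 implies 1500-byte segments, which a 1396-byte tunnel drops with the ICMP type 3 code 4 error; after the rewrite the MSS is 1356, every full segment is exactly 1396 bytes and is forwarded. Because the TCP checksum covers the options, a rewrite without the checksum fix would produce a SYN the peer silently discards, which is why the kernel's TCPMSS target patches the checksum as well.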

Please credit the source when reposting: http://www.bhlaab.com/html/887.html


Comments (5 in total: 4 from visitors, 0 from the author, 1 pingback)

    • 默北 6

      iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

      • 默北 6

        Most offices and many coffee shops will block the default port 1194 (UDP). It is also a very popular port for naughty people trying to see what you have on your network. If you’re not running a web server, set it to port 80 or 443 (TCP) as these ports are normally accessible. If these don’t work, try other ones like 21 (TCP), which is normally used for an FTP server. You will likely see better throughput on some ports than on others due to ‘traffic shaping’, aka giving network priority to certain applications.
        Comcast blocks ports 21, 80 and 443 for UDP but not for TCP.
        The network packets that are sent through the VPN tunnel can become fragmented, split into two or more packets to make them fit into the VPN network packet. Let’s increase the size of the VPN network packet to reduce the network packet fragmentation.
        tun-mtu 1500
        mssfix 1400
        Compression. This is a little more subjective than you would think. If most of your activity is based on data streams (e.g. watching video, listening to music), then the compression may cause delays (think extra buffering / stuttering). My advice is to try with it on and try with it off; which seems to be more responsive to you?

        • 呵呵 9

          So in this case the packet just exceeds the MTU, is not fragmented, and gets dropped? And changing that one setting fixes it?

        • External references: 1

          • TP-LINK router PPTP VPN configuration guide