Issue: I am connected to a VPN and (some) websites cannot be accessed while a working internet connection is established.
A few weeks ago I attended DevOpsCon 2017 in Berlin. The conference was quite interesting, but lacked organisation and preparation. Several WLAN access points had been set up with two SSIDs: one provided by the DevOpsCon organisers and one by the hotel hosting the event. While the hotel Wifi worked fine (though with low downlink and uplink speed), the DevOpsCon Wifi promised a much better connection. Since I tunnel my traffic through a self-hosted VPN, I noticed websites not loading while on the DevOpsCon Wifi, whereas on the hotel Wifi I was able to access websites. Although there are a few posts on the internet about this issue, it seemed too interesting a topic to skip.
Step 1 – Analysing the problem
Without a VPN connection I was able to access the internet and any website on both SSIDs. When enabling the VPN tunnel (I used OpenVPN) there was no problem on the hotel Wifi. On the DevOpsCon Wifi there was still a working internet connection: I was able to send ICMP requests / pings successfully. However, accessing websites did not work in any browser. Even curl requests failed.
The conclusion from these findings: no issue with the VPN, and no issue with the Wifi (without a VPN connection). Only the combination of the two triggers a problem.
Step 2 – MTU to the VPN rescue
The solution is rather easy once the culprit is identified: the MTU (Maximum Transmission Unit). The MTU determines the maximum size of a single packet in a transmission; the Ethernet standard is an MTU of 1500 bytes. When a packet exceeding 1500 bytes is sent, it has to be split up (fragmented) first.
A larger MTU is more efficient, as each packet carries more data. However, if a packet is lost or corrupted in transit, the whole packet has to be re-sent, which increases latency. A VPN connection adds its own headers to every packet, so full-size packets exceed the default MTU of 1500 bytes. Usually this is not an issue, since such packets are fragmented on transmit. Some networks, however, prohibit fragmentation of packets, and then anything larger than the MTU is simply dropped, leaving a restricted internet connection: small packets such as pings still get through, while the large packets of a web page download do not. That is why websites could be accessed on the first Wifi but not on the second.
To solve this issue you have to reduce the MTU on your ethernet adapter. To find the adapter, open a command prompt (as administrator, since changing the MTU requires elevated rights) and enter the following:
netsh interface ipv4 show subinterfaces
This will print your interfaces and their corresponding MTU values. To set the MTU for an interface manually, enter the following command, where "Ethernet" is the name of your interface as shown in that list.
netsh interface ipv4 set subinterface "Ethernet" mtu=1300
Setting an MTU of 1300 will most likely degrade performance a bit, but the MTU will be low enough to get the internet connection working again. To find the sweet spot, you can test the connection with ping.
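As an added example (not part of the original post), the following PowerShell script automates that ping-based search: it sends ICMP echoes with the Don't Fragment bit set (ping -f) and binary-searches the largest payload that still gets a reply, then adds the 20-byte IPv4 and 8-byte ICMP headers to derive the MTU. The probe target (1.1.1.1) and the search bounds are assumptions you can change.

```powershell
# Added example: probe the path MTU with "ping -f" (DF bit set) and derive the
# value to pass to "netsh interface ipv4 set subinterface ... mtu=".
# Assumptions: $Target is any reachable host; 28 = 20-byte IPv4 + 8-byte ICMP header.
param(
    [string]$Target = "1.1.1.1",   # assumed probe target
    [int]$Low = 1000,              # smallest payload tried, in bytes
    [int]$High = 1472              # 1472 + 28 = 1500, the Ethernet default
)

function Test-Payload {
    param([int]$Size)
    # -f sets DF, -l is the ICMP payload size, -n 1 sends one probe, -w is the timeout (ms).
    $out = ping -f -l $Size -n 1 -w 1000 $Target 2>&1 | Out-String
    # A genuine reply line contains "bytes=" (case-insensitive, so localized
    # output such as "Bytes=" also matches); a DF failure reports
    # "Packet needs to be fragmented but DF set." and contains no such token.
    return ($out -match 'bytes=')
}

if (-not (Test-Payload $Low)) {
    Write-Error "Even ${Low}-byte probes fail; check connectivity to $Target first."
    exit 1
}

if (Test-Payload $High) {
    Write-Host "A $($High + 28)-byte MTU already passes unfragmented; no reduction needed."
    exit 0
}

# Binary search: $Low always passes, $High always fails.
while ($High - $Low -gt 1) {
    $mid = [int](($Low + $High) / 2)
    if (Test-Payload $mid) { $Low = $mid } else { $High = $mid }
}

$mtu = $Low + 28
Write-Host "Largest unfragmented ICMP payload: $Low bytes -> path MTU $mtu bytes"
Write-Host "Apply it from an elevated prompt with:"
Write-Host "  netsh interface ipv4 set subinterface `"Ethernet`" mtu=$mtu"
```

Run it with the VPN connected so the probes take the same path as your web traffic; the reported value is a starting point for the mtu= argument rather than a guaranteed optimum.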
Some posts suggest appending store=persistent to the command and restarting your system for the change to apply. This was not necessary in my case, but keep it in mind if the command alone doesn't solve the issue.