Pritunl Enterprise tunnel can't route without NAT (AWS with cloud advertisement)

Pritunl Enterprise
v1.32.3504.68 e8377c

When removing NAT, I am unable to route beyond the tunnel adapter (192.168.100.1).

I have followed the documentation here and I can’t make it work without NAT.

  • The virtual network is Cloud Advertised (AWS)
  • The VPC containing the Pritunl Host is peered with the VPC that contains the target
  • Both VPCs have routing tables with the relevant entries
  • The target instance has appropriate security group
  • Unchecked Restrict Routing
  • NAT’d route works fine

I tried to lower the MTU to 1200, but my client system reports that the tunnel interface is still set to 1500. Why isn’t MTU being respected? The MTU setting is not even included in the .ovpn profile. This is the only issue I can think of. What else could be the cause here?

I suspect this issue is due to MTU, but setting MTU seems broken. Here is my setting for the tunnel:
(screenshot: mtu setting)
But here is the tunnel setting on the Pritunl host:

root@pritunl2:/home/lai# ip a show tun10
13: tun10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.100.1/24 brd 192.168.100.255 scope global tun10
       valid_lft forever preferred_lft forever

And on the client:

9411: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 192.168.100.3/24 brd 192.168.100.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::a80c:550:3b41:12f8/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

This is on the Pritunl host with the tunnel up. Note the difference between interfaces eth0 and tun10.

lai@pritunl2:~$ ping -c1 -M do -s 2000 -I eth0 10.1.2.3
PING 10.1.2.3 (10.1.2.3) from 172.16.1.3 eth0: 2000(2028) bytes of data.
2008 bytes from 10.1.2.3: icmp_seq=1 ttl=64 time=0.950 ms

--- 10.1.2.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms

eth0’s packet is received even when MTU is 2000

lai@pritunl2:~$ ping -c1 -M do -s 2000 -I tun10 10.1.2.3
PING 10.1.2.3 (10.1.2.3) from 192.168.100.1 tun10: 2000(2028) bytes of data.
ping: local error: message too long, mtu=1500

--- 10.1.2.3 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms


lai@pritunl2:~$ ping -c1 -M do -s 1486 -I tun10 10.1.2.3
PING 10.1.2.3 (10.1.2.3) from 192.168.100.1 tun10: 1486(1514) bytes of data.
ping: local error: message too long, mtu=1500

--- 10.1.2.3 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms


lai@pritunl2:~$ ping -c1 -M do -s 1468 -I tun10 10.1.2.3
PING 10.1.2.3 (10.1.2.3) from 192.168.100.1 tun10: 1468(1496) bytes of data.

--- 10.1.2.3 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Server log:

[pritunl2] Wed May  3 19:44:43 2023 /sbin/ip link set dev tun12 up mtu 1500

The tunnel does, indeed, seem to ignore the MTU setting.
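An added example, not part of the original post, that automates the "ping -M do -s N" probes above with a binary search for the largest DF-marked payload an interface accepts (interface and target are placeholders). It counts a probe as accepted whenever the kernel sends it, regardless of reply, so a tunnel whose packets leave but are never answered (as in the 1468-byte test) is reported as an MTU pass and a routing question; note that for an IPv4 MTU of 1500 the largest ICMP payload is 1472, which is why -s 1486 (1514 bytes on the wire) is rejected.

```shell
#!/bin/sh
# Added example, not from the thread: automate the "ping -M do -s N" probes
# above to find the largest unfragmented ICMP payload an interface accepts.
# Assumes Linux iputils ping; interface and target names are placeholders.

# Largest ICMP echo payload for an IPv4 MTU: MTU - 20 (IP header) - 8 (ICMP header).
max_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Inverse: the MTU implied by the largest accepted payload.
mtu_from_payload() {
    echo $(( $1 + 28 ))
}

# Probe: returns 0 when the kernel accepted a DF-marked ping of $3 payload bytes
# via interface $1 to $2 (no "message too long" local error). Reachability is
# deliberately ignored, so the result reflects the interface MTU, not routing.
ping_probe() {
    out=$(ping -c1 -W1 -M do -s "$3" -I "$1" "$2" 2>&1)
    case $out in
        *"message too long"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Binary search for the largest payload in [lo, hi] accepted by the probe.
# $1 iface, $2 target, $3 lo, $4 hi, $5 probe function (default ping_probe).
find_max_payload() {
    iface=$1; target=$2; lo=$3; hi=$4; probe=${5:-ping_probe}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$iface" "$target" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Usage: ./mtuprobe.sh tun10 10.1.2.3
if [ $# -ge 2 ]; then
    payload=$(find_max_payload "$1" "$2" 0 2000)
    echo "$1: largest DF payload $payload bytes -> MTU $(mtu_from_payload "$payload")"
fi
```

Run it once against eth0 and once against tun10 to compare the two interfaces the way the manual pings above do; a result of 1472 on tun10 confirms the 1500 MTU the server log reports.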

Restrict routing should not be disabled; that will not affect support for the configuration. Source/dest checking must be disabled from AWS on the Pritunl instances.

AWS VPC peering will only route the peered VPC networks, the system does not support any external networks. For the configuration to work the VPC peering must be replaced with either AWS Transit Gateway or pritunl-link.

The MTU is only set on the server; the server will provide the MTU to the client.

Hi Zach. Thanks for the reply! It didn’t work with Restrict Routing checked, so I thought I’d “loosen” it until I got things working.

AWS VPC peering will only route the peered VPC networks, the system does not support any external networks.

“External” meaning the virtual network (that is cloud advertised) in an ec2/pritunl host? So, for my setup, I either need transit gateway or a link?

Any network that is not an AWS VPC subnet will not get routed over the VPC peering. The setup in that diagram will require some other linking method.