openvpn: "Authenticate/Decrypt packet error: bad packet ID", link-mtu=1472 consequences

[avemilia <avemilia protonmail com>]

Hello list,

openSUSE Tumbleweed (KDE Plasma)
NetworkManager-1.16.0-1.1.x86_64
NetworkManager-openvpn-1.8.10-1.1.x86_64

with this openvpn configuration:

> [vpn]
> auth=<redacted>
> ca=<redacted>
> cipher=<redacted>
> comp-lzo=adaptive
> connection-type=password
> float=no
> mssfix=no
> password-flags=1
> port=<redacted>
> proto-tcp=no
> remote=<redacted>
> remote-random=no
> tun-ipv6=no
> username=<redacted>
> service-type=org.freedesktop.NetworkManager.openvpn

I get many

> Authenticate/Decrypt packet error: bad packet ID ...

messages in the journal.

I am not a networking expert, so I googled around
(<https://hamy.io/post/0003/optimizing-openvpn-throughput/>) and added

> link-mtu=1472

to the above, and the "bad packet ID" messages were gone (all is tested via
connecting to twitch.tv in a browser).

However, now the journal contains

> ((src/devices/nm-device.c:11965)): assertion '<dropped>' failed
> ((src/devices/nm-device.c:1478)): assertion '<dropped>' failed
> ((src/devices/nm-device.c:11965)): assertion '<dropped>' failed
> ((src/devices/nm-device.c:1478)): assertion '<dropped>' failed

and the nm kde applet shows a greyed out icon with a red cross.

I feel like the assertions should not fail. I also feel like the applet should
correctly show that the connection is established.

That was one thing (or more like two things). Whether it's a reportable bug(s)
or not is not known to me. Now, about how to fix things right now.

> From what I see in the nm GUI configurator if I press 'Advanced' on the openvpn
connection, it has no support for link-mtu. It has support for tun-mtu. It also
doesn't have support for mssfix other than 'yes' or 'no', while the openvpn(8)
says the user can set mssfix to a value.

Maybe I can try some combination of tun-mtu, fragment, boolean-only mssfix and
other things that the GUI configurator can chew, and show me a 'nice' icon?