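In such cases, you can work around the problem by using the mssfix directive to set a smaller maximum UDP packet size. Note that this setting only takes effect when OpenVPN is running over UDP. If your OpenVPN connection is unstable, give it a try.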

OpenVPN - ArchWiki: OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients. With the release of v2.4, server configurations are stored in /etc/openvpn/server and client configurations are stored in /etc/openvpn/client and each mode has its own respective systemd unit, namely, openvpn-client@.service and openvpn-server@.service.

Apparently --mssfix only applies to TCP session applications sitting on top of the OpenVPN tunnel. “In practice, --fragment and --mssfix can be ideally used together, where --mssfix will try to keep TCP from needing packet fragmentation in the first place, and if big packets come from protocols other than TCP, --fragment will internally

My guess is more that "mssfix 1450" is causing UDP packet fragmentation, as the resulting OpenVPN packets will be bigger than 1500 bytes - and *that* will hurt a lot. Not sure exactly what "mssfix 0" packets look like on the wire if you feed it with a full TCP packet, though - should fragment as well.

OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

Many pfSense users use mssfix 1400. After normal IP overhead and OpenVPN overhead, if memory serves me well, that would allow a TCP packet of, I believe, 1412 or something. That means an MSS clamped to 1400 should never go above that threshold. The reason you can ping 1460 is because of compression.

Oct 28, 2019