OpenVPN server not working for Windows7 Client

[kuyur]

Hello.

I met some troubles when configuring OpenVPN on my VDS.
I have tried CentOS6/CentOS5/Ubuntu13.04, but problem is still.

The configurations ran well in my old server. I just copy it to new server.

Client on Windows XP is working well, and no problem for network accessing.

But Client on Windows 7 seems very strange.
Connection to server is OK, however network seems to be blocked.
I have used SmartSniff to check the network conversation.
DNS lookup and Ping are OK. But big tcp packet seems to be dropped.
For example, when I open a web page, no response returns.

Here is my config of OpenVPN server:

server.conf (Server version: 2.2.2)

local xx.xxx.xxx.xx
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
#push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher BF-CBC
auth none
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 4

IP config for client:
/etc/openvpn/ccd/client1

ifconfig-push 10.8.0.2 255.255.255.0

I have added these rules into firewall by iptables (physical ethernet is eth0):

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

And ofcourse ip forwarding is enabled.

net.ipv4.ip_forward = 1

Here is my config for client:
tun.ovpn (Client version: 2.2.2)

client
dev tun
proto udp
remote xx.xxx.xxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
redirect-gateway
keepalive 10 120
cipher BF-CBC
auth none
verb 4
mute 20
route-method exe
route-delay 2
script-security 2

If I change protocol from udp to tcp, Client on Windows7 also works.
But I hope to use udp. Anyone can help me?

local xx.xxx.xxx.xx
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
#push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher BF-CBC
auth none
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 4

[Edge100x]

Is the network adapter on the Windows 7 machine broken by having an invalid (too-small or too-large) MTU, or is a networking device inside your home network causing IP fragmentation? We block UDP fragments, so it's important to not send any of them.

[kuyur]

Is the network adapter on the Windows 7 machine broken by having an invalid (too-small or too-large) MTU

MTU of Both Windows XP and Windows 7 is 1500.

or is a networking device inside your home network causing IP fragmentation? We block UDP fragments, so it's important to not send any of them.

It's not only my client on Windows7 not working.
But I will check for them.

[kuyur]

It seems that "--fragment 1400 --mssfix" makes sense for me.