From: Andrea Venturoli
Date: Fri, 5 Jul 2024 11:18:31 +0200
Subject: OpenVPN suddenly working one way only
To: freebsd-net@freebsd.org
Message-ID: <55aa094a-bdf3-40de-8dd8-097bf734dfb6@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hello.

Not sure this is a question for FreeBSD or for OpenVPN directly... I'll try here first.

I'm using OpenVPN quite heavily, as I have around 10 server-server tunnels, and several server-clients installations.
They are all working properly except one, which will periodically start misbehaving.

Both ends are FreeBSD 13.3, the protocol is UDP and I'm using tun interfaces.

Simply put: handshake is fine, packets from host A to B get through, but packets from B to A do not.

I can run tcpdump on both tun interfaces:
_ if I ping A -> B, A sees packets going out, but none coming in, although B sees both;
_ if I ping B -> A, B sees packets going out, but A sees nothing.

Restarting openvpn on both ends does not help: handshake happens again, but the situation does not change.

Looks more like a kernel/tun problem...
Possibly rebooting (A or B?) would solve, but I can't do that easily.
Also, I'm sure in some days (possibly weeks) it'll start working fine again by itself (!!!).

Notice that both ends have other OpenVPN tunnels to different systems and they keep working while this one is not.

Has anyone else seen something similar?
Anything to try/check now that I'm getting the problem and I have no urge to solve?

bye & Thanks
av.