From: "Rodney W. Grimes"
Message-Id: <202407051432.465EWx23029110@gndrsh.dnsmgr.net>
Subject: Re: OpenVPN suddenly working one way only
To: Andrea Venturoli
Date: Fri, 5 Jul 2024 07:32:59 -0700 (PDT)
CC: Ronald Klop, freebsd-net@FreeBSD.org
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

> On 7/5/24 11:31, Ronald Klop wrote:
>
> > Of course this can be a firewall or routing issue somewhere in between
> > the hosts blocking traffic from B to A.
>
> Hmm...
> The two hosts can communicate with any other protocol.
> Also the VPN can handshake, so packets are exchanged correctly.
> I'm only using ipfw: no packet is logged as blocked, but, in any case,
> it blocks after tcpdump sees them and I don't even see them.
>
> > Or both? Can you run tcpdump on the physical interfaces? What
> > traffic do you see on the openvpn port?
>
> Let's say, after handshake, I ping A -> B:
> _ A sees the request going out tun;
> _ A sees the UDP packet going out via physical interface;
> _ B sees the UDP packet arriving;
> _ B sees the request coming in via tun;
> _ B sees the answer going out via tun;
> _ B sees the UDP packet going out the physical interface;
> _ A doesn't see the UDP packet coming in (so obviously nothing on tun either).
>
> > Can you switch to TCP?
>
> It would be a little work, and using OpenVPN/TCP is highly discouraged.
> However, I just changed the UDP port and it seems to work!
>
> I'm puzzled...
> So maybe some system in between my two hosts was blocking packets,
> but... after the handshake!?!?!?
> Very strange.
> Or host B has some trouble and changing its port helped???

Or host A has a zombie process with a UDP listen on the port?
Often when I have problems with tunnels it is some residual thing
left over from a prior run, like ppp(8) loves to leave behind named
pipes in /var.

> In any case, thanks a lot for answering.
> bye
> av.

-- 
Rod Grimes rgrimes@freebsd.org
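Rod's suggestion above (a leftover process still holding the UDP port) is cheap to check before suspecting the network path. The script below is an added example, not code from the thread or from OpenVPN: it lists every process that has a UDP socket bound to a given port, given text in the layout of FreeBSD's `sockstat -4 -l -P udp` (the column order USER COMMAND PID FD PROTO LOCAL FOREIGN is an assumption; verify it on your release). The sockstat output embedded in the script is constructed for the demo, with two openvpn instances on the same port standing in for the "residual thing left over from a prior run" case; on a real host you would pipe live sockstat output into the function instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Finds which processes
# hold a UDP socket on PORT from sockstat(1)-style text on stdin.
# Assumed column layout: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# Constructed sample sockstat output: a live openvpn on 1194 plus a
# stale one from an earlier run that is still bound to the same port.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  5  udp4   *:1194                *:*
root     openvpn    987   5  udp4   *:1194                *:*
root     syslogd    500   6  udp4   *:514                 *:*
_ntp     ntpd       601   20 udp4   *:123                 *:*'

# Print "COMMAND PID" for each row whose local UDP socket ends in :PORT.
# The header row (NR == 1) is skipped; the port is anchored with "$" so
# that 123 does not also match 1234.
udp_port_holders() {
    port=$1
    awk -v port="$port" \
        'NR > 1 && $5 ~ /^udp/ && $6 ~ (":" port "$") { print $2, $3 }'
}

# Number of distinct sockets bound to PORT. A tunnel port should report
# exactly one (the daemon you expect); more than one means a leftover
# process is competing for the same datagrams, and zero means nothing
# is listening at all.
count_udp_port_holders() {
    udp_port_holders "$1" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample. On a live FreeBSD
# host replace the printf with: sockstat -4 -l -P udp | udp_port_holders 1194
printf '%s\n' "$SAMPLE_SOCKSTAT" | udp_port_holders 1194
echo "holders of udp/1194: $(printf '%s\n' "$SAMPLE_SOCKSTAT" | count_udp_port_holders 1194)"
```

The same check is worth running on both tunnel endpoints, since the thread only narrows the problem down to "the reply never arrives at A"; a second listener on A would swallow the returning datagrams without any firewall log line, which matches what the tcpdump trace shows.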