From: Andrea Venturoli <ml@netfence.it>
To: freebsd-net@freebsd.org
Date: Sat, 6 Jul 2024 18:07:47 +0200
Subject: Re: OpenVPN suddenly working one way only
In-Reply-To: <202407061502.466F28cR033040@gndrsh.dnsmgr.net>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
On 7/6/24 17:02, Rodney W. Grimes wrote:
> Are you pinging the inside or outside address of the vpn?
> If you can't even ping the outside IP of a VPN you have
> basic connectivity problems that must be fixed before even
> attempting a VPN.

I'll recap: I've got two hosts, A and B, which are in different sites, connected to the Internet with different ISPs.

Pinging B's public IP from A's public IP, and vice versa, works, as does any other TCP based protocol (http, ssh, etc...); I have no UDP based protocol to test with; if it's needed I'll try and set up some.

There's a UDP based OpenVPN tunnel originating from host A to host B: usually it works perfectly, but once in a few months it stops (and will usually start working again after some days/weeks). Other similar VPNs, which are present on both hosts, keep working.

When the VPN does not work, packets do flow in one direction inside the tunnel from A to B. From B to A, they do seem to exit the tunnel from host B (according to tcpdump), but they never get to host A. It's not an MTU problem, as I tried ping, which uses very small packets.
It's almost surely due to a problem with the UDP packets that implement the VPN: again, according to tcpdump they go out of host B, but never reach host A.

I tried stopping OpenVPN and starting it again: I got inconsistent results and need to investigate better; in any case it doesn't help.

Moving the VPN to a different port on host B allowed it to start working again, but only for a few hours. After this time, the UDP packets from B to A were getting lost again.

I can't reboot these hosts freely: it would help to check if any of them is the culprit or if it could be some router in the middle. I have no access to any router between A and B, but I'd be surprised if they would drop such packets.

Now the VPN is working, again I don't know why, so I can't conduct any more tests. I'm sure it will happen again, maybe in a few months.

bye & Thanks
av.
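As an added example, not code from this thread, from OpenVPN or from either poster: a small UDP echo probe of the kind the message above says is missing ("I have no UDP based protocol to test with"). It tests the raw UDP path between two hosts independently of the tunnel, in whichever direction it is run, and the responder counts what reached it, so "arrived at the far host but the echo never came back" can be told apart from "never arrived". The script name udpprobe.py, the probe format, and the port 1194 in the usage text are my own assumptions; nothing in it comes from the original report.

```python
#!/usr/bin/env python3
"""udpprobe.py: UDP path probe (added example, not part of the thread).

Responder on one host:  python3 udpprobe.py serve 0.0.0.0 1194
Prober on the other:    python3 udpprobe.py probe <responder-ip> 1194
Then swap roles to test the opposite direction. Port 1194 is only an
assumption here; use whatever port the tunnel actually uses.
"""
import socket
import struct
import sys
import threading
import time

MAGIC = b"UDPP"
HDR = struct.Struct("!4sIQ")  # magic, sequence number, send time (monotonic ns)


class Responder:
    """Echo each well-formed probe back to its sender and count arrivals.

    `seen` is the far-side equivalent of tcpdump on the responder host: if it
    grows while the prober reports loss, the forward path works and the
    return path is the one dropping packets.
    """

    def __init__(self, host="0.0.0.0", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))
        self.sock.settimeout(0.2)  # short timeout so the loop notices stop()
        self.seen = 0
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _loop(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(2048)
            except OSError:  # timeout or transient error: keep serving
                continue
            if len(data) >= HDR.size and data[:4] == MAGIC:
                self.seen += 1
                self.sock.sendto(data, peer)  # echo unchanged so the RTT survives


def probe(host, port, count=20, interval=0.05, timeout=1.0, size=64):
    """Send `count` probes of `size` bytes, then collect echoes until `timeout`
    passes with nothing received. Returns a dict the caller can check."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    pad = b"\0" * max(0, size - HDR.size)
    for seq in range(count):
        sock.sendto(HDR.pack(MAGIC, seq, time.monotonic_ns()) + pad, (host, port))
        time.sleep(interval)
    got, rtts_ms = set(), []
    while len(got) < count:
        try:
            data, _ = sock.recvfrom(2048)
        except OSError:  # timeout, or an ICMP unreachable surfaced as an error
            break
        if len(data) < HDR.size or data[:4] != MAGIC:
            continue  # stray datagram on the port, not one of ours
        _, seq, sent_ns = HDR.unpack(data[:HDR.size])
        if seq not in got:  # duplicates happen; count each sequence once
            got.add(seq)
            rtts_ms.append((time.monotonic_ns() - sent_ns) / 1e6)
    sock.close()
    return {
        "sent": count,
        "received": len(got),
        "lost": sorted(set(range(count)) - got),
        "max_rtt_ms": max(rtts_ms) if rtts_ms else None,
    }


def verdict(result):
    """One-line reading of a probe result."""
    if result["received"] == 0:
        return "no echoes: UDP blocked in at least one direction, or no responder"
    if result["lost"]:
        return "partial loss: %d/%d probes unanswered" % (len(result["lost"]), result["sent"])
    return "ok"


if __name__ == "__main__":
    if len(sys.argv) != 4 or sys.argv[1] not in ("serve", "probe"):
        sys.exit("usage: udpprobe.py serve|probe <host> <port>")
    mode, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    if mode == "serve":
        r = Responder(host, port).start()
        try:
            while True:  # report arrivals until Ctrl-C
                time.sleep(5)
                print("probes seen so far: %d" % r.seen)
        except KeyboardInterrupt:
            r.stop()
    else:
        res = probe(host, port)
        print(res, verdict(res))
```

Run the responder on B and the prober on A, read the two numbers side by side (prober "received", responder "seen"), then swap roles. One caveat: the prober picks a fresh source port each run, so it exercises a new UDP flow rather than the exact 5-tuple the tunnel uses; to test that specific flow, stop OpenVPN and bind the prober to the tunnel's port, which this script does not do.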