Hi,

On Thu, May 14, 2026 at 09:53:42PM +0200, Piotr Dobrogost wrote:
> > This (and also on the local LAN interface to see if they are actually
> > getting out).
>
> [miner@hostx ~]$ sudo tcpdump -i enp5s0 icmp

Well, on the ethernet, you won't see ICMPs, as the ping is encapsulated
and "the world" only sees UDP packets - so the filter could be something
like "icmp or udp port 1194".

This said...

> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on enp5s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 21:35:04.694647 IP hostx > xyz.sfx.pl: ICMP hostx udp port 46099
> unreachable, length 141

... this looks interesting. This *might* be a response to a UDP packet
coming from xyz.sfx.pl towards your local UDP port 46099, which could
be the UDP source port OpenVPN uses.

If "something in the local firewall setup" does not believe that this
should be permitted, refusing inbound UDP packet with "ICMP unreach"
would also explain what you see "no packets coming in via OpenVPN".

Can you please retry that dump, to see if I'm guessing correctly?

[..]

> > Might there be some new firewalling stuff involved that does not know
> > how to deal with ovpn interfaces?
>
> I have the firewall disabled:
>
> [miner@hostx ~]$ systemctl status firewalld
> ??? firewalld.service - firewalld - dynamic firewall daemon
> Loaded: loaded (/usr/lib/systemd/system/firewalld.service;
> disabled; preset: enabled)

Mmmh. What does "nft list ruleset" say about this topic?

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
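
Added example, not part of the original mail: one way to check the guess above on a retried dump taken with the "icmp or udp port 1194" filter, by pairing each "udp port N unreachable" ICMP line with the inbound UDP packet it answers. The capture lines are constructed (documentation addresses, `tcpdump -n` text format assumed); only ports 1194 and 46099 come from the thread, and `rejected_udp` is a hypothetical helper name.

```python
import re

# Constructed sample of `tcpdump -n -i enp5s0 'icmp or udp port 1194'` output.
# 192.0.2.10 stands in for hostx, 198.51.100.7 for the VPN server (assumptions).
SAMPLE = """\
21:35:04.600100 IP 192.0.2.10.46099 > 198.51.100.7.1194: UDP, length 86
21:35:04.694500 IP 198.51.100.7.1194 > 192.0.2.10.46099: UDP, length 105
21:35:04.694647 IP 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 46099 unreachable, length 141
21:35:05.700200 IP 192.0.2.10.46099 > 198.51.100.7.1194: UDP, length 86
"""

UDP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+")
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP (\S+) udp port (\d+) unreachable")


def rejected_udp(capture):
    """Pair each ICMP port-unreachable with the UDP packet that triggered it."""
    last_udp = {}  # (dst_host, dst_port) -> (timestamp, src_host, src_port)
    findings = []
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            last_udp[(dst, int(dport))] = (ts, src, int(sport))
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue
        ts, sender, target, host, port = m.groups()
        trigger = last_udp.get((host, int(port)))
        # The ICMP error is sent back to whoever sent the refused datagram,
        # so the trigger only counts if its source is the ICMP destination.
        matched = trigger is not None and trigger[1] == target
        findings.append({
            "icmp_at": ts,
            "rejecting_host": sender,
            "peer": target,
            "local_port": int(port),
            "udp_at": trigger[0] if matched else None,
            "peer_port": trigger[2] if matched else None,
        })
    return findings


if __name__ == "__main__":
    for f in rejected_udp(SAMPLE):
        print(f)
```

A finding whose `peer_port` is 1194 and whose `local_port` is the port OpenVPN sends from means the server's replies reach the host and are refused locally, which points at the local packet filter rather than the network path.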
