Yeah, I think that was the reason for the hanging. The only thing that was pingable was tun0 on the server from the server. Nothing from the client could be pinged.
At this point it looks to me like the issue is related to MTU and fragmentation. I moved the container to another server and made sure that the Sonicwall rules disallowed fragmented packets. MTU is set to 1500 on servers and the network and I set it like this on the server and client:

    fragment 1460
    mssfix 1420

This time it worked and both sides of the tunnel could ping until I tried to pass a lot of traffic through the browser. Then the TUN interface completely froze and I had to reboot the container to fix it. I wonder if I'm actually going to have to tweak the MTU on the tun interface.

John Baker
Director Of Information Technology
Marlboro College
Phone: 451-7551
Cell: 490-0066

On Mon, Nov 28, 2016 at 3:02 AM, Gert Doering <[email protected]> wrote:

> Hi,
>
> On Sun, Nov 27, 2016 at 07:54:42PM -0500, John Baker wrote:
> [..]
> > I did
> > make sure that the firewall was allowing fragmented packets on the access
> > rules and checked that the MTU was ok. Server side the tun ip at 10.8.0.1
> > is pingable but nothing else in the tunnel. Client side nothing is pingable
>
> This is a bit unclear "what works, when pinging from where".
>
> What you should test:
>
> - from the server, ping the client side tun interface
> - from the client, ping the server side tun interface
> - if routing networks toward client: from the server, ping the client net
> - from the client, ping "something in the server's network" - and if
>   that does not work, check with traceroute and netstat -rn that routing
>   is right on the client side, and *forwarding* is enabled on the server
>   side.
>
> > and the Mac gets hung trying to read its routing table.
>
> This might actually hint at DNS problems. Does "netstat -rn" succeed
> quickly? Default for "netstat -r" or "route show" is to resolve names,
> and if DNS is funky, that can hang forever.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> [email protected]
> fax: +49-89-35655025 [email protected]
> muenchen.de
>
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
