Hi,

On 25/03/19 17:10, Duarte Rocha wrote:
Hi everyone,

I have stumbled upon an issue where on some clients, if I enable the VPN, all traffic that needs SSL (https, for instance) is unreachable. Sometimes I can get to it a few times, but most of the time the request just hangs there.

There is no IP conflict issue, other systems connected to the server are able to reach https websites without any issue.

smells like an MTU issue - try adding
  fragment 1200
to both client and server config and reconnect then retry. If that does work, then you've got an MTU issue. If that also does not work, then there's something else going on...

HTH,

JJK

I have other clients connected to the server and this is the second time I see this behavior.  It started sometime (a few weeks) after install/setup.

*Client version*

OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sa...@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

*Client config*

dev-type tun
proto udp
port 1194
remote remote.vpn.net 1194
dev tun-vpn
user root
group root
persist-key
persist-tun
verb 3
ca /etc/openvpn/client.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/tls.key
redirect-gateway def1
key-direction 1
pull
tls-client
resolv-retry infinite
nobind

*It just hangs here, after connect*
$ openssl s_client -connect google.com:443
CONNECTED(00000003)

the strace reports:
....
close(4)                                = 0
brk(0x1b1b000)                          = 0x1b1b000
getpid()                                = 7490
write(3, "\26\3\1\2\0\1\0\1\374\3\3\304\206\232N\361\276\311\231\223\377\265\332p\16=P\237\365Z\317\340"..., 517) = 517
read(3, 0x1afa4b0, 7)                   = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, NULL, 8) = 0
poll([{fd=3, events=POLLIN}], 1, 52)    = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, NULL, 8) = 0
poll([{fd=3, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, NULL, 8) = 0
poll([{fd=3, events=POLLIN}], 1, 1)     = 0 (Timeout)

Can anyone point to how to debug this?

The other system eventually sorted itself out and I thought it might be because there was a pkg upgrade available, but I've already tried that and no luck...

--

Duarte Rocha <duarte.ro...@gmail.com>





_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
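
Added example, not part of the thread or of OpenVPN: one way to check the MTU theory from the Linux client is to binary-search the largest ICMP payload that crosses the tunnel with Don't Fragment set (iputils `ping -M do`). The function names, the default bounds and the `PROBE` override are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find the largest ICMP echo payload that passes with DF set.

# probe_df HOST SIZE -> exit 0 if a DF-flagged echo with SIZE payload bytes
# is answered within 1 second (Linux iputils ping).
probe_df() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# largest_df_payload HOST [LOW] [HIGH]
# Binary search between LOW and HIGH (1472 = 1500 - 20 IPv4 - 8 ICMP).
# Prints the largest payload that passed; returns 1 if even LOW fails
# (host down or ICMP filtered, so nothing can be concluded).
# Set PROBE to another function name to replace the real ping.
largest_df_payload() {
    host=$1 lo=${2:-500} hi=${3:-1472}
    "${PROBE:-probe_df}" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "${PROBE:-probe_df}" "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# path_mtu PAYLOAD -> IPv4 packet size for that payload (20 IPv4 + 8 ICMP).
path_mtu() {
    echo $(( $1 + 28 ))
}
```

With the VPN up, call `largest_df_payload` with a host reached through the tunnel, then `path_mtu` on the result. A value well below 1472 is consistent with a handshake that stalls after the 517-byte ClientHello seen in the strace, since the larger packets of the reply are the ones that do not get through.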
