Jan you're awesome!!!

That's exactly the issue. Solved it by setting the mssfix to 1300 on the
client side.

On Mon, Mar 25, 2019 at 4:33 PM Jan Just Keijser <janj...@nikhef.nl> wrote:

> Hi,
>
> On 25/03/19 17:10, Duarte Rocha wrote:
>
> Hi everyone,
>
> I have stumbled upon an issue where on some clients if I enable the VPN all
> traffic that needs SSL (https, for instance) is unreachable. Sometimes I
> can get to it a few times, but most of the time the request just hangs
> there.
>
> There is no IP conflict issue, other systems connected to the server are
> able to reach https websites without any issue.
>
> smells like an MTU issue - try adding
>   fragment 1200
> to both client and server config and reconnect then retry. If that does
> work, then you've got an MTU issue. If that also does not work, then
> there's something else going on...
>
> HTH,
>
> JJK
>
> I have other clients connected to the server and this is the second time I
> see this behavior.  It started sometime (a few weeks) after install/setup.
>
> *Client version*
>
> OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4]
> [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
> library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.08
> Originally developed by James Yonan
> Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sa...@openvpn.net>
> Compile time defines: enable_async_push=no enable_comp_stub=no
> enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes
> enable_def_auth=yes enable_dependency_tracking=no enabl
> e_dlopen=unknown enable_dlopen_self=unknown
> enable_dlopen_self_static=unknown enable_fast_install=yes
> enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes
> enable_lz4=ye
> s enable_lzo=yes enable_maintainer_mode=no enable_management=yes
> enable_multi=yes enable_multihome=yes enable_pam_dlopen=no
> enable_password_save=yes enable_pedantic=no enable_pf=y
> es enable_pkcs11=yes enable_plugin_auth_pam=yes
> enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes
> enable_selinux=no enable_server=yes enable_shared=yes enable_s
> hared_with_static_runtimes=no enable_silent_rules=no enable_small=no
> enable_static=yes enable_strict=no enable_strict_options=no
> enable_systemd=yes enable_werror=no enable_win32_d
> ll=yes enable_x509_alt_username=yes with_crypto_library=openssl
> with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn'
> with_sysroot=no
>
> *Client config*
>
> dev-type tun
> proto udp
> port 1194
> remote remote.vpn.net 1194
> dev tun-vpn
> user root
> group root
> persist-key
> persist-tun
> verb 3
> ca /etc/openvpn/client.crt
> cert /etc/openvpn/client.crt
> key /etc/openvpn/client.key
> tls-auth /etc/openvpn/tls.key
> redirect-gateway def1
> key-direction 1
> pull
> tls-client
> resolv-retry infinite
> nobind
>
> *It just hangs here, after connect*
> $ openssl s_client -connect google.com:443
> CONNECTED(00000003)
>
> the strace reports:
> ....
> close(4)                                = 0
> brk(0x1b1b000)                          = 0x1b1b000
> getpid()                                = 7490
> write(3,
> "\26\3\1\2\0\1\0\1\374\3\3\304\206\232N\361\276\311\231\223\377\265\332p\16=P\237\365Z\317\340"...,
> 517) = 517
> read(3, 0x1afa4b0, 7)                   = -1 EAGAIN (Resource temporarily
> unavailable)
> rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE],
> sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, NULL, 8) = 0
> poll([{fd=3, events=POLLIN}], 1, 52)    = 0 (Timeout)
> rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[PIPE],
> sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, 8) = 0
> rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE],
> sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, NULL, 8) = 0
> poll([{fd=3, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0
> (Timeout)
> rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE],
> sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x76cee6b0}, NULL, 8) = 0
> poll([{fd=3, events=POLLIN}], 1, 1)     = 0 (Timeout)
>
> Can anyone point to how to debug this?
>
> The other system eventually sorted itself out and I thought it might be
> because there was a pkg upgrade available, but I've already tried that and
> no luck...
>
> --
>
> Duarte Rocha <duarte.ro...@gmail.com>

-- 
With best regards

--

Duarte Rocha <duarte.ro...@gmail.com>
_______________________________________
Programming today is a race between software
engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to
produce bigger and better idiots.
So far, the Universe is winning.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
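
Added example, not part of the original thread: a way to measure the MTU problem diagnosed above instead of guessing a value for fragment or mssfix, by binary-searching the largest Don't-Fragment ping the path to the VPN server carries. It assumes a Linux client with iputils ping, a server that answers ICMP echo, and IPv4; per the OpenVPN 2.4 man page, mssfix counts the encapsulated UDP payload, so the payload size found here is the ceiling for that setting.

```shell
#!/bin/sh
# Added example: find the largest unfragmented packet the underlay path carries.
# Usage: sh pmtu.sh <vpn-server-address>   (the address from the "remote" line)

IP_L4_OVERHEAD=28   # IPv4 header (20) + ICMP or UDP header (8)

# probe SIZE HOST: true if one DF-flagged echo with SIZE payload bytes is answered.
# -M do sets Don't Fragment; -W 2 waits two seconds for the reply.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# largest_df_payload HOST [LO] [HI]: binary search between LO and HI.
# Prints the largest payload that passes; returns 1 if even LO fails
# (host down or ICMP filtered), because then no conclusion is possible.
largest_df_payload() {
    host=$1 lo=${2:-500} hi=${3:-1472}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid            # mid got through: answer is mid or larger
        else
            hi=$(( mid - 1 ))  # mid was dropped: answer is below mid
        fi
    done
    echo "$lo"
}

# report HOST: print the path MTU and the largest UDP payload that fits in it.
report() {
    payload=$(largest_df_payload "$1") || {
        echo "no reply from $1 at the smallest size; cannot probe" >&2
        return 1
    }
    echo "path_mtu=$(( payload + IP_L4_OVERHEAD )) max_udp_payload=$payload"
}

if [ $# -gt 0 ]; then report "$1"; fi
```

A max_udp_payload below OpenVPN's default mssfix of 1450 is consistent with the hang shown in the strace output: the small ClientHello gets out, but the full-size packets carrying the server's reply never arrive.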
