Re: [gentoo-user] openvpn experience, anyone?
On 9/18/22 1:26 AM, n952162 wrote:
> I want to ssh over my openvpn connection, and I can't do it, the connection times out.

IMHO the first, second, and third thing to try when OpenSSH clients fail for some reason is `-v`, `-v -v`, and `-v -v -v` in your ssh command(s). That will almost always give you some sort of indication of the next place to start looking.

That being said -- assuming routing is good -- I would also question an MTU issue. The symptoms of this are that OpenSSH establishes the TCP connection that carries the data and starts negotiating the SSH protocol, but fails part way through and starts timing out when big packets are sent but never make it to the other end.

As Michael alluded to, trying to SSH from the local gateway to the remote gateway can be a little tricky to configure, as there can be a couple of source IPs (local inside & local outside) as well as a couple of destination IPs (remote outside & remote inside). Tunnels usually cover local inside communicating with remote inside but fail to account for any outside addresses. -- N.B. this can usually be addressed with a judicious route statement that specifies which source address to use.

-- 
Grant. . . .
unix || die
Re: [gentoo-user] openvpn experience, anyone?
On Sun, 2022-09-18 at 09:26 +0200, n952162 wrote:
> Then, for some reason (licensing?), we were switched to openvpn, which
> works for xfreerdp but not for ssh.
>
> I don't have control over the institution's firewall (but I do have for
> the host itself)

Is the machine that you're trying to SSH into also on the VPN? If so, it may have a firewall rule like "allow SSH from the LAN" but be missing a rule that says "allow SSH from the VPN interface."
Re: [gentoo-user] openvpn experience, anyone?
On 9/18/22 11:08, Michael wrote:
> On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote:
> > On 18/9/22 15:26, n952162 wrote:
> > > Hello all,
> > >
> > > I want to ssh over my openvpn connection, and I can't do it, the
> > > connection times out.
> > >
> > > I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
> > > thought maybe somebody here knows something about this.
> > >
> > > Earlier my institution recommended openconnect, and I was able to use
> > > ssh to log in to a host with no problem.
> > >
> > > Then, for some reason (licensing?), we were switched to openvpn, which
> > > works for xfreerdp but not for ssh.
> > >
> > > I don't have control over the institution's firewall (but I do have for
> > > the host itself)
> > >
> > > Perhaps when installing the new service, they tightened up the firewall
> > > rules. But maybe there's a configuration screw I can turn, or ... maybe
> > > a USE flag?
> > >
> > >  - - down-root : Enable the down-root plugin
> > >  - - examples : Install examples, usually source code
> > >  - - inotify : Enable inotify filesystem monitoring support
> > >  - - iproute2 : Enabled iproute2 support instead of net-tools
> > >  + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4)
> > >  + + lzo : Enable support for lzo compression
> > >  - - mbedtls : Use mbed TLS as the backend crypto library
> > >  + + openssl : Use OpenSSL as the backend crypto library
> > >  + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
> > >  - - pkcs11 : Enable PKCS#11 smartcard support
> > >  + + plugins : Enable the OpenVPN plugin system
> > >  - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking
> > >  - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
> > >
> > > TIA
> >
> > ssh and openvpn work well together. However I am doing most of the work
> > using my own configs - gentoo tries to be too clever with its vpn
> > networking and I've never been able to get it to work
> > reliably/acceptably.
> >
> > On some sites I have to use port 443 (https) to get through, and in
> > extreme cases double wrap in ssl (using a mix of proxytunnel (windows
> > host), stunnel and sslh) to disguise it's a vpn but still separate it
> > from regular https traffic on my firewall. You will need to figure out
> > where the ssh is getting blocked/stripped out - is openvpn your endpoint
> > or theirs?
> >
> > BillK
>
> Could it also be an issue with MTU being too large? It should be easy to
> test with:
>
> ping -c 1 -v -M do -s 1464
>
> and decrease the packet size until it gets through. Then configure your
> client accordingly:
>
> https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem

That was a good idea! Unfortunately, in this case it wasn't the cause:

-- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 331.754/331.754/331.754/0.000 ms
[gentoo-user] realloc() failure in motion
Hi,

I am setting up some cameras (esp32cam) and intended to use motion for them, but it crashes on startup with a realloc() error. The system is an up-to-date arm64 (odroid N2+), mostly stable. Has anyone seen this before?

BillK

ha /etc/motion # /usr/bin/motion -c /etc/motion/motion.conf -k 9 -d 9
[0:motion] [NTC] [ALL] conf_load: Processing thread 0 - config file /etc/motion/motion.conf
[0:motion] [NTC] [ALL] config_camera: Processing camera config file /etc/motion/camera0.conf
[0:motion] [NTC] [ALL] read_camera_dir: Processing config file /etc/motion/motion.conf
[0:motion] [NTC] [ALL] config_camera: Processing camera config file /etc/motion/motion.conf
realloc(): invalid old size
Aborted
Re: [gentoo-user] openvpn experience, anyone?
On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote:
> On 18/9/22 15:26, n952162 wrote:
> > Hello all,
> >
> > I want to ssh over my openvpn connection, and I can't do it, the
> > connection times out.
> >
> > I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
> > thought maybe somebody here knows something about this.
> >
> > Earlier my institution recommended openconnect, and I was able to use
> > ssh to log in to a host with no problem.
> >
> > Then, for some reason (licensing?), we were switched to openvpn, which
> > works for xfreerdp but not for ssh.
> >
> > I don't have control over the institution's firewall (but I do have for
> > the host itself)
> >
> > Perhaps when installing the new service, they tightened up the firewall
> > rules. But maybe there's a configuration screw I can turn, or ... maybe
> > a USE flag?
> >
> >  - - down-root : Enable the down-root plugin
> >  - - examples : Install examples, usually source code
> >  - - inotify : Enable inotify filesystem monitoring support
> >  - - iproute2 : Enabled iproute2 support instead of net-tools
> >  + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4)
> >  + + lzo : Enable support for lzo compression
> >  - - mbedtls : Use mbed TLS as the backend crypto library
> >  + + openssl : Use OpenSSL as the backend crypto library
> >  + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
> >  - - pkcs11 : Enable PKCS#11 smartcard support
> >  + + plugins : Enable the OpenVPN plugin system
> >  - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking
> >  - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
> >
> > TIA
>
> ssh and openvpn work well together. However I am doing most of the work
> using my own configs - gentoo tries to be too clever with its vpn
> networking and I've never been able to get it to work
> reliably/acceptably. On some sites I have to use port 443 (https) to
> get through, and in extreme cases double wrap in ssl (using a mix of
> proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but
> still separate it from regular https traffic on my firewall. You will
> need to figure out where the ssh is getting blocked/stripped out - is
> openvpn your endpoint or theirs?
>
> BillK

Could it also be an issue with MTU being too large? It should be easy to test with:

ping -c 1 -v -M do -s 1464

and decrease the packet size until it gets through. Then configure your client accordingly:

https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem
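As an added example (not posted by anyone in this thread), the following POSIX shell script automates the "decrease the packet size until it gets through" step suggested above: instead of retrying by hand it bisects the largest ICMP payload that crosses the tunnel with the Don't-Fragment bit set and reports the IPv4 MTU that corresponds to it. The peer address 10.8.0.1, the `--probe` flag and the function names are placeholders I chose; the probe itself is the same `ping -M do -s SIZE` check from the message, with a short timeout added. It goes beyond the single ping in the message by searching the whole 0..1472 range and by treating "even the smallest DF ping fails" as a separate outcome, which points at routing or filtering rather than MTU.

```shell
#!/bin/sh
# Added example, not from the thread: find the largest ICMP payload that
# passes through the tunnel unfragmented, then derive the path MTU.
#
# Assumptions (placeholders): the tunnel peer is $PEER (default 10.8.0.1),
# and IPv4 is in use, so MTU = payload + 20 (IP header) + 8 (ICMP header).

PEER=${PEER:-10.8.0.1}

# probe_ping SIZE -- one ping with DF set; exit 0 if SIZE bytes got through.
# -M do sets Don't-Fragment (iputils), -W 2 bounds the wait for a reply.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$PEER" >/dev/null 2>&1
}

# find_max_payload PROBE LO HI -- binary search for the largest payload in
# [LO, HI] for which PROBE succeeds. Assumes PROBE is monotonic (if size N
# passes, every smaller size passes), which holds for DF pings on a fixed
# path. Prints the size, or -1 if even LO fails.
find_max_payload() {
    probe=$1; lo=$2; hi=$3; best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$((mid + 1))   # passed: look for something bigger
        else
            hi=$((mid - 1))              # failed: look smaller
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD -- IPv4 MTU that carries this ICMP echo payload.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Real run only when invoked as: sh mtu-probe.sh --probe
# (1472 is the largest payload that fits an untouched 1500-byte link.)
if [ "${1:-}" = "--probe" ]; then
    payload=$(find_max_payload probe_ping 0 1472)
    if [ "$payload" -lt 0 ]; then
        echo "no DF ping reached $PEER at all; check routing/firewall before MTU" >&2
        exit 1
    fi
    echo "largest unfragmented ICMP payload to $PEER: $payload bytes"
    echo "path MTU toward $PEER: $(payload_to_mtu "$payload") bytes"
fi
```

The reported MTU is what OpenVPN's `tun-mtu` / `mssfix` settings would be derived from, following the wiki page linked in the message; the script only measures, it changes nothing. If the probe reports -1, the tunnel is dropping even tiny DF packets, so the MTU is not the first thing to fix.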
Re: [gentoo-user] openvpn experience, anyone?
On 18/9/22 15:26, n952162 wrote:
> Hello all,
>
> I want to ssh over my openvpn connection, and I can't do it, the
> connection times out.
>
> I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
> thought maybe somebody here knows something about this.
>
> Earlier my institution recommended openconnect, and I was able to use
> ssh to log in to a host with no problem.
>
> Then, for some reason (licensing?), we were switched to openvpn, which
> works for xfreerdp but not for ssh.
>
> I don't have control over the institution's firewall (but I do have for
> the host itself)
>
> Perhaps when installing the new service, they tightened up the firewall
> rules. But maybe there's a configuration screw I can turn, or ... maybe
> a USE flag?
>
>  - - down-root : Enable the down-root plugin
>  - - examples : Install examples, usually source code
>  - - inotify : Enable inotify filesystem monitoring support
>  - - iproute2 : Enabled iproute2 support instead of net-tools
>  + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4)
>  + + lzo : Enable support for lzo compression
>  - - mbedtls : Use mbed TLS as the backend crypto library
>  + + openssl : Use OpenSSL as the backend crypto library
>  + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
>  - - pkcs11 : Enable PKCS#11 smartcard support
>  + + plugins : Enable the OpenVPN plugin system
>  - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking
>  - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
>
> TIA

ssh and openvpn work well together. However I am doing most of the work using my own configs - gentoo tries to be too clever with its vpn networking and I've never been able to get it to work reliably/acceptably.

On some sites I have to use port 443 (https) to get through, and in extreme cases double wrap in ssl (using a mix of proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but still separate it from regular https traffic on my firewall. You will need to figure out where the ssh is getting blocked/stripped out - is openvpn your endpoint or theirs?

BillK
[gentoo-user] openvpn experience, anyone?
Hello all,

I want to ssh over my openvpn connection, and I can't do it, the connection times out.

I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and thought maybe somebody here knows something about this.

Earlier my institution recommended openconnect, and I was able to use ssh to log in to a host with no problem.

Then, for some reason (licensing?), we were switched to openvpn, which works for xfreerdp but not for ssh.

I don't have control over the institution's firewall (but I do have for the host itself)

Perhaps when installing the new service, they tightened up the firewall rules. But maybe there's a configuration screw I can turn, or ... maybe a USE flag?

 - - down-root : Enable the down-root plugin
 - - examples : Install examples, usually source code
 - - inotify : Enable inotify filesystem monitoring support
 - - iproute2 : Enabled iproute2 support instead of net-tools
 + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4)
 + + lzo : Enable support for lzo compression
 - - mbedtls : Use mbed TLS as the backend crypto library
 + + openssl : Use OpenSSL as the backend crypto library
 + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - pkcs11 : Enable PKCS#11 smartcard support
 + + plugins : Enable the OpenVPN plugin system
 - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking
 - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)

TIA