Hello,

Where do you have the information from that this[1] is true?

Kind regards
Noel

[1] "In OpenVPN, it supports fragmenting large MTU inner tunnel packets and transmitting them as normal encrypted packets over the internet (but it is terribly insecure, open to MITM attacks)."

On 21.07.2018 15:23, Anvar Kuchkartaev wrote:
> It is possibly an MTU issue. Usually, when you use a tunnel with the strongSwan VPN,
> your MTU for the inner packet is less than 1500. When your client device tries to
> send a large MTU packet and your server cannot accept ICMP
> fragmentation-needed messages, that large packet is simply discarded. Also,
> if the server that hosts the website blocks ICMP fragmentation-needed, the same thing
> happens. In OpenVPN, it supports fragmenting large MTU inner tunnel packets
> and transmitting them as normal encrypted packets over the internet (but it is
> terribly insecure, open to MITM attacks).
>
> Recommended to use:
>
>     iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> on the VPN server. It will help resolve those issues. I also recommend allowing
> RELATED,ESTABLISHED state packets in both the INPUT and FORWARD chains of your
> server firewall, so that ICMP fragmentation-needed messages are let through.
>
> Anvar Kuchkartaev
> an...@aegissec.net
>
> From: Ahammerl
> Sent: Saturday, 21 July 2018 08:31
> To: users@lists.strongswan.org
> Subject: [strongSwan] Troubles with some websites depending on ISP via strongSwan VPN
>
> Hi,
>
> Connecting via the strongSwan VPN, using XAuth PSK, I have trouble visiting some
> websites (which don't seem to be blocking any IP in general). Could there be
> an issue with the route containing virtual host hops which are not available
> with all ISPs?
>
> In my test, I connect one time to the VPN with the Telekom ISP, another time with
> a regional ISP. Both connect well without problems and can visit most
> websites, incl. google, whatsmyip.com <http://whatsmyip.com> etc., properly,
> which confirms the VPN IP with success.
> However, trying to visit e.g. www.ip8.com <http://www.ip8.com/>, the 2nd
> connection is failing.
>
> For comparison, with OpenVPN on the same server, it works with both ISPs
> OK, visiting ip8.com <http://ip8.com> without trouble. With the strongSwan VPN
> as alternative, it fails to connect with the 2nd.
> Next, I compared the route with traceroute and mtr via the strongSwan VPN. This
> looks OK and it's the same route as I have when trying to connect from the
> VPN server itself to the website.
>
> Is there a known issue, or do you have a hint how to resolve this by
> configuration changes, if possible?
>
> Thank you!
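The MSS clamping rule recommended in the thread rewrites the MSS option of forwarded TCP SYN segments so that peers never send full-size segments that the tunnel cannot carry, which is why the website loads even when ICMP fragmentation-needed messages are dropped somewhere on the path. The following added example (not from the thread or from the strongSwan or netfilter projects) reproduces in Python what `TCPMSS --clamp-mss-to-pmtu` does to a single IPv4 SYN: it parses the TCP options, lowers an oversized MSS to path MTU minus 40 bytes (IPv4 + TCP headers), and repairs the TCP checksum. The addresses, ports and the path MTU of 1400 are constructed test values, not figures from the thread.

```python
"""Clamp the TCP MSS option of a SYN to the path MTU, as iptables TCPMSS does.

Constructed example: packets are built here in memory; nothing touches the network.
"""
import struct
from socket import inet_aton

IPV4_HDR_LEN = 20
TCP_FIXED_HDR_LEN = 20
IPPROTO_TCP = 6
TCP_SYN, TCP_RST = 0x02, 0x04
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_tcp_checksum(ip: bytes, tcp: bytes) -> bytes:
    """Recompute the TCP checksum over the IPv4 pseudo-header plus segment."""
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]          # zero the checksum field first
    return tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]


def tcp_checksum_ok(packet: bytes) -> bool:
    """A valid segment sums to zero when its own checksum field is included."""
    ip, tcp = packet[:IPV4_HDR_LEN], packet[IPV4_HDR_LEN:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Construct a minimal IPv4/TCP SYN carrying one MSS option (test input)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (TCP_FIXED_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                      data_offset << 4, TCP_SYN, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp), 0,
                     0x4000, 64, IPPROTO_TCP, 0, inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + fix_tcp_checksum(ip, tcp)


def read_mss(tcp: bytes):
    """Walk the TCP options; return (mss, offset of the MSS value) or (None, None)."""
    hdr_len = (tcp[12] >> 4) * 4
    i = TCP_FIXED_HDR_LEN
    while i < hdr_len:
        kind = tcp[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                                 # malformed option, stop parsing
            break
        if kind == OPT_MSS and length == 4:
            return struct.unpack("!H", tcp[i + 2:i + 4])[0], i + 2
        i += length
    return None, None


def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """Lower the MSS of SYN (not RST) segments to pmtu - 40 and fix the checksum.

    Segments that are not SYNs, carry no MSS option, or already fit are returned
    unchanged, matching the behaviour of '--tcp-flags SYN,RST SYN -j TCPMSS'.
    """
    ip, tcp = packet[:IPV4_HDR_LEN], packet[IPV4_HDR_LEN:]
    flags = tcp[13]
    if ip[9] != IPPROTO_TCP or not (flags & TCP_SYN) or (flags & TCP_RST):
        return packet
    mss, off = read_mss(tcp)
    limit = pmtu - IPV4_HDR_LEN - TCP_FIXED_HDR_LEN
    if mss is None or mss <= limit:
        return packet
    tcp = tcp[:off] + struct.pack("!H", limit) + tcp[off + 2:]
    return ip + fix_tcp_checksum(ip, tcp)


if __name__ == "__main__":
    # Constructed client SYN with a 1460-byte MSS crossing a 1400-byte tunnel path.
    syn = build_syn("10.0.0.2", "198.51.100.10", 40000, 443, 1460)
    clamped = clamp_mss_to_pmtu(syn, 1400)
    print("MSS before:", read_mss(syn[IPV4_HDR_LEN:])[0])
    print("MSS after: ", read_mss(clamped[IPV4_HDR_LEN:])[0])
    print("checksum valid:", tcp_checksum_ok(clamped))
```

The rule only ever touches SYN segments because the MSS is negotiated once per connection; a SYN that already advertises a value at or below the limit passes through untouched. On a real gateway the path MTU comes from the route's cached PMTU or the tunnel interface MTU, which this constructed example replaces with a fixed value.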