Date: Tue, 23 Apr 2019 17:36:33 -0700
From: Doug Hardie <bc979@lafn.org>
To: John Johnstone <jjohnstone.nospamfreebsd@tridentusa.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: openvpn
Message-ID: <9DABDBEC-B532-46F6-B09E-A65ED4EF5A1A@mail.sermon-archive.info>
In-Reply-To: <b7487e60-7ffd-1bd8-4078-9eef315ce87b@tridentusa.com>
References: <0A8436BD-EFB8-4A54-B920-329096B89C5B@mail.sermon-archive.info> <b7487e60-7ffd-1bd8-4078-9eef315ce87b@tridentusa.com>

> On 23 April 2019, at 16:40, John Johnstone <jjohnstone.nospamfreebsd@tridentusa.com> wrote:
>
> On 4/22/2019 8:53 PM, Doug Hardie wrote:
>> I am trying to set up an openvpn server on my home network. Home machines are all running FBSD 12.0 Release. openvpn was installed as a package. The results are quite confusing. Ping from an external device works correctly to all the home machines. I can use tcpdump to see the request packets arriving at the openvpn server, being sent to the recipient machine, the response packets being sent from the recipient machine to the openvpn server, and then sent to the external device. The external device shows that the response was received with a reasonable response time given that it is a cell phone.
>> However, when I try to access a web page on any of the servers, I see the same set of packets via tcpdump. In addition if I run ktrace on the openvpn server, I see the encrypted packets from the client being received. The decrypted packets sent to the home server. The unencrypted response from the home server, and the encrypted response sent to the phone. However, the phone says that the server dropped the connection, or it shows a blank page.
>> My first thought was that there was an encryption issue, but if that were the case, ping would not work. Checking the ping packets shows that they are encrypted between the phone and the openvpn server. Likewise a routing issue in the home network does not seem to be the problem for the same reason. All the info I have found on the web about vpn indicates that a ping test should be sufficient. But, in this case it is not.
>> Any ideas on how to track down the problem, or fix it? Thanks,
>> -- Doug
>
> My experience with OpenVPN is with pfSense which has always worked so I don't have any good suggestions. You could try looking for the 3-way TCP handshake syn - syn-ack - ack with tcpdump for an incoming connection on the web server. Does the web server log show anything interesting? Anything in the OpenVPN server logging?

Nothing unexpected.

>
> Might be difficult to arrange but testing from some hardware besides a phone would help; being able to run tcpdump on the external device side. This would allow verifying the 3-way TCP handshake at the client side.

As I indicated, tcpdump has been used on all connections. The connections are established and data is sent. The client just ignores it. Or, that's what it appears.

>
> It's not likely but an Ethernet duplex mismatch (full - half) can give strange results where a few ping packets work fine but anything faster than that produces trouble because of the high rate of collisions.

The connections work just fine. They are in use with other traffic.

>
> Perhaps review your OpenVPN server configuration compared to the OpenVPN client to be sure that everything is compatible between them.

I see nothing obvious between them.

>
> -
> John J.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"