On 7/6/24 17:02, Rodney W. Grimes wrote:
> Are you pinging the inside or outside address of the vpn?
> If you can't even ping the outside IP of a VPN you have
> basic connectivity problems that must be fixed before even
> attempting a VPN.

I'll recap:
I've got two hosts: A and B, which are in different sites, connected to
the Internet with different ISPs.
Pinging B's public IP from A's public IP, and vice versa, works, as does
any other TCP based protocol (http, ssh, etc...); I have no UDP based
protocol to test with; if it's needed I'll try and set up some.
There's a UDP based OpenVPN tunnel originating from host A to host B:
usually it works perfectly, but once in a few months it stops (and will
usually start working again after some days/weeks).
Other similar VPNs, which are present on both hosts, keep working.
When the VPN does not work, packets do flow in one direction inside the
tunnel from A to B. From B to A, they do seem to exit the tunnel from
host B (according to tcpdump), but they never get to host A.
It's not an MTU problem, as I tried ping, which uses very small packets.
It's almost surely due to a problem with the UDP packets that implement
the VPN: again, according to tcpdump they go out host B, but never reach
host A.
I tried stopping OpenVPN and starting it again: I got inconsistent
results and need to investigate better; in any case it doesn't help.
Moving the VPN to a different port on host B allowed it to start working
again, but only for a few hours. After this time, the UDP packets from B
to A were getting lost again.
I can't reboot these hosts freely: it would help to check if any of them
is the culprit or if it could be some router in the middle.
I have no access to any router between A and B, but I'd be surprised they
would drop such packets.
Now the VPN is working, again I don't know why, so I can't conduct any
more tests.
I'm sure it will happen again, maybe in a few months.
bye & Thanks
av.
Hello!
First, try to monitor the ICMP route from B to A using traceroute, both when you have the problem and when you don't.
Maybe when the problem occurs, traffic goes through some router which blocks packets due to DoS protection/overloading.
Also, you can send a UDP ping from B to A using

    nping --udp -g [source_port] -p [dest_port] -c 1 --data-string "test" server_A

(you can see which ports to use in tcpdump).
Try the UDP ping and capture packets both when everything is OK and when it is not.
In addition to ICMP, you can try to use record route in the IP options (although the IP list is limited):

    nping --udp -g [source_port] -p [dest_port] -c 1 --data-string "test" --ip-options R server_A

and compare the results.
Good luck.
06.07.2024, 19:08, "Andrea Venturoli" <m...@netfence.it>:
--
Best regards,
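
A numbered-datagram probe for the one-way UDP test suggested in this message, as an added example that is not part of the thread: the sender runs on host B, the receiver on host A, and the receiver reports which sequence numbers never arrived and which source address and port the probes were seen from. The function names, the 8-byte probe format and the command-line arguments are assumptions made for this sketch.

```python
import socket
import struct
import sys
import time

MAGIC = b"UDPP"  # constructed marker so unrelated datagrams are ignored

def send_probes(dst, src_port, count=10, interval=0.2):
    """Host B side: send `count` numbered datagrams to dst=(host, port).
    src_port=0 lets the OS choose; use the tunnel's port to mimic it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("", src_port))
        for seq in range(count):
            s.sendto(MAGIC + struct.pack("!I", seq), dst)
            time.sleep(interval)
    finally:
        s.close()

def receive_probes(sock, expected, timeout=5.0):
    """Host A side: read probes from a bound UDP socket until all arrive
    or the timeout expires. Returns (received, missing, sources)."""
    seen = {}
    deadline = time.monotonic() + timeout
    while len(seen) < expected:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            data, addr = sock.recvfrom(2048)
        except socket.timeout:
            break
        if len(data) == 8 and data[:4] == MAGIC:
            seen[struct.unpack("!I", data[4:])[0]] = addr
    missing = [i for i in range(expected) if i not in seen]
    return sorted(seen), missing, set(seen.values())

if __name__ == "__main__":
    # usage: probe.py recv PORT COUNT | probe.py send HOST PORT SRC_PORT COUNT
    if sys.argv[1] == "recv":
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.bind(("", int(sys.argv[2])))
        got, missing, sources = receive_probes(rx, int(sys.argv[3]), timeout=30)
        print("received:", got, "missing:", missing, "seen from:", sources)
    else:
        host, port, src, count = sys.argv[2], *map(int, sys.argv[3:6])
        send_probes((host, port), src, count)
```

Binding to the tunnel's own port requires that OpenVPN is not holding it at that moment; running the same probe on an unrelated port pair gives a baseline to compare against.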