From: Ronald Klop
To: Andrea Venturoli
Cc: freebsd-net@freebsd.org
Date: Fri, 5 Jul 2024 11:31:40 +0200 (CEST)
Subject: Re: OpenVPN suddenly working one way only
Message-ID: <1689009862.4204.1720171900147@localhost>
In-Reply-To: <55aa094a-bdf3-40de-8dd8-097bf734dfb6@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

From: Andrea Venturoli <ml@netfence.it>
Date: Friday, 5 July 2024 11:18
To: freebsd-net@freebsd.org
Subject: OpenVPN suddenly working one way only

Hello.

Not sure this is a question for FreeBSD or for OpenVPN directly... I'll try here first.

I'm using OpenVPN quite heavily, as I have around 10 server-server tunnels, and several server-client installations.
They are all working properly except one, which will periodically start misbehaving.
Both ends are FreeBSD 13.3, the protocol is UDP and I'm using tun interfaces.

Simply put: handshake is fine, packets from host A to B get through, but packets from B to A do not.
I can run tcpdump on both tun interfaces:
_ if I ping A -> B, A sees packets going out, but none coming in, although B sees both;
_ if I ping B -> A, B sees packets going out, but A sees nothing.

Restarting openvpn on both ends does not help: handshake happens again, but the situation does not change. Looks more like a kernel/tun problem...
Possibly rebooting (A or B?) would solve, but I can't do that easily.
Also, I'm sure in some days (possibly weeks) it'll start working fine again by itself (!!!).

Notice that both ends have other OpenVPN tunnels to different systems and they keep working while this one is not.

Has anyone else seen something similar?
Anything to try/check now that I'm getting the problem and I have no urge to solve it?

  bye & Thanks
    av.

Of course this can be a firewall or routing issue somewhere in between the hosts blocking traffic from B to A.

Don't you see unencrypted traffic going in and out of tun? Or don't you see encrypted (but expected) traffic going through the "physical" network? Or both? Can you run tcpdump on the physical interfaces? What traffic do you see on the openvpn port?

Can you switch to TCP? That will give more errors when something is wrong with the connection, instead of just silently dropping packets as UDP can do.

Regards,
Ronald.
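As an added example (not Ronald's, Andrea's or OpenVPN's own code), a small helper that turns the four captures Ronald asks for (tun and physical interface on each end) into a statement of where the B -> A leg goes dark; the interface roles, the tun/physical addresses and UDP port 1194 in the sample lines are assumptions.

```python
# Added example: count packet direction in saved `tcpdump -n` output from
# the tun and physical interfaces on both ends, then name the first point
# where a B -> A ping disappears. Addresses and port 1194 are assumed.

def _host(addr):
    """Strip the trailing .port that tcpdump appends to UDP/TCP endpoints."""
    if addr.count(".") == 4 or (":" in addr and "." in addr):
        return addr.rsplit(".", 1)[0]
    return addr

def count_directions(lines, local_ip):
    """Return {'out': n, 'in': m} for packets sent from / to local_ip."""
    counts = {"out": 0, "in": 0}
    for line in lines:
        parts = line.split()
        if ">" not in parts:
            continue  # banner or other non-packet line
        i = parts.index(">")
        src, dst = _host(parts[i - 1]), _host(parts[i + 1].rstrip(":"))
        if src == local_ip:
            counts["out"] += 1
        elif dst == local_ip:
            counts["in"] += 1
    return counts

def triage_b_to_a(b_tun, b_phys, a_phys, a_tun):
    """Locate where a B -> A ping disappears, given the four direction counts."""
    if b_tun["out"] == 0:
        return "B: nothing enters tun; B is not routing this traffic via the tunnel"
    if b_phys["out"] == 0:
        return "B: plaintext on tun but no encrypted UDP leaves; OpenVPN/tun on B"
    if a_phys["in"] == 0:
        return "path: encrypted UDP leaves B but never reaches A; firewall/routing between"
    if a_tun["in"] == 0:
        return "A: encrypted UDP arrives but nothing on tun; OpenVPN on A is dropping it"
    return "B -> A leg passes all four points; check the A -> B return path instead"

# Constructed sample captures: tun addresses 10.8.0.1 (A) / 10.8.0.2 (B),
# physical addresses 198.51.100.7 (A) / 203.0.113.5 (B), OpenVPN on UDP 1194.
B_TUN = ["10:00:01.000001 IP 10.8.0.2 > 10.8.0.1: ICMP echo request, id 7, seq 1, length 64"]
B_PHYS = ["10:00:01.000400 IP 203.0.113.5.1194 > 198.51.100.7.1194: UDP, length 125"]
A_PHYS = ["10:00:01.000900 IP 203.0.113.5.1194 > 198.51.100.7.1194: UDP, length 125"]
A_TUN = []  # A's tun is silent, which is the symptom reported in the thread

if __name__ == "__main__":
    print(triage_b_to_a(count_directions(B_TUN, "10.8.0.2"),
                        count_directions(B_PHYS, "203.0.113.5"),
                        count_directions(A_PHYS, "198.51.100.7"),
                        count_directions(A_TUN, "10.8.0.1")))
```

Feed it the real captures (for example `tcpdump -ni tun0` and `tcpdump -ni <physical> udp port 1194` on each host, one file per capture) to see which of Ronald's questions the packets already answer.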