Re: OpenVPN suddenly working one way only

From: Andrea Venturoli <ml_at_netfence.it>
Date: Sat, 06 Jul 2024 16:07:47 UTC

On 7/6/24 17:02, Rodney W. Grimes wrote:

> Are you pinging the inside or outside address of the vpn?
> If you can't even ping the outside IP of a VPN you have
> basic connectivity problems that must be fixed before even
> attempting a VPN.

I'll recap:

I've got two hosts: A and B, which are in different sites, connected to
the Internet with different ISPs.

Pinging B's public IP from A's public IP, and vice versa, works, as does
any other TCP-based protocol (http, ssh, etc...); I have no UDP-based
protocol to test with; if it's needed I'll try and set up some.

There's a UDP-based OpenVPN tunnel originating from host A to host B:
usually it works perfectly, but once in a few months it stops (and will 
usually start working again after some days/weeks).

Other similar VPNs, which are present on both hosts, keep working.

When the VPN does not work, packets do flow in one direction inside the 
tunnel from A to B. From B to A, they do seem to exit the tunnel from 
host B (according to tcpdump), but they never get to host A.

It's not an MTU problem, as I tried ping, which uses very small packets.

It's almost surely due to a problem with the UDP packets that implement 
the VPN: again, according to tcpdump they go out host B, but never reach 
host A.

I tried stopping OpenVPN and starting it again: I got inconsistent 
results and need to investigate better; in any case it doesn't help.

Moving the VPN to a different port on host B allowed it to start working 
again, but only for a few hours. After this time, the UDP packets from B 
to A were getting lost again.

I can't reboot these hosts freely: it would help to check if any of them 
is the culprit or if it could be some router in the middle.

I have no access to any router between A and B, but I'd be surprised they
would drop such packets.

Now the VPN is working, again I don't know why, so I can't conduct any
more tests.
I'm sure it will happen again, maybe in a few months.


  bye & Thanks
	av.