Re: OpenVPN suddenly working one way only
- In reply to: Andrea Venturoli : "Re: OpenVPN suddenly working one way only"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 08 Jul 2024 12:21:18 UTC
<div><div><div>Hello!</div><div>At first, try to monitor ICMP route from B to A using traceroute when you have and don't have problem.</div><div>Maybe in case of problem traffic goes throught some router which blocks packets due to doss protections\overloading.</div><div> </div><div>Also, you can send UDP ping from B to A using</div><div>nping --udp -g [source_port] -p [dest_port] -c 1 --data-string "test" server_A (which ports to use you can see in tcpdump)</div><div>try to UDP ping and catch packets when everything is OK and not </div><div> </div><div>In addition to ICMP you can try to use record route in IP options (although IP list is limited) </div><div>nping --udp -g [source_port] -p [dest_port] -c 1 --data-string "test" --ip-options R server_A</div><div>and compare results</div><div> </div><div>Good luck.</div></div></div><div> </div><div>06.07.2024, 19:08, "Andrea Venturoli" <ml@netfence.it>:</div><blockquote><p>On 7/6/24 17:02, Rodney W. Grimes wrote:<br /> </p><blockquote> Are you pinging the inside or outside address of the vpn?<br /> If you cant even ping the outside IP of a VPN you have<br /> basic connectivity problems that must be fixed before even<br /> attempting a VPN.</blockquote><p><br />I'll recap:<br /><br />I've got two hosts: A and B, which are in differnt sites, connected to<br />the Internet with different ISPs.<br /><br />Pinging B's public IP from A's public IP, and vice versa, works, as does<br />any other TCP based protocol (http, ssh, etc...); I have no UDP based<br />protocol to test with; if it's needed I'll try and setup some.<br /><br />There's an UDP based OpenVPN tunnel originating from host A to host B:<br />usually it works perfectly, but once in a few months it stops (and will<br />usually start working again after some days/weeks).<br /><br />Other similar VPNs, which are present on both hosts, keep working.<br /><br />When the VPN does not work, packets do flow in one direction inside the<br />tunnel from A to B. From B to A, they do seem to exit the tunnel from<br />host B (according to tcpdump), but they never get to host A.<br /><br />It's not an MTU problem, as I tried ping, which uses very small packets.<br /><br />It's almost surely due to a problem with the UDP packets that implement<br />the VPN: again, according to tcpdump they go out host B, but never reach<br />host A.<br /><br />I tried stopping OpenVPN and starting it again: I got inconsistent<br />results and need to investigate better; in any case it doesn't help.<br /><br />Moving the VPN to a different port on host B allowed it to start working<br />again, but only for a few hours. After this time, the UDP packets from B<br />to A were getting lost again.<br /><br />I can't reboot these hosts freely: it would help to check if any of them<br />is the culprit or if it could be some router in the middle.<br /><br />I have no access to any router between A and B, but I'd be suprised they<br />would drop such packets.<br /><br />Now the VPN is working, again I don't know why, so I can't conduct any<br />more test.<br />I'm sure it will happen again, maybe in a few months.<br /><br /><br /> bye & Thanks<br /> av.<br /> </p></blockquote><div> </div><div> </div><div>-- </div><div>С Уважением,</div><div> </div><div> </div>