From: "Dan Langille"
To: "Marek Zarychta", net@freebsd.org
Date: Sat, 08 Mar 2025 13:02:54 -0500
Subject: Re: Errors over VPN - message authentication code incorrect
Message-Id: <0496b019-56c9-49f7-bd81-ad5a673bdcfa@app.fastmail.com>
In-Reply-To: <9ea41f25-5a89-47e3-8df2-f973d6f9e41d@plan-b.pwste.edu.pl>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Sat, Mar 8, 2025, at 11:15 AM, Marek Zarychta wrote:
> On 8.03.2025 at 13:07, Dan Langille wrote:
>> Hello,
>>
>> I am getting errors when transferring data over my VPN. I'm not sure why. I've recently replaced the gateway / firewall device. Previously, this VPN was stable and these types of transfers worked without error.
>>
>> Here is an example. mydev is behind the firewall. r720-02 is accessed over the VPN.
>>
>> [12:04 mydev dvl ~/tmp] % time scp -r dvl@r720-02.vpn.unixathome.org:bacula.dump .
>> bacula.dump 0% 0 0.0KB/s --:-- ETAFssh_ssh_dispatch_run_fatal: Connection to 10.10.0.217 port 22: message authentication code incorrect
>> scp: Connection closed
>> scp -r dvl@r720-02:bacula.dump . 0.14s user 0.01s system 21% cpu 0.665 total
>>
>> If I try the scp direct, without using the VPN, the copy succeeds.
>>
>> Ideas please?
>
> Hello Dan,
>
> I'm not sure what type of VPN it is, but if it's OpenVPN, you might need
> to add "tun-mtu 1400" on the server side. Please refer to PR 276838.

Yes, this is OpenVPN 2.6.13 on FreeBSD 14.2.

I just tried "tun-mtu 1400" on the server side. I restarted all clients. Problem persists.

I also added "mssfix" to the server, restarted server, restarted all clients. Problem persists. As I read the PR again, it mentions "As of today, kernel openvpn does not seem to support `mssfix`" - I'm not sure what "kernel openvpn" is. The server configuration contains 'disable-dco'. PR 276838 mentions DCO, so given it is disabled, wtf?

I notice that the problem exists on all the OpenVPN clients except one. That client is on FreeBSD 14.2, the failing clients are all on FreeBSD 14.1 - hmmm. That is curious. Perhaps I should update one of the clients and try again.

Thank you.

-- 
Dan Langille
dan@langille.org