List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Date: Sat, 08 Mar 2025 15:35:10 -0500
From: "Dan Langille"
To: "Marek Zarychta", net@freebsd.org
Subject: Re: Errors over VPN - message authentication code incorrect

On Sat, Mar 8, 2025, at 1:02 PM, Dan Langille wrote:
> On Sat, Mar 8, 2025, at 11:15 AM, Marek Zarychta wrote:
>> On 8.03.2025 at 13:07, Dan Langille wrote:
>>> Hello,
>>>
>>> I am getting errors when transferring data over my VPN. I'm not sure why. I've recently replaced the gateway / firewall device. Previously, this VPN was stable and these types of transfers worked without error.
>>>
>>> Here is an example. mydev is behind the firewall. r720-02 is accessed over the VPN.
>>>
>>> [12:04 mydev dvl ~/tmp] % time scp -r dvl@r720-02.vpn.unixathome.org:bacula.dump .
>>> bacula.dump 0% 0 0.0KB/s --:-- ETAFssh_ssh_dispatch_run_fatal: Connection to 10.10.0.217 port 22: message authentication code incorrect
>>> scp: Connection closed
>>> scp -r dvl@r720-02:bacula.dump . 0.14s user 0.01s system 21% cpu 0.665 total
>>>
>>> If I try the scp direct, without using the VPN, the copy succeeds.
>>>
>>> Ideas please?
>>
>> Hello Dan,
>>
>> I'm not sure what type of VPN it is, but if it's OpenVPN, you might need
>> to add "tun-mtu 1400" on the server side. Please refer to PR 276838.
>
> Yes, this is OpenVPN 2.6.13 on FreeBSD 14.2
>
> I just tried "tun-mtu 1400" on the server side. I restarted all
> clients. Problem persists.
>
> I also added "mssfix" to the server, restarted server, restarted all
> clients. Problem persists. As I read the PR again, it mentions "As of
> today, kernel openvpn does not seem to support `mssfix`" - I'm not sure
> what "kernel openvpn" is.
>
> The server configuration contains 'disable-dco'.
>
> PR 276838 mentions DCO, so given it is disabled, wtf?
>
> I notice that the problem exists on all the OpenVPN clients except one.
> That client is on FreeBSD 14.2, the failing clients are all on FreeBSD
> 14.1 - hmmm. That is curious. Perhaps I should update one of the
> clients and try again.

I updated one host (tallboy) from FreeBSD 14.1 to FreeBSD 14.2 - initial tests are good.
Not seeing the problem on an scp which previously failed. Now doing
the real test: Bacula backup over OpenVPN - about 8-9GB.

I should know more by about 2145 UTC today - that's about how long that backup
should take, based on the February full backup.

-- 
Dan Langille
dan@langille.org