Subject: Re: openvpn
From: John Johnstone
To: freebsd-questions@freebsd.org
Date: Tue, 23 Apr 2019 19:40:15 -0400
In-Reply-To: <0A8436BD-EFB8-4A54-B920-329096B89C5B@mail.sermon-archive.info>
List-Id: User questions

On 4/22/2019 8:53 PM, Doug Hardie wrote:
> I am trying to set up an openvpn server on my home network. Home machines are all running FBSD 12.0 Release. openvpn was installed as a package. The results are quite confusing.
>
> Ping from an external device works correctly to all the home machines. I can use tcpdump to see the request packets arriving at the openvpn server, being sent to the recipient machine, the response packets being sent from the recipient machine to the openvpn server, and then sent to the external device. The external device shows that the response was received with a reasonable response time given that it is a cell phone.
>
> However, when I try to access a web page on any of the servers, I see the same set of packets via tcpdump. In addition, if I run ktrace on the openvpn server, I see the encrypted packets from the client being received, the decrypted packets sent to the home server, the unencrypted response from the home server, and the encrypted response sent to the phone. However, the phone says that the server dropped the connection, or it shows a blank page.
>
> My first thought was that there was an encryption issue, but if that were the case, ping would not work. Checking the ping packets shows that they are encrypted between the phone and the openvpn server. Likewise, a routing issue in the home network does not seem to be the problem for the same reason. All the info I have found on the web about vpn indicates that a ping test should be sufficient. But, in this case it is not.
>
> Any ideas on how to track down the problem, or fix it? Thanks,
>
> -- Doug

My experience with OpenVPN is with pfSense which has always worked so I don't have any good suggestions.

You could try looking for the 3-way TCP handshake syn - syn-ack - ack with tcpdump for an incoming connection on the web server. Does the web server log show anything interesting? Anything in the OpenVPN server logging?

Might be difficult to arrange but testing from some hardware besides a phone would help; being able to run tcpdump on the external device side. This would allow verifying the 3-way TCP handshake at the client side.

It's not likely but an Ethernet duplex mismatch (full - half) can give strange results where a few ping packets work fine but anything faster than that produces trouble because of the high rate of collisions.

Perhaps review your OpenVPN server configuration compared to the OpenVPN client to be sure that everything is compatible between them.

- John J.
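One way to do the handshake check John suggests, as an added example that is not part of the original thread: it parses the summary lines that `tcpdump -n` prints and reports, for each client connection to the web server, whether the SYN, the SYN-ACK and the client's final ACK were all seen. The sample capture and its addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the per-segment summary line that "tcpdump -n" prints for TCP traffic.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
# Constructed sample capture with hypothetical addresses: an ICMP echo exchange
# (ignored, it is not TCP), one complete handshake, one SYN-ACK that never gets
# its final ACK, and one SYN that is never answered at all.
SAMPLE_CAPTURE = """\
19:40:15.100001 IP 10.8.0.6 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
19:40:15.100500 IP 192.168.1.10 > 10.8.0.6: ICMP echo reply, id 1, seq 1, length 64
19:40:16.000001 IP 10.8.0.6.51234 > 192.168.1.10.80: Flags [S], seq 100, win 65535, length 0
19:40:16.000400 IP 192.168.1.10.80 > 10.8.0.6.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
19:40:16.000900 IP 10.8.0.6.51234 > 192.168.1.10.80: Flags [.], ack 201, win 65535, length 0
19:40:17.000001 IP 10.8.0.6.51235 > 192.168.1.11.80: Flags [S], seq 300, win 65535, length 0
19:40:17.000400 IP 192.168.1.11.80 > 10.8.0.6.51235: Flags [S.], seq 400, ack 301, win 65535, length 0
19:40:18.000001 IP 10.8.0.6.51236 > 192.168.1.12.80: Flags [S], seq 500, win 65535, length 0
""".splitlines()


def handshake_status(lines):
    """Map (client, cport, server, sport) to 'complete', 'no-ack' or 'no-synack'."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ICMP, ARP, or anything else that is not a TCP segment
        src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
        if m["flags"] == "S":       # client -> server SYN opens the flow
            seen[(src, sport, dst, dport)].add("syn")
        elif m["flags"] == "S.":    # server -> client SYN-ACK; key by the client side
            seen[(dst, dport, src, sport)].add("synack")
        elif m["flags"] == ".":     # pure ACK; only counts once a SYN-ACK was seen
            key = (src, sport, dst, dport)
            if key in seen and "synack" in seen[key]:
                seen[key].add("ack")
    result = {}
    for key, steps in seen.items():
        if "syn" not in steps:
            continue  # flow began before the capture started; cannot judge it
        if "synack" not in steps:
            result[key] = "no-synack"  # server or the return path never answered
        elif "ack" not in steps:
            result[key] = "no-ack"     # SYN-ACK went out, client's ACK never arrived
        else:
            result[key] = "complete"
    return result
```

Feeding it captures taken on the web server and on the client side at the same time shows at which hop the handshake stops, which is the comparison the two tcpdump runs above are meant to make.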