openvpn: actually works?

To: pkgsrc-users%netbsd.org@localhost
Subject: openvpn: actually works?
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Tue, 01 Apr 2025 13:19:29 -0400

A long time ago I set up openvpn servers on a few systems, so I could
use the android client to get non-broken internet (at places that think
blocking random ports like xmpp is useful and courteous to guests).  For
many years this was basically ok.

My setup has been UDP, and tun.  The authentication setup is
unreasonable but I have that part ok.  Everything today is NetBSD 9;
this is part of getting everything in order prepartory to updating to
10.

I have NAT set up from prefix/24 to the global IP address of the machine
(a mix of ipfilter and npf).  I'm only, so far, trying to do v4.

Now I'm trying again after ignoring it for a year, and have found:

  1) Sometimes, it seems like a client gets an address that isn't
  $client_prefix.2, and routing does not work right.  The combination of
  tun being configured as point-to-point and the installed routes seems
  off.  I see

    tun0: flags=0x8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
            inet 10.0.16.1/24 -> 10.0.16.2 flags 0x0
    10.0.16/24       10.0.16.2        UGS         -        -      -  tun0
    10.0.16.1        tun0             UHl         -        -      -  lo0
    10.0.16.2        10.0.16.1        UH          -        -      -  tun0

  and ping to 10.0.16.7 gets no route to host.   It seems tun should be
  in subnet mode, not p2p, separately from ip vs ethernet (tun vs tap),
  or at least a subnet route should be added.  On a different system
  where the routing tables look similar, things are ok.

  I think I traced this down to the subnet route going missing.
  Stopping openvpn, destroying the tun, and restarting:

    10.0.17/24       10.0.17.2        UGS         -        -      -  tun0

  The question remains as to why the subnet route points to .2.  But now
  that machine works ok.


  2) Connections to most places work ok, but I found that on one server,
  https connections to a non-openvpn-related https server, on the vpn
  server, with the same IP address, were failing, and tcpdump on tun0
  showed syn, syn/ack, ack, and then a packet with 1300:1700 ish from
  the client, leading to an ack of the syn.  The first packet is
  missing.  Changing to TCP made this work, it seems.  But TCP in TCP
  isn't really a great thing.


I know I have more debugging to do.  I know I should look at wireguard,
despite that being harder on netbsd9.

I'm really writing to ask "are you using openvpn and is it working or is
it not".

Other questions:

  How often do you find yourself on a network where openvpn 1194 is
  blocked, but other things worked?

  Have you set up proxying over 443, which tends not to be blocked?

Follow-Ups:
- Re: openvpn: actually works?
  - From: Stephen Borrill

Prev by Date: RE: tiger vncserver continues running after exiting desktop
Next by Date: net/wireguard-go: is it useful?
Previous by Thread: tiger vncserver continues running after exiting desktop
Next by Thread: Re: openvpn: actually works?
Indexes:

Home | Main Index | Thread Index | Old Index