pkgsrc-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
openvpn: actually works?
A long time ago I set up openvpn servers on a few systems, so I could
use the android client to get non-broken internet (at places that think
blocking random ports like xmpp is useful and courteous to guests). For
many years this was basically ok.
My setup has been UDP, and tun. The authentication setup is
unreasonable but I have that part ok. Everything today is NetBSD 9;
this is part of getting everything in order prepartory to updating to
10.
I have NAT set up from prefix/24 to the global IP address of the machine
(a mix of ipfilter and npf). I'm only, so far, trying to do v4.
Now I'm trying again after ignoring it for a year, and have found:
1) Sometimes, it seems like a client gets an address that isn't
$client_prefix.2, and routing does not work right. The combination of
tun being configured as point-to-point and the installed routes seems
off. I see
tun0: flags=0x8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.0.16.1/24 -> 10.0.16.2 flags 0x0
10.0.16/24 10.0.16.2 UGS - - - tun0
10.0.16.1 tun0 UHl - - - lo0
10.0.16.2 10.0.16.1 UH - - - tun0
and ping to 10.0.16.7 gets no route to host. It seems tun should be
in subnet mode, not p2p, separately from ip vs ethernet (tun vs tap),
or at least a subnet route should be added. On a different system
where the routing tables look similar, things are ok.
I think I traced this down to the subnet route going missing.
Stopping openvpn, destroying the tun, and restarting:
10.0.17/24 10.0.17.2 UGS - - - tun0
The question remains as to why the subnet route points to .2. But now
that machine works ok.
2) Connections to most places work ok, but I found that on one server,
https connections to a non-openvpn-related https server, on the vpn
server, with the same IP address, were failing, and tcpdump on tun0
showed syn, syn/ack, ack, and then a packet with 1300:1700 ish from
the client, leading to an ack of the syn. The first packet is
missing. Changing to TCP made this work, it seems. But TCP in TCP
isn't really a great thing.
I know I have more debugging to do. I know I should look at wireguard,
despite that being harder on netbsd9.
I'm really writing to ask "are you using openvpn and is it working or is
it not".
Other questions:
How often do you find yourself on a network where openvpn 1194 is
blocked, but other things worked?
Have you set up proxying over 443, which tends not to be blocked?
Home |
Main Index |
Thread Index |
Old Index