Re: openvpn: actually works?

To: Stephen Borrill <netbsd%precedence.co.uk@localhost>
Subject: Re: openvpn: actually works?
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Wed, 02 Apr 2025 20:39:49 -0400

Stephen Borrill <netbsd%precedence.co.uk@localhost> writes:

First, my mysterious bad connections were due to the rover being, at the
moment, using IPv6 while being behind a v6-in-v4 tunnel, where the gif
was set to 1280 (NetBSD default).  Changing the openvpn tun-mtu fixed
that, and then I set the the tunnel to 1480.

So my only remaining mystery is "the /24 route (for the rover subnet)
seems to randomly go missing on openvpn restart, sometimes".  Plus
various "MTU issues are hard", including "npf doesn't do ressembly".

>>  How often do you find yourself on a network where openvpn 1194 is
>>  blocked, but other things worked?
>
> Quite a lot, I do a lot of work in schools!

Thanks for the data point.   I will keep that in mind.

>>  Have you set up proxying over 443, which tends not to be blocked?
>
> Yes, I have set it up on 22, 443 and 1935 (some Windows media port)
> based on an outbound port scan. 443 is often blocked, but it does
> usually work through a proxy.

I guess that's CONNECT so your e2e is ok.

> However as an OpenVPN instance cannot do both UDP and TCP and
> client-to-client uses routing within the instance, a TCP connection
> doesn't work as well in my scenario as I lose access to the other
> clients.

With just rovers, I'd expect this to be ok, but thanks for the caution.

References:
- openvpn: actually works?
  - From: Greg Troxel
- Re: openvpn: actually works?
  - From: Stephen Borrill

Prev by Date: Re: [NetBSD 10.99.12 amd64] multimedia/phonon-qt5
Next by Date: [x11/qt5-qtdeclarative] missing pkg-config file in $PREFIX
Previous by Thread: Re: openvpn: actually works?
Next by Thread: net/wireguard-go: is it useful?
Indexes:

Home | Main Index | Thread Index | Old Index