Sometimes issues with OpenVPN udp via OpenVPN udp
Hello.
I have a very strange problem and am at my wits' end.
I am running a pfsense 2.4.5 with two internet lines:
wan1 - DHCP - cable (250/50) - primary
wan2 - PPPoE - vdsl (100/40) - backup

In addition to that I have a VPS which I use to get some fixed IPs. The VM and pfsense (as client) are connected via OpenVPN (udp).
Also there is an OpenVPN server (also udp) on the pfsense which uses one of the tunneled IPs (therefore OpenVPN udp via OpenVPN udp).
This VPN is used by about 20 clients, mostly Linux, some Windows.
This worked fine.

Now comes the problem.
The wan1 connection has problems at the moment, mainly some higher latency (~20ms) and some packet loss (~1%).
Now I discovered that with some Linux clients I sometimes have problems transferring data through the VPN.
Ping works
HTTP works
HTTPS does not work
SSH does not work
SMB does not work

If I switch the tunnel to the VPS from wan1 to wan2, everything works.
wan2 always works.

So my first idea was that the packet loss of wan1 somehow causes this problem.
BUT, why are there never problems with the Windows clients, and some of the Linux clients?
I never have problems with all of them at once, only some clients are affected at one time.

Then I thought: MTU problem.
But in both cases (wan1 active/wan2 active) I can ping endpoints through the VPN with a size of 1472.

Now the interesting part.
If I restart (or stop, wait a few minutes, start) the OpenVPN connection on an affected client or reboot the entire client system, nothing changes.
If I stop the connection, add 'link-mtu 1200' to the client config and then start the connection again, I get MTU mismatch messages, BUT it works.
If I then stop the connection again, revert the config change, start the connection again, IT WORKS AS WELL. Why?

I have no more ideas... :/
Is this a strange result of the packet loss and the double udp tunnels?
Is this a problem with stale udp connections with some routers along the way? (--nobind on the client did not help)

Maybe someone has a new idea or some explanation...
Thank you! :)