Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    OpenVPN 2.5.1 MSS problem, RDP freezes

    OpenVPN
    2
    4
    186
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      zabi last edited by

      Hi,
      I encountered problem on two different installations so I decided to create this topic - mayby someone is facing similar problem.

      Issue occurred after migrating from 2.4.5p1 to 2.5.1. In both environment I had to rollback to 2.4.5p1.
      On 2.5.1 OpenVPN is established correctly, RDP is connected smoothly and all looks ok... for few (up to 10) seconds. After this time RDP freezes and reconnect, after reconnection and few second of normal working it again hangs. OpenVPN connection itself is stable.
      Based on this I started digging around MTU, MSS and fragmentation. I tested in many combination "mssfix", "fragment", "tun-mtu", "link-mtu" and other similar OpenVPN statements. Nothing helped.

      Then I look closer to MSS and found these topics and bugs 1 2 3 4
      After setting MSS on the OpenVPN interface to 1420 issue with RDP vanished.

      I compare /tmp/rules.debug from 2.4.5p1 and 2.5.1 both look similar, but in my opinion in 2.5.1 it's not working correctly and it need addition manual configuration on VPN interface.

      I'll appreciate feedback from someone more familiar with iptables and how '/tmp/rules.debug' is interpreted.
      @viktor_g Mayby you will be able to look at it could be connceted with: IPv6 PPPoE MSS incorrect

      From my point of view below statements aren't working in 2.5.1 for OpenVPN, but I cannot prove that. :)

      scrub from any to <vpn_networks> max-mss 1398
      scrub from <vpn_networks> to any max-mss 1398
      

      Regards.

      2.4.5p1

      [2.4.5-RELEASE][admin@01]/root: grep scrub /tmp/rules.debug
      scrub from any to <vpn_networks> max-mss 1398
      scrub from <vpn_networks> to any max-mss 1398
      scrub on $WAN all    fragment reassemble
      scrub on $LAN all    fragment reassemble
      scrub on $V100_10_0_100_0 all    fragment reassemble
      scrub on $V102_10_0_102_0 all    fragment reassemble
      scrub on $V104_10_0_104_0 all    fragment reassemble
      scrub on $VPN_OpenVPN all    fragment reassemble
      [2.4.5-RELEASE][admin@01]/root: grep vpn_networks /tmp/rules.debug
      table <vpn_networks> { 10.0.16.0/24 10.0.16.0/24 10.150.40.10/32 10.202.91.0/24 10.245.254.0/24 }
      scrub from any to <vpn_networks> max-mss 1398
      scrub from <vpn_networks> to any max-mss 1398
      [2.4.5-RELEASE][admin@01]/root:
      

      2.5.1

      [2.5.1-RELEASE][admin@02]/root: grep scrub /tmp/rules.debug
      scrub from any to <vpn_networks> max-mss 1398
      scrub from <vpn_networks> to any max-mss 1398
      scrub on $WAN inet all    fragment reassemble
      scrub on $WAN inet6 all    fragment reassemble
      scrub on $LAN inet all    fragment reassemble
      scrub on $LAN inet6 all    fragment reassemble
      scrub on $V100_10_0_100_0 inet all    fragment reassemble
      scrub on $V100_10_0_100_0 inet6 all    fragment reassemble
      scrub on $V102_10_0_102_0 inet all    fragment reassemble
      scrub on $V102_10_0_102_0 inet6 all    fragment reassemble
      scrub on $V104_10_0_104_0 inet all    fragment reassemble
      scrub on $V104_10_0_104_0 inet6 all    fragment reassemble
      scrub on $VPN_1 inet all    fragment reassemble
      scrub on $VPN_1 inet6 all    fragment reassemble
      scrub on $VPN_OpenVPN inet all   max-mss 1380 fragment reassemble
      scrub on $VPN_OpenVPN inet6 all   max-mss 1360 fragment reassemble
      [2.5.1-RELEASE][admin@02]/root: grep vpn_networks /tmp/rules.debug
      table <vpn_networks> { 10.0.16.0/24 10.0.16.0/24 10.150.40.10/32 10.202.91.0/24 10.245.254.0/24 }
      scrub from any to <vpn_networks> max-mss 1398
      scrub from <vpn_networks> to any max-mss 1398
      [2.5.1-RELEASE][admin@02]/root:
      
      I 1 Reply Last reply Reply Quote 0
      • I
        iampowerslave @zabi last edited by

        @zabi I'm having a similar issue:
        https://forum.netgate.com/topic/163851/single-wan-openvpn-issue-can-connect-intermittent-access-to-network-2-5-1?_=1621430224292

        Which I believe is related to yours, and yesterday morning the OpenVPN client reconnected many times in a minute or so. I guess that while you use RDP as an example and fixed the issue for it, whatever the service is on the other side it is the same issue with all protocols.

        I must rollback to 2.4.5 but I have to be on-site to do it just in case, and then figure out if it gets stable again.

        Z 1 Reply Last reply Reply Quote 0
        • Z
          zabi @iampowerslave last edited by

          @iampowerslave If you still did not made a rollback, maybe try my workaround, to set up MSS on OpenVPN interface if you're have it configured this way. For me it was helpful and reassured me that the problems is somewhere around MTU and MSS. In one environment it's working two weeks in second one, with 100+ users, I'm still afraid to perform an upgrade. :)

          d31a7624-a02a-45f3-b806-d2502d0d39df-obraz.png

          I 1 Reply Last reply Reply Quote 0
          • I
            iampowerslave @zabi last edited by

            @zabi Hi!

            Thanks for that, but I'm not at the site and won't get crazy changing stuff. And when I get a chance to be at the site I'm going to just replace the VM HDD with a 2.4.5 version.

            Weird thing, today it behave as expected.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post