Netgate Discussion Forum

Cannot SSH over OpenVPN anymore

    sotirone, posted Jun 14, 2022, 12:03 PM (last edited by sotirone Jun 14, 2022, 1:05 PM)

    Hello, I just found an issue that I haven't encountered before and I can't find anything related in the logs.

    I have two pfSense firewalls connected through OpenVPN site to site. One was running 2.5.2, the other one is running 2.6.0.

    At some unknown point, ssh stopped working from the 2.5.2 LAN to the 2.6.0 LAN and vice versa. I have tried 3 Arch Linux machines on the 2.5.2 side and 1 Arch and 1 Ubuntu machine on the 2.6.0 side and all failed. SSH from the 2.5.2 machine itself to the 2.6.0 machine itself fails but works the other way around. I also tried ssh with JuiceSSH on my Android smartphone but that goes through successfully for some reason!

    The 2.5.2 machine is running suricata. I tried disabling suricata and clearing the blocked hosts but it did not help.

    The only way I can ssh through the tunnel is by adding the option

    -c aes256-ctr

    which I randomly found online here: http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/

    I also tried updating the 2.5.2 box to 2.6.0 but that changed nothing as well.

    If I try without the option above, ssh just fails with: "Connection closed by 10.0.0.10 port 22". I am posting the -vvv output of the failed command below.

    $ ssh root@10.0.0.10 -vvv
    OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug2: resolve_canonicalize: hostname 10.0.0.10 is address
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/.ssh/known_hosts'
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/.ssh/known_hosts2'
    debug3: ssh_connect_direct: entering
    debug1: Connecting to 10.0.0.10 [10.0.0.10] port 22.
    debug3: set_sock_tos: set socket 3 IP_TOS 0x48
    debug1: Connection established.
    debug1: identity file /home/.ssh/id_rsa type 0
    debug1: identity file /home/.ssh/id_rsa-cert type -1
    debug1: identity file /home/.ssh/id_ecdsa type -1
    debug1: identity file /home/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/.ssh/id_ed25519 type 3
    debug1: identity file /home/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/.ssh/id_xmss type -1
    debug1: identity file /home/.ssh/id_xmss-cert type -1
    debug1: identity file /home/.ssh/id_dsa type -1
    debug1: identity file /home/.ssh/id_dsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_9.0
    debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
    debug1: compat_banner: match: OpenSSH_9.0 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 10.0.0.10:22 as 'root'
    debug3: record_hostkey: found key type ED25519 in file /home/.ssh/known_hosts:129
    debug3: load_hostkeys_file: loaded 1 keys from 10.0.0.10
    debug1: load_hostkeys: fopen /home/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
    debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,zlib@openssh.com,zlib
    debug2: compression stoc: none,zlib@openssh.com,zlib
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,zlib@openssh.com
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    Connection closed by 10.0.0.10 port 22

    Maybe related to: https://forum.netgate.com/topic/170784/unable-to-ssh-ftp-to-the-server ?

    Edit: I can confirm this started today at some point, probably in the morning. I have a ZFS automated backup service that runs at 03:00 am and that was successful. I tried running the service now manually and it failed with Connection closed.

    Edit2: OK, I seem to have solved it. I have set tun-mtu 1500; on the client (the previous 2.5.2 box) and now it is working. I think the server was setting the MTU at 1558. I don't know what changed today, maybe some ISP setting, but ssh is working now. I also don't know if I have to set any other settings, please tell me if you think I need to.
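A small triage helper, added here as an example and not part of the post or of pfSense/OpenSSH, that reads an ssh -vvv transcript like the one above and reports the handshake stage at which the peer closed. The point it encodes is the one this thread illustrates: a close right after "expecting SSH2_MSG_KEX_ECDH_REPLY", with TCP and KEXINIT already through, points at the tunnel dropping the first large packet (MTU/fragmentation) rather than at authentication. The sample log, milestone names and hint text are constructed assumptions based on the post's output.

```python
import re

# Constructed sample, abbreviated from the -vvv transcript in the post above.
SAMPLE_LOG = """\
debug1: Connection established.
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.0.0.10 port 22
"""

# Handshake milestones in the order a healthy session passes them.
MILESTONES = [
    ("Connection established.", "tcp"),
    ("SSH2_MSG_KEXINIT received", "kexinit"),
    ("expecting SSH2_MSG_KEX_ECDH_REPLY", "kex_reply"),
    ("SSH2_MSG_NEWKEYS received", "newkeys"),
    ("Authentication succeeded", "auth"),
]
KEX_REPLY_HINT = (
    "closed while waiting for KEX_ECDH_REPLY: TCP and the small KEXINIT packets "
    "got through but the server's first large packet never arrived; suspect path "
    "MTU / fragmentation inside the tunnel (on OpenVPN, compare tun-mtu on both ends)"
)
def triage(log: str) -> dict:
    """Return negotiated KEX, closing peer, last stage reached and a hint."""
    stage, kex, closed_by = "none", None, None
    for line in log.splitlines():
        m = re.search(r"kex: algorithm: (\S+)", line)
        if m:
            kex = m.group(1)
        for marker, name in MILESTONES:
            if marker in line:  # the last milestone seen wins
                stage = name
        m = re.search(r"Connection closed by (\S+) port \d+", line)
        if m:
            closed_by = m.group(1)
    if closed_by is None:
        hint = "no close seen during the handshake"
    elif stage == "kex_reply":
        hint = KEX_REPLY_HINT
        # sntrup761x25519 adds a ~1 KB post-quantum ciphertext to that reply.
        if kex and kex.startswith("sntrup761"):
            hint += "; the sntrup761 hybrid KEX makes this reply larger still"
    else:
        hint = "closed at stage '%s'; check sshd logs on the server" % stage
    return {"stage": stage, "kex": kex, "closed_by": closed_by, "hint": hint}
```

Feed it the full -vvv output (the indented transcript above works unchanged, since the matching tolerates leading whitespace) and compare the reported stage before and after changing the tunnel MTU.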

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.