[Solved] OpenVPN works over mobile tethering, but not on home router - MTU Problem

koolnez
OpenVpn Newbie
Posts: 3
Joined: Tue Jan 26, 2016 1:21 pm

[Solved] OpenVPN works over mobile tethering, but not on home router - MTU Problem

Post by koolnez » Tue Jan 26, 2016 4:51 pm

So this has got me utterly flummoxed. Hope the experts here can help me track this down.

The entire OpenVPN setup between home and office works without problem when I'm tethered over the mobile network, but doesn't work over the home router.

Mac OS X 10.11.4, Tunnelblick 3.5.5 (build 4270.4461)
Same issue observed with Windows 10, OpenVPN client 2.3.2

OVER HOME ROUTER
------------
(1) OpenVPN client is able to connect to server
(2) tun0 device is created, ip address is allocated
(3) routing table is setup, DNS is updated
(4) nslookup is able to resolve the server, ping is able to ping the server, traceroute is able to trace the route to server
(5) *BUT* when I try to connect to server in the browser, it times out with error. (Note that this is a https:// URL)
(6) curl is able to resolve the server name, connect to it, but finally drops the connection with the following error:


* SSLRead() return error -9806
* Closing connection 2
curl: (56) SSLRead() return error -9806

OVER MOBILE TETHERING
----------
All the above steps work without problem, browser connects happily to server, curl returns the html page.

So the questions are:

(1) What setting on the router could possibly be affecting the application level functioning AFTER the tunnel is setup?
(2) What information would you need to help debug this?
(3) Is there anything else I can try on the router? I've exhausted all possibilities I could think of on the router.

If it helps, the ISP is Distributel in Montreal, Canada. The router is a SMART/RG SR505n, firmware version 2.5.0.8

koolnez
OpenVpn Newbie
Posts: 3
Joined: Tue Jan 26, 2016 1:21 pm

Re: OpenVPN works over mobile tethering, but not on home rou

Post by koolnez » Tue Jan 26, 2016 7:08 pm

Update:

(1) I updated to 3.6Beta and compared the logs. They are exactly identical except for the timestamps, IP address of the gateways, and a few other places where time values were different.

(2) The apparent public IP change is not significant since all traffic is not routed over the VPN. And the same message is displayed in both cases ("Public IP address not changed").

(3) Specific routes are pushed from the server and they get successfully added to the routing table -- verified using netstat -nr

(4) I can reach the Internet without problem with OpenVPN connected on the home router. It's only the office VPN sites that are unreachable.

(5) Thanks for the tip on nslookup, etc. Is there a native tool that could be used on OS X?

(6) I used scutil --dns and got this response:


resolver #1
  search domain[0] : companyname.com
  nameserver[0] : 10.93.32.2
  nameserver[1] : 10.93.32.3
  nameserver[2] : 10.93.32.4
  if_index : 4 (en0)
  flags    : Scoped, Request A records
Reachable
Which seems to be correct.

(7) Running "dig" on the server also returns correct information.

(8) Running dscacheutil -q host -a name servername.com also returns the correct IP address.

So it seems that DNS issues may be ruled out.

koolnez
OpenVpn Newbie
Posts: 3
Joined: Tue Jan 26, 2016 1:21 pm

OpenVPN works over mobile tethering, but not on home router

Post by koolnez » Fri Jan 29, 2016 3:25 pm

Hello,

For posterity, I would like to post that the error was on account of an incorrect MTU size setting on the TCP packet in the router. The size was set to 1452 bytes instead of 1492 bytes. Because of that the SSL/TLS packet was fragmented and the server ACK was not received. On changing the MTU size, everything works perfectly!
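An added diagnostic, not part of this thread or of OpenVPN/Tunnelblick: a small Python path-MTU probe that binary-searches the largest Don't-Fragment ping that gets through to a host, which is the check that would have exposed the 1452-vs-1492 mismatch described above before guessing at router settings. The ping flags assume macOS/BSD (`-D`) or Linux (`-M do`), and `simulated_link` is a constructed stand-in for a real link so the script also runs offline.

```python
"""Path-MTU probe: find the largest IP packet that crosses a path without
fragmentation, using ICMP echo requests with the Don't-Fragment bit set.
Hypothetical helper written for this thread; not an OpenVPN tool."""
import subprocess
import sys
from typing import Callable

IP_ICMP_HEADER = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int) -> bool:
    """Send one DF ping carrying `payload` data bytes to `host`.
    Returns True when an echo reply arrived, False when the probe was
    dropped or rejected as too big. Flags differ per OS: macOS/BSD ping
    uses -D (set DF) and -t (timeout); Linux uses -M do and -W."""
    if sys.platform == "linux":
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-t", "2", "-D", "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest total IP packet size (bytes) that passes unfragmented, found by
    binary search over ICMP payload sizes between `lo` and `hi` packet sizes.
    `probe(payload)` must return True when a probe of that payload succeeds."""
    lo_payload, hi_payload = lo - IP_ICMP_HEADER, hi - IP_ICMP_HEADER
    if not probe(lo_payload):
        raise RuntimeError("even the minimum probe failed: host unreachable or ICMP blocked")
    while lo_payload < hi_payload:
        mid = (lo_payload + hi_payload + 1) // 2
        if probe(mid):
            lo_payload = mid      # mid fits, so the answer is at least mid
        else:
            hi_payload = mid - 1  # mid was dropped, so the answer is below mid
    return lo_payload + IP_ICMP_HEADER


def simulated_link(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: drops any DF probe larger than `mtu`."""
    return lambda payload: payload + IP_ICMP_HEADER <= mtu


if __name__ == "__main__":
    # Usage: python pmtu.py <vpn-server-host>; with no argument, run against a
    # simulated 1452-byte link like the misconfigured router in this thread.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda p: ping_df(host, p)) if host else simulated_link(1452)
    print(f"path MTU: {find_path_mtu(probe)} bytes (PPPoE links normally give 1492)")
```

Run it against the VPN server's address from the home connection and from the tethered one; a result below what the link should carry (1452 here instead of 1492) is the fragmentation problem the post describes.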

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: OpenVPN works over mobile tethering, but not on home rou

Post by Traffic » Fri Jan 29, 2016 4:30 pm

Thanks for letting us know your solution 8-)
