UDP port issue

sunilmh · Post by **sunilmh** » Mon Jun 06, 2011 1:38 pm

Hi,
OPenvpn is running on udp. I use putty to connect to remote machine using ssh.
Some times my putty session gets hanged and will have to start new session.
In some other case my client gets restarted, disconnects and connects again.

I suspect it could be udp issue, not sure on this.
Any input on the issue would help me a lot.

following are the config details,

server.conf
==========
;local a.b.c.d
ccd-exclusive
management localhost 7505
resolv-retry infinite

port 1194

;proto tcp
proto udp

;dev tap
dev tun

;dev-node MyTap

ca /usr/local/src/openvpn-2.1.4/easy-rsa/2.0/keys/ca.crt
cert /usr/local/src/openvpn-2.1.4/easy-rsa/2.0/keys/server.crt
key /usr/local/src/openvpn-2.1.4/easy-rsa/2.0/keys/server.key

dh /usr/local/src/openvpn-2.1.4/easy-rsa/2.0/keys/dh1024.pem

server 10.7.0.0 255.255.0.0

;ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge

push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

client-config-dir /usr/local/src/openvpn-2.1.4/test/ccd/

;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

;client-to-client
;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0

;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC

comp-lzo

;max-clients 100

;user nobody
;group nobody

persist-key
persist-tun

status openvpn-status.log

log /var/log/openvpn.log
;log-append openvpn.log

verb 6

;mute 20

client.conf
=======
client
float
;auth-user-pass
auth-nocache
dev tun
proto udp
remote 10.30.10.112 1194
nobind
ca ca.crt
cert /root/racs/jon.crt
key /root/racs/jon.key
remote-cert-tls server
comp-lzo
verb 1
ping 100
route remote_host default net_gateway

Thanks,
Sunil

Post by **janjust** » Mon Jun 06, 2011 2:51 pm

are you connecting via SSH over the OpenVPN tunnel, that is, to the VPN IP of the server?
if you suspect UDP is the issue, can you try using

Code: Select all

proto tcp

on both ends ?

sunilmh · Post by **sunilmh** » Tue Jun 07, 2011 5:51 am

Yes wil try with tcp.

My vpn clinet gives log,
=======================================================================

Tue Jun 7 10:40:40 2011 [TEST] Inactivity timeout (--ping-restart), restarting
Tue Jun 7 10:40:40 2011 TCP/UDP: Closing socket
Tue Jun 7 10:40:40 2011 Closing TUN/TAP interface
Tue Jun 7 10:40:40 2011 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jun 7 10:40:42 2011 WARNING: file '/root/test_app/jon.key' is group or others accessible
Tue Jun 7 10:40:42 2011 LZO compression initialized
=======================================================================

every 5-10 minutes it inititates the connection again with the server with above log.
Please let me know what does this log indicates.

Thanks,
Sunil

Post by **janjust** » Tue Jun 07, 2011 8:22 am

the message

Tue Jun 7 10:40:40 2011 [TEST] Inactivity timeout (--ping-restart), restarting

means that the client did not detect any activity on the VPN link and decided to restart; this is caused by the 'keepalive 10 120' option on the server, which is also pushed out to the client. This option is useful, and the fact that it continually restarts means there is something odd going on with your connection. Does this message occur only in udp mode? it may mean that udp traffic is intermittently lost between client and server, OR there is a firewall which is dropping udp packets (after a while).

sunilmh · Post by **sunilmh** » Tue Jun 07, 2011 1:38 pm

Thanks for your input JJK.

After running openvpn on tcp it has better performance than udp.
Still ssh disconnections are happening on tcp also but not as frequent as it was on udp.

I've couple of questions, any input on this helps me a lot.

1. What could be the other reasons of ssh disconnectivity with tcp port on openvpn ?
2. Is it recommended to use

proto tcp

for ssh access over openvpn always ?

- Sunil

Post by **janjust** » Tue Jun 07, 2011 3:09 pm

1. What could be the other reasons of ssh disconnectivity with tcp port on openvpn ?

usually problems like this are caused by a bad ISP or a bad router between the client and the server. Some wireless routers are also notoriously bad in keeping connections open

2. Is it recommended to use
proto tcp
for ssh access over openvpn always ?

normally people recommend against using tcp-over-tcp but in some cases it's unavoidable. If you cannot find the root cause of why udp traffic is getting lost then I'd simply stick with what more or less works

sunilmh · Post by **sunilmh** » Tue Jun 07, 2011 3:23 pm

Thanks a lot JJK

most of my queries are getting clarified by your valuable inputs

sunilmh · Post by **sunilmh** » Wed Jun 08, 2011 10:59 am

With the TCP connection also I'm getting ssh disconnection issues.
There are some packets dropped on tun0.

Is it the reason for disconnection issue ?

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxx.xxx Mask:255.255.255.0
inet6 addr: XXXX::XXXX:XXXX:XXXX:XXXX/XX Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:186047442 errors:0 dropped:0 overruns:0 frame:0
TX packets:148900628 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:106972729942 (99.6 GiB) TX bytes:91942706627 (85.6 GiB)
Interrupt:28 Memory:92000000-92012800

eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:xx.xx.xx.xxx Bcast:xx.xx.xxx.xxx Mask:255.255.0.0
inet6 addr: XXXX::XXXX:XXXX:XXXX:XXXX/XX Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29353078 errors:22 dropped:0 overruns:0 frame:22
TX packets:951384 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2236061462 (2.0 GiB) TX bytes:155767513 (148.5 MiB)
Interrupt:40 Memory:94000000-94012800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:19078 errors:0 dropped:0 overruns:0 frame:0
TX packets:19078 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13536165 (12.9 MiB) TX bytes:13536165 (12.9 MiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:xx.x.x.x P-t-P:xx.x.x.x Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3943366 errors:0 dropped:0 overruns:0 frame:0
TX packets:5503401 errors:0 dropped:2857 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:532071344 (507.4 MiB) TX bytes:4429899559 (4.1 GiB)

Post by **janjust** » Wed Jun 08, 2011 12:26 pm

I'm also seeing packets dropped on eth1 ; you could try increasing the txqueuelen using

Code: Select all

txqueuelen 1000

but it's a long shot...

Post by **maikcat** » Wed Jun 08, 2011 12:55 pm

hi there,

txqueuelen is already 1000...

just curious

what ips your eth0 and eth1 has?

can you also post the output of ethtool eth1?

Michael.

sunilmh · Post by **sunilmh** » Thu Jun 09, 2011 7:06 am

Hi maikcat,

please find teh below details.

eth0 (public ip): 11x.xxx.xxx.xxx
eth1 (private ip): 10.xx.xx.xx

ethtool eth1
Settings for eth1:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Link detected: yes

- Sunil

OpenVPN Support Forum

UDP port issue

UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue

Re: UDP port issue