2.2 and 2.3 clients connect to the server and are completely happy.
2.4 clients connecting to the server get connected and... well. They have varying and intermittent issues. Pings work pretty much universally the whole time, but ssh or web things will work/break/work/break and be frustratingly unreliable. Sometimes they will time out in under a few minutes. Sometimes they will linger on without dying but be unusable. Almost all connections will become unusable within 30 minutes. Detuning to 2.3 and using the same config on the same client box removes all issues.
My question is, what is different about a 2.4 client that would have it behave this differently from a 2.3 client, with an identical config?
Things I've looked into:
- I'm aware of comp-lzo being deprecated, but it's still valid (and handled in my future 2.4 server)
- I turned the verbosity to 6, traffic appears to be passing whether an ssh command is working or failing.
- With verbosity at 6, the client parameters have some differences when I run it as 2.3 or 2.4, but nothing jumps out at me.
- There's no client firewall in play, and no drops/blocks observed on the server's iptables.
Server config:

script-security 2
up /etc/openvpn/udp/openvpn-up
down /etc/openvpn/udp/openvpn-down
port 1194
proto udp
dev tun0
ca /etc/openvpn/udp/keys/ca.crt
cert /etc/openvpn/udp/keys/server.crt
key /etc/openvpn/udp/keys/server.key
dh /etc/openvpn/udp/keys/dh.pem
crl-verify /etc/openvpn/udp/keys/crl.pem
server 10.8.248.0 255.255.252.0
client-connect /etc/openvpn/udp/plugins/client-connect
learn-address /usr/lib/openvpn/plugins/netfilter_openvpn.sh
push "dhcp-option DNS 10.8.72.15"
push "dhcp-option DOMAIN company.com"
keepalive 10 120
duplicate-cn
tls-auth /etc/openvpn/udp/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 255
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/udp-status.log
log-append /var/log/openvpn/udp-openvpn.log
verb 4
mute 20
plugin /usr/lib/openvpn/plugins/duo_openvpn.so /usr/lib/openvpn/plugins/duo_openvpn.py
script-security 3
management /var/run/openvpn-udp.socket unix
management-client-user root

Client config:

remote vpn.company.com 1194 udp
auth-user-pass
persist-key
tls-client
tls-auth private/ta.key 1
pull
ca private/ca.crt
dev tun
persist-tun
cert private/cert.crt
comp-lzo no
nobind
key private/key.key
cipher AES-256-CBC
resolv-retry infinite
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
script-security 2
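Since the verb 6 logs from the 2.3 and 2.4 clients "have some differences but nothing jumps out", a mechanical comparison of the negotiated option strings is a quicker way to spot the one that matters. The following is an added diagnostic script, not part of the original post: it pulls the `Local Options String` and `Expected Remote Options String` lines out of two OpenVPN log captures and reports every option whose presence or value differs. The two log excerpts are constructed samples shaped like OpenVPN's verbose output; their values (a dropped `comp-lzo` and a one-byte `link-mtu` change) are illustrative and are not taken from the poster's logs.

```python
import re

# Constructed sample log excerpts in the shape OpenVPN prints at verb >= 4.
# The option values are illustrative only, not the poster's real logs.
LOG_2_3 = """\
Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
"""
LOG_2_4 = """\
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
"""

# Tolerates both the bare form and the "(VER=V4)" form of the log line.
OPTS_RE = re.compile(r"(Local|Expected Remote) Options String[^']*'([^']*)'")


def parse_options(log_text):
    """Return {'Local': {opt: value}, 'Expected Remote': {opt: value}}."""
    found = {}
    for side, blob in OPTS_RE.findall(log_text):
        opts = {}
        for item in blob.split(","):
            key, _, value = item.strip().partition(" ")
            opts[key] = value  # flag-style options such as comp-lzo get ""
        found[side] = opts
    return found


def diff_options(log_a, log_b):
    """Per side, map each differing option to its (log_a, log_b) values."""
    a, b = parse_options(log_a), parse_options(log_b)
    report = {}
    for side in sorted(set(a) | set(b)):
        oa, ob = a.get(side, {}), b.get(side, {})
        changed = {}
        for key in sorted(set(oa) | set(ob)):
            if oa.get(key) != ob.get(key):
                changed[key] = (oa.get(key, "<absent>"), ob.get(key, "<absent>"))
        if changed:
            report[side] = changed
    return report


if __name__ == "__main__":
    for side, changes in diff_options(LOG_2_3, LOG_2_4).items():
        print(f"{side} options string differs:")
        for key, (old, new) in changes.items():
            print(f"  {key}: 2.3={old!r}  2.4={new!r}")
```

Feed it the real captures in place of the constructed strings; a `link-mtu` mismatch between peers is exactly the kind of difference that lets pings through while larger ssh or HTTP transfers stall, so it is worth checking first.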