I'm getting ssh timeouts from a client after ~55 seconds due to OpenVPN on one of my links. I do not think it's MTU because it happens even with no traffic going across the link, just sitting at a shell prompt after login.
FreeBSD client---EdgeRouter 1 (OpenVPN version 2.4.0)---FreeBSD server #1 (OpenVPN version 2.4.8) Fails
FreeBSD client------------------------------------------FreeBSD server #1 (via public IP) Works
FreeBSD client---Edgerouter 2 (Openvpn version 2.3.2)---FreeBSD server #2 (Openvpn version 2.4.4) Works
In all of the above the client is the same.
I've tried mssfix and fragment with no improvement. Adding ServerAliveInterval and/or TCPKeepAlive to ssh config does not help.
port 1194
dev tun
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
verb 3
explicit-exit-notify 1
local <SERVER PUBLIC IP ADDRESS>
proto udp4
mode server
tls-server
ca ca.crt
cert r4-server.crt
key r4-server.key
dh dh.pem
tls-auth r4-ta.key 0
topology subnet
server 172.16.6.0 255.255.255.0
push "route <Subnet on server> 255.255.255.224"
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
client-config-dir /usr/local/etc/openvpn/ccd
verb 3
route <CLIENT NET> 255.255.255.128 172.16.6.3
client-to-client
push "route <CLIENT NET> 255.255.255.128"
mtu-test # Added for testing
remote-cert-tls client
Client config
client
proto udp
remote <SERVER PUBLIC IP ADDRESS>
# udp port
port 1194
dev tun
nobind
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
remote-cert-tls server
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
Re: ssh timeouts (does not appear to be MTU)
Posted: Tue May 19, 2020 8:54 pm
by TinCanTech
Your server log file at --verb 4
Which means put the words "verb 4" into your configuration file and restart your server
Please use BBCODE [code]
Your client log file at --verb 4
Which means put the words "verb 4" into your configuration file and restart your client
Please use BBCODE [code]
Wed May 27 13:39:10 2020 MULTI: new connection by client 'scu1-r4-client' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Re: ssh timeouts (does not appear to be MTU)
Posted: Wed May 27, 2020 6:58 pm
by wayne_ovpn
There is only one connection using that config. If OpenVPN sees a new connection it should drop the old one.
Note that the OpenVPN connection stays up just fine. Pings continue to function.
ssh (only across the OpenVPN connection) times out after ~55 seconds
New ssh connections function just fine, for ~55 seconds.
Re: ssh timeouts (does not appear to be MTU)
Posted: Wed May 27, 2020 7:58 pm
by TinCanTech
Had you posted your complete logs then we would be able to see what came before this:
May 27 13:39:04 scu1 openvpn[4819]: SIGUSR1[soft,tls-error] received, process restarting
But you chose to omit those details .. so your guess is as good as mine ..
Re: ssh timeouts (does not appear to be MTU)
Posted: Wed May 27, 2020 8:10 pm
by wayne_ovpn
That is when I restarted OpenVPN on the client. Here is everything from the previous restart. There is nothing in the logs that indicates that the connection has issues.
There is nothing in the [OpenVPN] logs that indicates that the connection has issues
Because openvpn is behaving exactly as it should. Something on your network is not.
You understand that ssh does not need to be wrapped by a VPN at all?
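The two replies above disagree about whether the tunnel itself is at fault, and the one log line quoted (a SIGUSR1[soft,tls-error] restart) is exactly the kind of event that explains the symptom: every restart of the tunnel process drops established TCP sessions such as ssh, while ping keeps working because each echo is a fresh packet. The script below is an added example, not code from the thread or from the OpenVPN project. It pulls restart and duplicate-CN drop events out of OpenVPN logs in the two formats quoted in the thread (syslog lines from the client, OpenVPN's own timestamped format from the server) and measures how far apart the restarts are, so a regular interval close to the observed ssh timeout stands out. The sample log lines are constructed for the example; the year for syslog lines, which carry none, is an assumption passed in as a parameter.

```python
"""Extract tunnel restart / session-drop events from OpenVPN logs and
measure how often they recur. Added example; the log lines below are
constructed to mirror the two formats quoted in the thread."""
import re
from datetime import datetime

# Constructed sample: syslog lines as written by the FreeBSD client, plus
# one line in OpenVPN's own --log-append format as written by the server.
SAMPLE_LOG = """\
May 27 13:38:00 scu1 openvpn[4819]: Initialization Sequence Completed
May 27 13:39:04 scu1 openvpn[4819]: SIGUSR1[soft,tls-error] received, process restarting
May 27 13:39:10 scu1 openvpn[4819]: Initialization Sequence Completed
Wed May 27 13:39:10 2020 MULTI: new connection by client 'scu1-r4-client' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
May 27 13:40:08 scu1 openvpn[4819]: SIGUSR1[soft,tls-error] received, process restarting
May 27 13:40:14 scu1 openvpn[4819]: Initialization Sequence Completed
May 27 13:41:10 scu1 openvpn[4819]: SIGUSR1[soft,tls-error] received, process restarting
May 27 13:41:16 scu1 openvpn[4819]: Initialization Sequence Completed
"""

_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# "Wed May 27 13:39:10 2020 <message>"  (OpenVPN --log / --log-append format)
_OPENVPN_TS = re.compile(
    r"^[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4}) (?P<msg>.*)$")
# "May 27 13:39:04 host openvpn[pid]: <message>"  (syslog format, no year)
_SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ openvpn\[\d+\]: (?P<msg>.*)$")

# Event kinds worth counting; each pattern captures one detail string.
_EVENTS = [
    ("restart", re.compile(
        r"SIGUSR1\[(?P<detail>[^\]]+)\] received, process restarting")),
    ("duplicate_cn_drop", re.compile(
        r"MULTI: new connection by client '(?P<detail>[^']+)' "
        r"will cause previous active sessions")),
    ("init_complete", re.compile(r"(?P<detail>Initialization Sequence Completed)")),
]


def parse_line(line, assume_year=2020):
    """Return (timestamp, kind, detail) for a line of interest, else None.
    Syslog lines carry no year, so assume_year (an assumption) is used."""
    m = _OPENVPN_TS.match(line)
    if m:
        year = int(m.group("year"))
    else:
        m = _SYSLOG_TS.match(line)
        if not m:
            return None
        year = assume_year
    msg = m.group("msg")
    for kind, pat in _EVENTS:
        e = pat.search(msg)
        if e:
            hh, mm, ss = (int(x) for x in m.group("time").split(":"))
            ts = datetime(year, _MONTHS[m.group("mon")], int(m.group("day")), hh, mm, ss)
            return ts, kind, e.group("detail")
    return None


def parse_log(text, assume_year=2020):
    """All recognised events in the log, sorted by timestamp."""
    events = [parse_line(ln, assume_year) for ln in text.splitlines()]
    return sorted(e for e in events if e is not None)


def restart_intervals(events):
    """Seconds between consecutive tunnel restarts, in time order."""
    times = [ts for ts, kind, _ in events if kind == "restart"]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def summarize(text, assume_year=2020):
    """Counts per event kind, the restart intervals, and whether the
    restarts recur at a near-constant period (within 5 s of each other)."""
    events = parse_log(text, assume_year)
    counts = {kind: 0 for kind, _ in _EVENTS}
    for _, kind, _ in events:
        counts[kind] += 1
    intervals = restart_intervals(events)
    periodic = len(intervals) >= 2 and (max(intervals) - min(intervals)) <= 5
    return {"counts": counts, "restart_intervals_s": intervals, "periodic": periodic}


if __name__ == "__main__":
    # Usage: feed the client and server logs at --verb 4 through summarize().
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

If the restart intervals line up with the ssh drop time, the next step is the part of the log just before each SIGUSR1, which at verb 4 names the TLS error that triggered it; if there are no restarts at all, the tunnel really is stable and the cause is elsewhere on the path (a NAT or firewall state timeout on the router, for instance).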
Re: ssh timeouts (does not appear to be MTU)
Posted: Thu May 28, 2020 5:50 pm
by wayne_ovpn
OpenVPN is doing something odd. Note the original post; the same client talking to the same server has no issues when ssh is used to the public IP address, yet always times out after about a minute when using the OpenVPN connection.
While it might not be OpenVPN, I'd appreciate suggestions as to where else to look.