From: n952162 <n952162@web.de>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] openvpn experience, anyone?
Date: Sun, 18 Sep 2022 13:35:33 +0200
Message-ID: <148de176-c757-4d44-7ed6-f241c12681f5@web.de>
In-Reply-To: <4771099.31r3eYUQgx@lenovo.localdomain>
On 9/18/22 11:08, Michael wrote:
> On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote:
>> On 18/9/22 15:26, n952162 wrote:
>>> Hello all,
>>>
>>> I want to ssh over my openvpn connection, and I can't do it, the
>>> connection times out.
>>>
>>> I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
>>> thought maybe somebody here knows something about this.
>>>
>>> Earlier my institution recommended openconnect, and I was able to use
>>> ssh to log in to a host with no problem.
>>>
>>> Then, for some reason (licensing?), we were switched to openvpn, which
>>> works for xfreerdp but not for ssh.
>>>
>>> I don't have control over the institution's firewall (but I do have for
>>> the host itself)
>>>
>>> Perhaps when installing the new service, they tightened up the firewall
>>> rules. But maybe there's a configuration screw I can turn, or ... maybe
>>> a USE flag?
>>>
>>> - - down-root : Enable the down-root plugin
>>> - - examples : Install examples, usually source code
>>> - - inotify : Enable inotify filesystem monitoring support
>>> - - iproute2 : Enabled iproute2 support instead of net-tools
>>> + + lz4 : Enable support for lz4 compression (as implemented in
>>> app-arch/lz4)
>>> + + lzo : Enable support for lzo compression
>>> - - mbedtls : Use mbed TLS as the backend crypto library
>>> + + openssl : Use OpenSSL as the backend crypto library
>>> + + pam : Add support for PAM (Pluggable Authentication Modules)
>>> - DANGEROUS to
>>> arbitrarily flip
>>> - - pkcs11 : Enable PKCS#11 smartcard support
>>> + + plugins : Enable the OpenVPN plugin system
>>> - - systemd : Enable use of systemd-specific libraries and features
>>> like socket
>>> activation or session tracking
>>> - - test : Enable dependencies and/or preparations necessary to
>>> run tests
>>> (usually controlled by FEATURES=test but can be
>>> toggled independently)
>>>
>>> TIA
>> ssh and openvpn work well together. However I am doing most of the work
>> using my own configs - gentoo tries to be too clever with its vpn
>> networking and I've never been able to get it to work
>> reliably/acceptably. On some sites I have to use port 443 (https) to
>> get through, and in extreme cases double wrap in ssl (using a mix of
>> proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but
>> still separate it from regular https traffic on my firewall. You will
>> need to figure out where the ssh is getting blocked/stripped out - is
>> openvpn your endpoint or theirs?
>>
>> BillK
> Could it also be an issue with MTU being too large? It should be easy to test
> with:
>
> ping -c 1 -v -M do -s 1464 <IP_address>
>
> and decrease the packet size until it gets through. Then configure your client
> accordingly:
>
> https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem
>
That was a good idea! Unfortunately, in this case it wasn't the cause:
-- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 331.754/331.754/331.754/0.000 ms
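
Michael's test (lower the -s size until a DF-flagged ping gets through) can be automated as a binary search. The script below is an added example, not part of the thread; the function names, the 500..1472 search range and the 2-second timeout are assumptions.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that crosses the tunnel with
# the Don't Fragment bit set, by binary search instead of manual stepping.

# probe SIZE HOST: true if one DF-flagged echo with SIZE payload bytes is
# answered. Same iputils flags as the ping in the thread, plus a 2 s timeout.
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# max_df_payload HOST [LOW] [HIGH] [PROBE_FN]
# Prints the largest payload in LOW..HIGH accepted by PROBE_FN.
# Fails (status 1) if even LOW is not answered: host down or ICMP filtered,
# in which case the result says nothing about MTU.
# The body is a subshell "( )" so the variables stay local in plain sh.
max_df_payload() (
    host=$1 lo=${2:-500} hi=${3:-1472} fn=${4:-probe}
    "$fn" "$lo" "$host" || exit 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop terminates
        if "$fn" "$mid" "$host"; then
            lo=$mid                        # fits: search upward
        else
            hi=$(( mid - 1 ))              # dropped: search downward
        fi
    done
    echo "$lo"
)

# Path MTU = ICMP payload + 8 (ICMP header) + 20 (IPv4 header).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Run against a host only when one is given on the command line.
if [ "$#" -ge 1 ]; then
    if size=$(max_df_payload "$1"); then
        echo "largest DF payload: $size bytes, path MTU: $(payload_to_mtu "$size")"
    else
        echo "no reply even at the lower bound; not an MTU result" >&2
        exit 1
    fi
fi
```

A result of 1472 (path MTU 1500) means no size in the search range was dropped on the path.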