On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote:
> On 18/9/22 15:26, n952162 wrote:
> > Hello all,
> >
> > I want to ssh over my openvpn connection, and I can't do it, the
> > connection times out.
> >
> > I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
> > thought maybe somebody here knows something about this.
> >
> > Earlier my institution recommended openconnect, and I was able to use
> > ssh to log in to a host with no problem.
> >
> > Then, for some reason (licensing?), we were switched to openvpn, which
> > works for xfreerdp but not for ssh.
> >
> > I don't have control over the institution's firewall (but I do have for
> > the host itself).
> >
> > Perhaps when installing the new service, they tightened up the firewall
> > rules. But maybe there's a configuration screw I can turn, or ... maybe
> > a USE flag?
> >
> >  - - down-root : Enable the down-root plugin
> >  - - examples  : Install examples, usually source code
> >  - - inotify   : Enable inotify filesystem monitoring support
> >  - - iproute2  : Enabled iproute2 support instead of net-tools
> >  + + lz4       : Enable support for lz4 compression (as implemented in app-arch/lz4)
> >  + + lzo       : Enable support for lzo compression
> >  - - mbedtls   : Use mbed TLS as the backend crypto library
> >  + + openssl   : Use OpenSSL as the backend crypto library
> >  + + pam       : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
> >  - - pkcs11    : Enable PKCS#11 smartcard support
> >  + + plugins   : Enable the OpenVPN plugin system
> >  - - systemd   : Enable use of systemd-specific libraries and features like socket activation or session tracking
> >  - - test      : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
> >
> > TIA
>
> ssh and openvpn work well together. However I am doing most of the work
> using my own configs - gentoo tries to be too clever with its vpn
> networking and I've never been able to get it to work
> reliably/acceptably. On some sites I have to use port 443 (https) to
> get through, and in extreme cases double wrap in ssl (using a mix of
> proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but
> still separate it from regular https traffic on my firewall. You will
> need to figure out where the ssh is getting blocked/stripped out - is
> openvpn your endpoint or theirs?
>
> BillK

Could it also be an issue with MTU being too large? It should be easy to test with:

ping -c 1 -v -M do -s 1464

and decrease the packet size until it gets through. Then configure your client accordingly:

https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem
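The "decrease the packet size until it gets through" step above is easy to script. The following is an added example, not code from anyone in this thread: it binary-searches the largest ICMP payload that a DF-marked ping (Linux iputils `ping -M do`) will carry to a host, and derives the path MTU from it. The host name, the 1472-byte upper bound (1472 + 28 = 1500, the usual Ethernet MTU) and the 2-second per-probe timeout are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): locate the largest ICMP payload
# that passes a path with the Don't Fragment bit set, then report the
# path MTU. Requires Linux iputils ping (-M do sets DF, -s sets payload).

# probe_payload HOST SIZE
#   Exit 0 if one DF-marked ping with SIZE payload bytes is answered,
#   non-zero if it is too big for the path or the host does not answer.
#   Kept as a separate function so it can be swapped out when testing.
probe_payload() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST [LO] [HI]
#   Binary search between LO (default 0) and HI (default 1472, i.e. a
#   1500-byte Ethernet MTU) for the largest payload that passes.
#   Prints that payload size; exits 1 if even the smallest probe fails
#   (host down, ICMP filtered, or an MTU below LO).
find_max_payload() {
    host=$1
    lo=${2:-0}
    hi=${3:-1472}
    best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_payload "$host" "$mid"; then
            best=$mid          # this size passes; look for a larger one
            lo=$((mid + 1))
        else
            hi=$((mid - 1))    # too big (or dropped); look smaller
        fi
    done
    [ "$best" -ge 0 ] || return 1
    echo "$best"
}

# path_mtu HOST [LO] [HI]
#   Path MTU = largest passing payload + 8-byte ICMP header
#   + 20-byte IPv4 header.
path_mtu() {
    payload=$(find_max_payload "$@") || return 1
    echo $((payload + 28))
}

# Usage: ./pmtu.sh <host>   (only runs when a host argument is given)
if [ $# -gt 0 ]; then
    mtu=$(path_mtu "$1") || { echo "no DF-marked ping reached $1" >&2; exit 1; }
    echo "path MTU to $1: $mtu bytes"
fi
```

The value printed is the MTU of the path between you and the host you probed; probe the VPN peer through the tunnel as the thread suggests, and the result is what the linked wiki page expects you to feed into the client's MTU settings (OpenVPN's tun-mtu and mssfix directives are the usual knobs; which one applies depends on the setup described there).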