I am having an issue that I am having some trouble tracking down, and could
use a good shove in the right direction.

On OBSD 3.9 with PF and OpenVPN 2.0.5 I am getting some odd traffic.

OpenVPN runs over a tun interface, tcpdump is showing me:

11:33:41.980730 10.255.253.37.49664 > 10.10.80.116.135: S
4140027697:4140027697(0) win 8192 <mss 1368,nop,wscale 8,nop,nop,sackOK>
(DF)
11:33:41.981055 10.10.80.116.135 > 10.255.253.37.49664: S
3483761931:3483761931(0) ack 4140027698 win 16384 <mss 1460,nop,wscale
0,nop,nop,sackOK>
11:33:42.042679 10.255.253.37.49664 > 10.10.80.116.135: . ack 1 win 64 (DF)
11:33:42.044939 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1
win 64 (DF)
11:33:43.013161 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1
win 64 (DF)
11:33:43.013348 10.10.80.116.135 > 10.255.253.37.49664: . ack 117 win 65419
(DF)
11:34:31.698092 10.255.253.37.49664 > 10.10.80.116.135: R 117:117(0) ack 1
win 0 (DF)

On the lan interface I am getting:
11:33:41.980861 10.255.253.37.49664 > 10.10.80.116.135: S
4140027697:4140027697(0) win 8192 <mss 1368,nop,wscale 8,nop,nop,sackOK>
(DF)
11:33:41.980960 10.10.80.116.135 > 10.255.253.37.49664: S
3483761931:3483761931(0) ack 4140027698 win 16384 <mss 1460,nop,wscale
0,nop,nop,sackOK>
11:33:42.042730 10.255.253.37.49664 > 10.10.80.116.135: . ack 1 win 64 (DF)
11:33:42.044971 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1
win 64 (DF)
11:33:42.045104 10.10.80.116.135 > 10.255.253.37.49664: P 1:85(84) ack 117
win 65419 (DF)
11:33:43.013210 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1
win 64 (DF)
11:33:43.013310 10.10.80.116.135 > 10.255.253.37.49664: . ack 117 win 65419
(DF)
11:33:44.935524 10.10.80.116.135 > 10.255.253.37.49664: P 1:85(84) ack 117
win 65419 (DF)
11:33:50.951203 10.10.80.116.135 > 10.255.253.37.49664: P 1:85(84) ack 117
win 65419 (DF)
11:34:02.982517 10.10.80.116.135 > 10.255.253.37.49664: P 1:85(84) ack 117
win 65419 (DF)
11:34:26.935788 10.10.80.116.135 > 10.255.253.37.49664: P 1:85(84) ack 117
win 65419 (DF)
11:34:31.698176 10.255.253.37.49664 > 10.10.80.116.135: R 117:117(0) ack 1
win 0 (DF)

From this, it appears to me that 10.10.80.116 can send an ack for 117 as long
as no other data is included in the packet. When 10.10.80.116 tries to push
data up to 10.255.253.37, the packet never goes across the tun interface.

This pattern repeats on a regular basis.

As for the relevant pf rules:

pass quick on tun2 from 10.255.253.0/24 to any flags S/SA keep state label
"UserVPNAdmin"
pass quick on fxp0 from 10.10.80.0/24 to 10.255.253.0/24 flags S/SA keep
state label "UserVPNAdmin"

These are at the top of the filter rules.

I have googled around for this and tweaked a few settings here and there but
can't get any change in this behaviour.

Anyone have any suggestions on where I should spend time looking for a fix?

Thanks
Jim
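To compare the two traces mechanically rather than by eye, here is an added example (not part of Jim's post) that counts every TCP segment in both captures and reports what the LAN-side capture saw that the tun-side capture did not. It assumes fxp0 is the LAN interface and uses a trimmed, single-line-per-segment copy of the post's own traces as constructed sample input.

```python
import re
from collections import Counter

# Classic tcpdump TCP summary line: "hh:mm:ss.usec src.port > dst.port: FLAGS [seq:end(len)] [ack N] win ..."
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>[SPRF.]+)"
    r"(?: (?P<range>\d+:\d+\(\d+\)))?(?: ack (?P<ack>\d+))?"
)

# Constructed sample: the two traces quoted in the post, each segment re-joined onto one
# line, with the LAN side trimmed to two of the five retransmitted 84-byte pushes.
TUN_CAPTURE = """
11:33:41.980730 10.255.253.37.49664 > 10.10.80.116.135: S 4140027697:4140027697(0) win 8192 <mss 1368,nop,wscale 8,nop,nop,sackOK> (DF)
11:33:41.981055 10.10.80.116.135 > 10.255.253.37.49664: S 3483761931:3483761931(0) ack 4140027698 win 16384 <mss 1460,nop,wscale 0,nop,nop,sackOK>
11:33:42.042679 10.255.253.37.49664 > 10.10.80.116.135: . ack 1 win 64 (DF)
11:33:42.044939 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1 win 64 (DF)
11:33:43.013161 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1 win 64 (DF)
11:33:43.013348 10.10.80.116.135 > 10.255.253.37.49664: . ack 117 win 65419 (DF)
11:34:31.698092 10.255.253.37.49664 > 10.10.80.116.135: R 117:117(0) ack 1 win 0 (DF)
"""
LAN_CAPTURE = """
11:33:41.980861 10.255.253.37.49664 > 10.10.80.116.135: S 4140027697:4140027697(0) win 8192 <mss 1368,nop,wscale 8,nop,nop,sackOK> (DF)
11:33:41.980960 10.10.80.116.135 > 10.255.253.37.49664: S 3483761931:3483761931(0) ack 4140027698 win 16384 <mss 1460,nop,wscale 0,nop,nop,sackOK>
11:33:42.042730 10.255.253.37.49664 > 10.10.80.116.135: . ack 1 win 64 (DF)
11:33:42.044971 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1 win 64 (DF)
11:33:42.045104 10.10.80.116.135 > 10.255.253.37.49664: P 1:85(84) ack 117 win 65419 (DF)
11:33:43.013210 10.255.253.37.49664 > 10.10.80.116.135: P 1:117(116) ack 1 win 64 (DF)
11:33:43.013310 10.10.80.116.135 > 10.255.253.37.49664: . ack 117 win 65419 (DF)
11:33:44.935524 10.10.80.116.135 > 10.255.253.37.49664: P 1:85(84) ack 117 win 65419 (DF)
11:34:31.698176 10.255.253.37.49664 > 10.10.80.116.135: R 117:117(0) ack 1 win 0 (DF)
"""

def segments(capture):
    """Count segments by endpoints, flags, seq range and ack; timestamps and window are ignored."""
    counts = Counter()
    for line in capture.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m["src"], m["dst"], m["flags"], m["range"], m["ack"])] += 1
    return counts

def lost_between(outer, inner):
    """Segments seen more often on the outer (fxp0) capture than on the inner (tun2) one."""
    outer_c, inner_c = segments(outer), segments(inner)
    return {k: n - inner_c[k] for k, n in outer_c.items() if n > inner_c[k]}

if __name__ == "__main__":
    for (src, dst, flags, rng, ack), n in lost_between(LAN_CAPTURE, TUN_CAPTURE).items():
        print(f"{n}x {src} > {dst}: {flags} {rng or ''} ack {ack} seen on fxp0 but never on tun2")
```

Run against full captures from both interfaces, the only entries it should report are the data-bearing pushes from 10.10.80.116, which is exactly the asymmetry the post describes.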
