On Mon, Feb 9, 2015 at 1:22 PM, Gert Doering <g...@greenie.muc.de> wrote:
> This is unlikely to be the issue. It's most likely "some program
> received a packet on the eth0 address, responded to it, and the return
> route points to the VPN session" - in which case the packet is sourced
> from the eth0 address (always reply from the address you've been
> contacted on)...
Ah. I can try whittling down which program might be doing that. I
figured that this was related to some way that OpenVPN was handling
its traffic, but it makes sense that some program is just not behaving
correctly and doing what you suggested.
>> The client is inside a VM running on a laptop. When the client
>> connects, the address OpenVPN sees is the address of the host, which
>> makes sense given that the VM is using a NATed connection:
>
> My bet is on the NAT. If NAT state is lost, and the next packet ends
> up on a different external IP address or port, the server won't recognize
> you anymore ("no idea who that client is, drop packet").
Makes sense, although I'm not sure what the issue would be. I've
checked to see if it's the DHCP address given by the VM software
refreshing, and it isn't.
> You should be able to observe that using tcpdump on the server side
> - look for packets towards port 443 (where your daemon listens on)
> and observe if the source address/source port changes when things
> get "stuck".
I'll give that a try.
> If it's NAT state, and you can't fix the NAT, OpenVPN 2.3.7 on the
> client side and "git master" on the server side will bring a solution
> (TLS floating using peer-id). But 2.3.7 is not released yet and we're
> ironing out the last wrinkles on the server side.
Any chance "float" on the server side would help? I have it on the
client side and the documentation made me think it's a
client-side-only option but maybe it isn't?
Regardless, I could potentially try out TLS floating as suggested --
can you point towards any documentation about it (or perhaps the man
page in git master is already up-to-date)?
Thanks,
Jeff
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
