This _might_ happen because of MTU issues. TCP has an advanced level of
negotiation, which UDP does not have: MSS.

It would be nice if you had compared packet sizes in both cases (and
had a deep look at MSS).

UDP is preferred; you should not use TCP without a strong reason.

On 4 Sep 2017 at 20:57, "Stuart Dallas" <stu...@stut.net> wrote:

> We’ve just tried TCP and the issue has gone away.
>
> Can anyone tell me why this happens? Also, what’s the reason for UDP being
> preferred over TCP?
>
> Thanks.
>
> -Stuart
>
> On 4 Sep 2017, 15:46 +0100, Илья Шипицин <chipits...@gmail.com>, wrote:
>
> Also, we observed very rare situations when switching to tcp instead of
> udp resolved similar issues (did not have a chance to dig deeper)
>
> Can you try to switch to tcp?
>
> On 4 Sep 2017 at 19:40, "Stuart Dallas" <stu...@stut.net> wrote:
>
>> Happy to provide the configs, but as noted the configuration works
>> perfectly when the server is on another internet connection.
>>
>> Server:
>>
>> local 0.0.0.0
>> port [redacted_port]
>> proto udp
>> dev cloudvpn
>> dev-type tun
>> ca cloud-ca.crt
>> cert cloud-server.crt
>> key cloud-server.key
>> dh cloud-dh2048.pem
>> topology subnet
>> server 10.10.1.0 255.255.255.0
>> ifconfig-pool-persist cloud-ipp.txt
>> client-config-dir cloud-ccd
>> keepalive 10 120
>> tls-auth cloud-ta.key 0
>> cipher AES-256-CBC
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> status cloud-openvpn-status.log
>> status-version 3
>> verb 3
>> mute 20
>>
>> Client:
>>
>> client
>> dev tun
>> proto udp
>> remote [redacted_ip] [redacted_port]
>> resolv-retry infinite
>> nobind
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> ca cloud-ca.crt
>> cert cloud-client.crt
>> key cloud-client.key
>> remote-cert-tls server
>> tls-auth cloud-ta.key 1
>> cipher AES-256-CBC
>> mute 20
>>
>> Thanks.
>>
>> -Stuart
>>
>> On 4 Sep 2017, 15:34 +0100, Илья Шипицин <chipits...@gmail.com>, wrote:
>>
>> Please, provide both server and client config.
>>
>> (We saw a similar situation, when the server was "comp-lzo yes" and the
>> client "comp-lzo no")
>>
>> On 4 Sep 2017 at 19:25, "Stuart Dallas" <stu...@stut.net> wrote:
>>
>>> We’ve got a very odd issue happening at a new customer’s site.
>>>
>>>
>>> The VPN is established quite happily at their site and unencrypted
>>> traffic through that VPN works perfectly (HTTP requests).
>>>
>>>
>>> However, encrypted traffic does not (HTTPS and SSH). SSH connections get
>>> this far before appearing to hang:
>>>
>>>
>>> <snip>
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
>>> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
>>> debug2: fd 3 setting O_NONBLOCK
>>> debug3: put_host_port: [10.10.1.1]:26513
>>> debug1: SSH2_MSG_KEXINIT sent
>>>
>>>
>>> This eventually times out.
>>>
>>>
>>> We moved the server to a standard broadband connection and everything
>>> works, including HTTPS and SSH connections.
>>>
>>>
>>> Is it possible there’s something on the path from their connection
>>> that’s causing this? As far as I’m aware all traffic through the VPN will
>>> appear as random bytes to anything it passes through, so I’m at a loss to
>>> explain this.
>>>
>>>
>>> Any help would be greatly appreciated.
>>>
>>>
>>> Thanks.
>>>
>>>
>>> -Stuart
>>>
>>>
>>> ------------------------------------------------------------
>>> ------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Openvpn-users mailing list
>>> Openvpn-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>>>
>>>
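
One way to compare packet sizes on the two connections, as the reply at the top of this thread suggests, is to binary-search the largest ping that crosses the path with the Don't Fragment bit set. This is an added example, not part of the original thread; it assumes Linux iputils `ping` and a path that answers ICMP echo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: measure the largest unfragmented IPv4 packet a path carries.
# Assumes Linux iputils ping (-M do sets DF, -s sets the ICMP payload size).

# probe SIZE HOST: succeeds if a DF-flagged echo with SIZE payload bytes is answered.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# largest_payload HOST [LOW] [HIGH]: binary search for the biggest payload that
# still gets a reply. HIGH defaults to 1472 (1500 - 20 IPv4 - 8 ICMP).
largest_payload() {
    host=$1; lo=${2:-0}; hi=${3:-1472}
    # If even the smallest probe fails, the host is unreachable or ICMP is
    # filtered, and the search would report a meaningless value.
    probe "$lo" "$host" || { echo "no reply at $lo bytes" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# path_mtu HOST: payload plus the 20-byte IPv4 and 8-byte ICMP headers.
path_mtu() {
    p=$(largest_payload "$1") || return 1
    echo $(( p + 28 ))
}

# tcp_mss_for MTU: largest TCP segment that fits (20 IPv4 + 20 TCP, no options).
tcp_mss_for() {
    echo $(( $1 - 40 ))
}

# Usage (run on the client):
#   path_mtu <server public address>   # outside the tunnel
#   path_mtu 10.10.1.1                 # inside the tunnel
```

Running both calls on the failing connection and on the working one shows whether the two paths carry different packet sizes; `tcp_mss_for` turns the in-tunnel result into the MSS that TCP sessions such as SSH would need to stay under.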