Hi everyone, I wrote about this issue in the forum and I was advised to post here as well so I'm following the advice. (Forum discussion: https://forum.openwrt.org/t/ssh-mtu-issues-on-openvpn-on-openwrt-21-02-rc3-linux-kernel-5-4-132/102686).
I upgraded a few devices which were running a custom build based on OpenWRT 21.02 (commit febf6db0d0) to the RC3 (Kernel 5.4.132) today and suddenly I can't SSH into the devices through the management openvpn tunnel anymore. I tried also upgrading to commit https://github.com/openwrt/openwrt/commit/2d5ee43dc6390d84620807c741d2cb0e272b49ce which bumps the kernel to 5.4.137, same issue. Trying "ping -M do -s 1400" on some devices with the old OpenWRT 21.02 build (kernel 5.4.128) works. The same on devices with new build (Kernel 5.4.132) doesn't work. On the new build, the max size that passes through the tunnel is 297: ping -M do -s 297. Anything higher than that doesn't work. I did not change anything in the configuration, only upgraded the firmware. The same happened a while ago while testing in a different installation in which we were also using wireguard so we just switched to wireguard, but now that this has happened twice in a row while upgrading devices I think there's a problem somewhere and I wonder if anybody else is suffering of the same issue? Can anyone shed some light on what is going on here? >From the research I have done, all is pointing to an MTU issue. Server conf: auth SHA1 ca ca.pem cert cert.pem cipher none comp-lzo adaptive dev tun0 dev-type tun dh dh.pem duplicate-cn group nogroup keepalive 10 120 key key.pem log /var/log/openvpn/tun0.log mode server mssfix 1450 mtu-disc no mute 3 mute-replay-warnings persist-key persist-tun port 1194 proto tcp-server reneg-sec 3600 script-security 1 server ******* 255.255.0.0 status /var/log/openvpn/tun0.status status-version 1 tls-auth ta.key 0 tls-server tls-timeout 2 topology p2p user nobody verb 1 Client conf: config openvpn 'tun0' option auth 'SHA1' option auth_nocache '1' option ca '/etc/x509/ca-1-openwisp-vpn-ca.pem' option cert '/etc/x509/client-ecea0196e4644edb9857b684f33e3d4b.pem' option cipher 'none' option comp_lzo 'adaptive' option dev 'tun0' option dev_type 'tun' option enabled '1' option fast_io '0' option float '0' option fragment '0' option group 'nogroup' option keepalive '10 120' option key '/etc/x509/key-ecea0196e4644edb9857b684f33e3d4b.pem' option log '/var/log/tun0.log' option mode 'p2p' option mssfix '1400' option mtu_test '0' option mute '3' option mute_replay_warnings '1' option nobind '1' option persist_key '1' option persist_tun '1' option proto 'tcp-client' option pull '1' option reneg_sec '3600' option resolv_retry 'infinite' option script_security '2' option tls_auth '/etc/x509/ta-management.key 1' option tls_client '1' option tls_timeout '2' option user 'nobody' option verb '1' list remote '********** 1194' OpenVPN version on clients with new firmare: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] library versions: mbed TLS 2.16.10 Originally developed by James Yonan Copyright (C) 2002-2021 OpenVPN Inc <sa...@openvpn.net> OpenVPN version on clients with older firmware: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] library versions: mbed TLS 2.16.10, LZO 2.10 Originally developed by James Yonan Copyright (C) 2002-2021 OpenVPN Inc <sa...@openvpn.net> (only LZO 2.10 changes). OpenVPN version on the server: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10 Originally developed by James Yonan Copyright (C) 2002-2018 OpenVPN Inc <sa...@openvpn.net> Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no SSH verbose output: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /root/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to <ip> [<ip>] port 22. debug1: Connection established. debug1: identity file /root/.ssh/id_rsa type 0 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa_sk type -1 debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: identity file /root/.ssh/id_ed25519_sk type -1 debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /root/.ssh/id_xmss type -1 debug1: identity file /root/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 debug1: Remote protocol version 2.0, remote software version dropbear debug1: no match: dropbear debug1: Authenticating to <ip>:22 as 'root' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY Best regards Federico Capoano _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
