On Wednesday, 31 May 2023, Peter Naulls <pe...@chocky.org> wrote:

> I'm trying to track down a problem whereby using Windows VPN, some websites
> are accessible and some aren't. The problem is 100% OpenWrt, since it works over
> my regular WiFi router.
>
> Here's what I know (or think I know):
>
> All the VPN traffic uses UDP port 4500. This is (or should be) a pretty typical
> 22.03 NAT setup. The setup I'm testing against is with privatevpn.com, although
> the actual setup is something else, but the problem is the same.
>
> Using curl under Windows to try and isolate the problem and tcpdump
> under OpenWrt, mostly looking at br-lan. The upstream is a wwan0 AT&T
> connection.
>
> Looking at a fetch to https://www.google.com/ for example I can see there's
> traffic in both directions, the NAT seems to be working as expected and all
> works.
>
> However, if I try and fetch certain sites, and one in particular is
> https://gov.visuallabsinc.com/ then there's still traffic in both directions,
> but whatever is happening, it's not reaching the HTTP layer in curl and
> nothing appears there - just a hang.
>
> Here's some example traffic:
>
> 17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto UDP (17), length 144)
>     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x415), length 116
> 17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto UDP (17), length 144)
>     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x416), length 116

I am afraid the above is still single direction traffic.

> I have tried messing with the usual suspects - MTU, MSS, even put a
> forward rule in the firewall for UDP 4500, but I guess I'm missing something.
>
> Any suggestions on what else to look at or to try? Let me know if you need
> further details or better traces, etc.

Trying wireshark on the Windows host itself to collect the traffic before it enters the tunnel may help.

Verbose curl logging (-vvv) is another source of information.

Regards,

> Thanks!

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
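As an added diagnostic example (not code from the thread or from OpenWrt), the following Python parser reads `tcpdump -v` output, groups NAT-T (UDP 4500) ESP packets by peer pair and flags pairs that only ever show one direction and one SPI, which is the "single direction traffic" symptom pointed out in the reply. The embedded sample is constructed: it contains the two packets quoted in the thread plus invented reply packets for a made-up peer 203.0.113.5 with made-up SPIs, so a healthy pair can be seen beside the broken one.

```python
import re
from collections import defaultdict

# Matches the indented second line that `tcpdump -v` prints for each packet,
# e.g. "192.168.113.102.4500 > 89.187.170.130.4500: ... ESP(spi=0xc4a096e5,seq=0x415), length 116"
ESP_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*?"
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)"
)

def parse_esp_packets(capture_text):
    """Return (src, dst, spi, seq) for every UDP-encapsulated ESP packet in the dump."""
    packets = []
    for line in capture_text.splitlines():
        m = ESP_LINE.search(line)
        if m:
            packets.append((m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16)))
    return packets

def tunnel_direction_report(capture_text):
    """Per peer pair: packet count, whether both directions were seen, and the SPIs.

    An IPsec tunnel has one SA (one SPI) per direction, so a pair with a single
    SPI and a single direction means the client keeps sending and nothing comes back."""
    by_pair = defaultdict(lambda: {"directions": set(), "spis": set(), "count": 0})
    for src, dst, spi, _seq in parse_esp_packets(capture_text):
        entry = by_pair[tuple(sorted((src, dst)))]
        entry["directions"].add((src, dst))
        entry["spis"].add(spi)
        entry["count"] += 1
    return {
        pair: {"packets": e["count"],
               "bidirectional": len(e["directions"]) == 2,
               "spis": sorted(e["spis"])}
        for pair, e in by_pair.items()
    }

# Constructed sample: the two thread packets, then a made-up peer (203.0.113.5) with
# made-up SPIs 0x1111aaaa / 0x2222bbbb to show what a bidirectional pair looks like.
SAMPLE = """\
17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto UDP (17), length 144)
    192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x415), length 116
17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto UDP (17), length 144)
    192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x416), length 116
17:02:13.000001 IP (tos 0x0, ttl 255, id 43600, offset 0, flags [none], proto UDP (17), length 144)
    192.168.113.102.4500 > 203.0.113.5.4500: [no cksum] UDP-encap: ESP(spi=0x1111aaaa,seq=0x1), length 116
17:02:13.020002 IP (tos 0x0, ttl 52, id 9001, offset 0, flags [none], proto UDP (17), length 144)
    203.0.113.5.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: ESP(spi=0x2222bbbb,seq=0x1), length 116
"""

if __name__ == "__main__":
    for pair, info in tunnel_direction_report(SAMPLE).items():
        print(pair, info)
```

Feed it the real capture with `tcpdump -v -n -i br-lan udp port 4500` saved to a file; pairs reported as not bidirectional are the ones to chase with the host-side Wireshark capture.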