
I have a VPN tunnel to an OpenVPN server. The VPN is a Sophos VPN which uses OpenVPN under the hood. I do not know the server configuration nor can I change the server config. My tunnel endpoint is tun on Win 10 (OpenVPN 2.4.8) and its config looks like:

ip-win32 dynamic
client
dev tun
proto tcp
verify-x509-name "[...]"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
dev-node "OpenVPN"
pull-filter ignore redirect-gateway
route 192.168.20.0 255.255.255.0 vpn_gateway 3
<ca>
[...]
</ca>
<cert>
[...]
</cert>
<key>
[...]
</key>
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
remote [...] 8443

Now I have the issue that an SSH connection through the tunnel hangs at debug1: SSH2_MSG_KEXINIT sent (this is WSL ssh):

$ ssh -vvvv 192.168.20.147
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "192.168.20.147" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.20.147 [192.168.20.147] port 22.
debug1: Connection established.
[...]
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
[...]
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent

I captured the session with Wireshark and see that I get "TCP Previous segment lost":

No.  Time      Source          Destination     Protocol  Info
4    2.933875  10.81.234.15    192.168.20.147  TCP       54013 > ssh [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=8
5    3.305435  192.168.20.147  10.81.234.15    TCP       ssh > 54013 [SYN, ACK] Seq=0 Ack=1 Win=64480 Len=0 MSS=1240 WS=9
6    3.305511  10.81.234.15    192.168.20.147  TCP       54013 > ssh [ACK] Seq=1 Ack=1 Win=65536 Len=0
7    3.317162  10.81.234.15    192.168.20.147  SSHv2     Client Protocol: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r
8    3.335238  192.168.20.147  10.81.234.15    SSHv2     Server Protocol: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r
9    3.339937  10.81.234.15    192.168.20.147  TCP       [TCP segment of a reassembled PDU]
10   3.339948  10.81.234.15    192.168.20.147  SSHv2     Client: Key Exchange Init
11   3.635978  192.168.20.147  10.81.234.15    TCP       ssh > 54013 [ACK] Seq=42 Ack=42 Win=64512 Len=0
12   3.947955  192.168.20.147  10.81.234.15    TCP       [TCP Previous segment lost] ssh > 54013 [ACK] Seq=1122 Ack=1402 Win=64512 Len=0

I think this could be related to MTU so I played around setting the MTU on the SSH server and the OpenVPN client endpoint (various values from the default 1500 down to <1000). No changes.

I also tried using ping -f -l PKTSIZE 192.168.20.147 and the interesting part is that ping succeeds until PKTSIZE=71 and for PKTSIZE > 71 I get "Request timed out".

Note: On a different computer with the Sophos VPN Endpoint client but otherwise the same network, everything works as expected.

1 Answer


A long debug session fixed the issue. This is quite an intricate one.

It turns out that the client also reported Bad compression stub decompression header byte: 102 here and there.

My client is OpenVPN 2.4.8 but the server is OpenVPN 2.3.8. It seems there is a bug with compression. The client config has comp-lzo no (as can be seen above) but needs to be changed to comp-lzo yes.
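To make the answer concrete, here is an added model (not code from the question, the answer, or the OpenVPN project) of how a comp-lzo peer frames tunnel payloads and how the compression stub that a `comp-lzo no` client runs handles those frames; the header byte values and the 100-byte compression threshold are assumed to be those in OpenVPN's comp.h and lzo.h, and 102 is 0x66, the LZO header byte, which is the value the answer's client log line reports. With those assumptions, an ICMP echo with a 71-byte payload (99-byte IP packet) travels uncompressed and passes the stub, while 72 bytes crosses the threshold and the frame is dropped, matching the ping boundary seen in the question.

```python
from typing import Optional, Tuple

# Header bytes and threshold as defined in OpenVPN's comp.h / lzo.h
# (assumption: quoted from memory, verify against the source tree you run).
NO_COMPRESS_BYTE = 0xFA        # payload follows uncompressed
NO_COMPRESS_BYTE_SWAP = 0xFB   # uncompressed, first payload byte moved to the tail
LZO_COMPRESS_BYTE = 0x66       # payload is LZO-compressed; 0x66 == 102
COMPRESS_THRESHOLD = 100       # lzo.c never tries to compress shorter packets


def lzo_peer_frame(packet: bytes) -> bytes:
    """Frame a packet the way a peer running 'comp-lzo yes' does.
    Real OpenVPN keeps the LZO output only if it shrank the packet; the
    compressed body here is a constructed stand-in, only the header matters."""
    if len(packet) >= COMPRESS_THRESHOLD:
        return bytes([LZO_COMPRESS_BYTE]) + b"<constructed lzo body>"
    return bytes([NO_COMPRESS_BYTE]) + packet


def stub_decompress(frame: bytes) -> Tuple[Optional[bytes], Optional[str]]:
    """Mirror of comp-stub.c stub_decompress(), which a 'comp-lzo no' client
    runs: the framing is understood, but no algorithm is available.
    Returns (payload, None), or (None, log_line) when the frame is dropped."""
    if not frame:
        return None, "empty frame"
    header, body = frame[0], frame[1:]
    if header == NO_COMPRESS_BYTE_SWAP:
        # sender parked the first payload byte at the end to avoid a memmove
        return body[-1:] + body[:-1], None
    if header != NO_COMPRESS_BYTE:
        # the message the answer quotes from the client log (102 == 0x66)
        return None, f"Bad compression stub decompression header byte: {header}"
    return body, None


def icmp_echo(payload_len: int) -> bytes:
    """Constructed stand-in for an IPv4 ICMP echo: 20-byte IP header,
    8-byte ICMP header, then 'ping -l payload_len' bytes of data."""
    return b"I" * 20 + b"C" * 8 + b"p" * payload_len


def server_to_client(packet: bytes) -> Tuple[Optional[bytes], Optional[str]]:
    """Server frames with comp-lzo, client decodes with comp-lzo no."""
    return stub_decompress(lzo_peer_frame(packet))


if __name__ == "__main__":
    for size in (71, 72):
        payload, err = server_to_client(icmp_echo(size))
        print(f"ping -l {size}: {'delivered' if payload else 'dropped: ' + str(err)}")
```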
