# problems masquerading to openvpn tun0 device [solved]

## helamonster

I recently got openvpn working (after a few troubles), but I am now experiencing a very strange problem. First of all, here is my setup:

On the openvpn server (Gentoo):

real ip (eth0): 10.9.61.1 (local ethernet)

real ip (eth1): w.x.y.z (internet)

real ip (wlan0): 192.168.1.1 (wireless)

vpn ip (tun0): 10.4.0.1 (virtual)

Routing is NOT enabled on wlan0

Routing IS enabled on tun0 to/from eth0 and eth1

On the openvpn client (Windows XP):

real ip (wifi dev): 192.168.1.10 (wireless)

vpn ip (TAP dev): 10.4.0.2 (virtual)

The openvpn connection seems to work fine. I can access the local 10.9.61.x lan and the internet... But, when attempting to access certain web sites, the Windows box never gets an HTTP response. I can see from the openvpn server that the HTTP request was received and forwarded to the internet, and that the reply from the internet was received, but it DOES NOT get forwarded back to tun0. 

The problem always happens with certain servers, and always works on certain other (most) servers.

I sniffed from the gentoo box using ngrep a working HTTP request/response and a non-working request/response.

Here's the traffic breakdown from a working site (www.google.com):

HTTP request from tun0 to internet:

10.4.0.2:3186 -> 64.233.161.99:80 [AP]

( captured by the gateway, masquerading... )

HTTP request from eth1 to internet:

w.x.y.z:3186 -> 64.233.161.99:80

HTTP response from internet to eth1:

64.233.161.99:80 -> w.x.y.z:3186 [AP]

( masquerading... )

HTTP response from internet to Windows box via vpn:

64.233.161.99:80 -> 10.4.0.2:3186 [AP]

The windows box receives the response

---

Here's the traffic breakdown from a NON-WORKING site (www.cinemark.com):

HTTP request from tun0 to internet:

10.4.0.2:3190 -> 64.202.65.15:80 [AP]

( captured by the gateway )

HTTP request from eth1 to internet:

w.x.y.z:3190 -> 64.202.65.15:80 [AP]

HTTP response from internet to gateway (2 packets)

64.202.65.15:80 -> w.x.y.z:3190 [A]

64.202.65.15:80 -> w.x.y.z:3190 [A]

( supposed to be masquerading... )

NO RESPONSE from internet to Windows box via vpn.

However, I do get a TCP packet which ethereal describes with "TCP Previous segment lost"

The client times out and resends HTTP request here, with same results

---

FYI:

I tried using both UDP and TCP openvpn modes, and I encountered the problem in both.

I have a squid HTTP proxy running on the gentoo box. When I connect to it from the Windows box through the VPN, I can access both web sites without any problem.

So it seems to be a problem with the masquerading, not the vpn. But when I disable the vpn altogether and just enable forwarding on plain old wlan0, everything works fine, which leads me to believe that it is a problem with openvpn. I'm just not sure anymore...

Anybody have any idea what's going on here?

Last edited by helamonster on Sat Sep 10, 2005 9:32 pm; edited 1 time in total

----------

## nielchiano

hmm, this looks like an MTU problem in combination with a braindead ISP...

My guess is:

to pass packets to a VPN tunnel, you need to add an additional header to it (not exactly, but the result is the same). This means that the packets you can send can't be as large.

The web servers don't know this, and send a full size packet (for LARGE webpages). Normally your server will see that the packets are too big to put over the VPN, and reply to the server with an ICMP message telling it to use smaller packets. Some stupid ISPs (maybe not yours, but somewhere in between) had the most genius idea to just drop all ICMP traffic (or maybe you did in your firewall???), and hence the server will not know.

To be sure that it is THIS situation, run tcpdump on the external (internet) interface. Use the option -v to make it print a little more. Post the result (if you want, with masked IPs).

----------

## nobspangle

I had problems with a windows-linux openvpn connection and found it was to do with the mtu size.

The windows version defaults to 1500. You need to set the linux end to be the same.

Try adding

tun-mtu 1500

to your config

----------

## helamonster

nobspangle:

I had already synchronized my tun-mtu values to 1500.

nielchiano:

My firewall was blocking all ICMP traffic, so I decided to accept all ICMP traffic to see if that would help. It did not.

After reading the "troubleshooting" section over on the openvpn site (which I only skimmed over before), I ran the MTU test (by adding mtu-test to my config), and used the "empirically measured" mtu value, 1572, in my mssfix/fragment options, as well as a higher mtu value, 1650, which I roughly determined worked better for me.

This seems to have fixed the problem (I have not been able to reproduce the problem yet). Although I understand the general idea of these options, I need to read more about them to determine the best values for my setup.

Thanks for your help, again. Now I am having another openvpn problem:

https://forums.gentoo.org/viewtopic.php?p=1546694

----------
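The mechanism nielchiano describes (a web server sending full-size DF segments, the gateway's ICMP "fragmentation needed" never making it back to the server because ICMP is filtered) and the reason the mssfix / MSS-clamping fix from the last post works, modelled as an added Python example. This is not code from the thread or from OpenVPN. The hop list, the 1400-byte effective tunnel MTU, the payload sizes and the retry count are constructed placeholders rather than values measured in the thread, and the model simplifies TCP by giving up on a segment after a fixed number of retransmissions and moving on, which is enough to reproduce the "large segment lost, small trailing segment arrives" pattern ("TCP Previous segment lost") seen in the capture.

```python
"""Path-MTU discovery across a VPN gateway: a small model of the failure in this thread.

Added example; the path, MTUs and sizes below are constructed, not measured.
"""
from dataclasses import dataclass, field
from typing import List, Optional

IP_HDR = 20          # IPv4 header, no options
TCP_HDR = 20         # TCP header, no options
MAX_RETRIES = 3      # how often the model resends an unacknowledged segment before giving up


@dataclass
class Hop:
    name: str
    mtu: int
    filters_icmp: bool = False   # True: ICMP "fragmentation needed" is dropped here or on the way back


@dataclass
class Result:
    delivered: List[int] = field(default_factory=list)   # sizes of segments that reached the client
    lost: List[int] = field(default_factory=list)        # sizes of segments the client never saw
    final_path_mtu: int = 0                              # what the server believes the path MTU is

    @property
    def complete(self) -> bool:
        return not self.lost


def forward(size: int, hops: List[Hop]) -> Optional[int]:
    """Push one DF packet of `size` bytes along `hops` (server side first).

    Returns None if the packet reaches the client, the MTU of the hop that dropped it
    (the value an ICMP type 3 / code 4 message would carry back), or -1 if the packet
    was dropped but the ICMP reply was filtered somewhere between that hop and the server.
    """
    for i, hop in enumerate(hops):
        if size > hop.mtu:
            # The ICMP error has to travel back through this hop and every hop before it.
            if any(h.filters_icmp for h in hops[: i + 1]):
                return -1
            return hop.mtu
    return None


def clamp_mss(tun_mtu: int) -> int:
    """MSS a client should advertise so that its peer's segments fit the tunnel MTU."""
    return tun_mtu - IP_HDR - TCP_HDR


def send_response(payload: int, hops: List[Hop], client_mss: int = 1460,
                  initial_pmtu: int = 1500) -> Result:
    """Server sends `payload` bytes of HTTP response as DF segments, shrinking them
    only if it hears ICMP. `client_mss` is the MSS option the client's SYN carried."""
    res = Result()
    pmtu = initial_pmtu
    remaining = payload
    while remaining > 0:
        mss = min(client_mss, pmtu - IP_HDR - TCP_HDR)
        chunk = min(mss, remaining)
        size = chunk + IP_HDR + TCP_HDR
        attempts = 0
        while True:
            outcome = forward(size, hops)
            if outcome is None:                 # arrived
                res.delivered.append(size)
                break
            if outcome > 0:                     # ICMP heard: lower the path MTU and resend
                pmtu = outcome
                mss = min(client_mss, pmtu - IP_HDR - TCP_HDR)
                chunk = min(mss, remaining)
                size = chunk + IP_HDR + TCP_HDR
                continue
            attempts += 1                       # black hole: silent loss, same size again
            if attempts >= MAX_RETRIES:
                res.lost.append(size)
                break
        remaining -= chunk
    res.final_path_mtu = pmtu
    return res


def gateway_path(tun_mtu: int = 1400, filters_icmp: bool = False) -> List[Hop]:
    """Constructed path, server side first. The tunnel's usable MTU is assumed to be
    below 1500 because of OpenVPN encapsulation; 1400 is a placeholder value."""
    return [Hop("internet", 1500), Hop("eth1", 1500), Hop("tun0", tun_mtu, filters_icmp)]


if __name__ == "__main__":
    # Small page: fits in one segment, works even with ICMP filtered (the google case).
    print(send_response(800, gateway_path(filters_icmp=True)))
    # Large page, ICMP allowed: server learns the smaller MTU and resends.
    print(send_response(4000, gateway_path()))
    # Large page, ICMP filtered: full-size segments vanish, only the short tail arrives.
    print(send_response(4000, gateway_path(filters_icmp=True)))
    # Same path, but the client's SYN advertised a clamped MSS (what mssfix does).
    print(send_response(4000, gateway_path(filters_icmp=True), client_mss=clamp_mss(1400)))
```

The third scenario is the thread's symptom: the two full-size segments from the server are black-holed while the short final segment still arrives, so the client reports a gap. The fourth shows why announcing a smaller MSS on the SYN (OpenVPN's mssfix, or an MSS clamp on the gateway's FORWARD chain) fixes it without depending on ICMP at all.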

