| 1 |
On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote: |
| 2 |
> On 18/9/22 15:26, n952162 wrote: |
| 3 |
> > Hello all, |
| 4 |
> > |
| 5 |
> > I want to ssh over my openvpn connection, and I can't do it, the |
| 6 |
> > connection times out. |
| 7 |
> > |
| 8 |
> > I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and |
| 9 |
> > thought maybe somebody here knows something about this. |
| 10 |
> > |
| 11 |
> > Earlier my institution recommended openconnect, and I was able to use |
| 12 |
> > ssh to login in to a host with no problem. |
| 13 |
> > |
| 14 |
> > Then, for some reason (licensing?), we were switched to openvpn, which |
| 15 |
> > works for xfreerdp but not for ssh. |
| 16 |
> > |
| 17 |
> > I don't have control over the institution's firewall (but I do have for |
| 18 |
> > the host itself) |
| 19 |
> > |
| 20 |
> > Perhaps when installing the new service, they tightened up the firewall |
| 21 |
> > rules. But maybe there's a configuration screw I can turn, or ... maybe |
| 22 |
> > a USE flag? |
| 23 |
> > |
| 24 |
> > - - down-root : Enable the down-root plugin |
| 25 |
> > - - examples : Install examples, usually source code |
| 26 |
> > - - inotify : Enable inotify filesystem monitoring support |
| 27 |
> > - - iproute2 : Enabled iproute2 support instead of net-tools |
| 28 |
> > + + lz4 : Enable support for lz4 compression (as implemented in |
| 29 |
> > app-arch/lz4) |
| 30 |
> > + + lzo : Enable support for lzo compression |
| 31 |
> > - - mbedtls : Use mbed TLS as the backend crypto library |
| 32 |
> > + + openssl : Use OpenSSL as the backend crypto library |
| 33 |
> > + + pam : Add support for PAM (Pluggable Authentication Modules) |
| 34 |
> > - DANGEROUS to |
| 35 |
> > arbitrarily flip |
| 36 |
> > - - pkcs11 : Enable PKCS#11 smartcard support |
| 37 |
> > + + plugins : Enable the OpenVPN plugin system |
| 38 |
> > - - systemd : Enable use of systemd-specific libraries and features |
| 39 |
> > like socket |
| 40 |
> > activation or session tracking |
| 41 |
> > - - test : Enable dependencies and/or preparations necessary to |
| 42 |
> > run tests |
| 43 |
> > (usually controlled by FEATURES=test but can be |
| 44 |
> > toggled independently) |
| 45 |
> > |
| 46 |
> > TIA |
| 47 |
> |
| 48 |
> ssh and openvpn work well together. However I am doing most of the work |
| 49 |
> using my own configs - gentoo tries to be too clever with its vpn |
| 50 |
> networking and Ive never been able to get it to work |
| 51 |
> reliably/acceptably. On some sites I have to use port 443 (https) to |
| 52 |
> get through, and in extreme cases double wrap in ssl (using a mix of |
| 53 |
> proxytunnel (windows host), stunnel and sslh) to disguise its a vpn but |
| 54 |
> still separate it from regular https traffic on my firewall. You will |
| 55 |
> need to figure out where the ssh is getting blocked/stripped out - is |
| 56 |
> openvpn your endpoint or theirs? |
| 57 |
> |
| 58 |
> BillK |
| 59 |
|
| 60 |
Could it also be an issue with MTU being too large? It should be easy to test |
| 61 |
with: |
| 62 |
|
| 63 |
ping -c 1 -v -M do -s 1464 <IP_address> |
| 64 |
|
| 65 |
and decrease the packet size until gets through. Then configure your client |
| 66 |
accordingly: |
| 67 |
|
| 68 |
https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem |
Archives