On 9/18/22 11:08, Michael wrote:
> On Sunday, 18 September 2022 08:52:13 BST William Kenworthy wrote:
>> On 18/9/22 15:26, n952162 wrote:
>>> Hello all,
>>>
>>> I want to ssh over my openvpn connection, and I can't do it, the
>>> connection times out.
>>>
>>> I saw a reference to gentoo in the openvpn scripts in /etc/openvpn and
>>> thought maybe somebody here knows something about this.
>>>
>>> Earlier my institution recommended openconnect, and I was able to use
>>> ssh to log in to a host with no problem.
>>>
>>> Then, for some reason (licensing?), we were switched to openvpn, which
>>> works for xfreerdp but not for ssh.
>>>
>>> I don't have control over the institution's firewall (but I do have for
>>> the host itself).
>>>
>>> Perhaps when installing the new service, they tightened up the firewall
>>> rules. But maybe there's a configuration screw I can turn, or ... maybe
>>> a USE flag?
>>>
>>> - - down-root : Enable the down-root plugin
>>> - - examples : Install examples, usually source code
>>> - - inotify : Enable inotify filesystem monitoring support
>>> - - iproute2 : Enabled iproute2 support instead of net-tools
>>> + + lz4 : Enable support for lz4 compression (as implemented in app-arch/lz4)
>>> + + lzo : Enable support for lzo compression
>>> - - mbedtls : Use mbed TLS as the backend crypto library
>>> + + openssl : Use OpenSSL as the backend crypto library
>>> + + pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
>>> - - pkcs11 : Enable PKCS#11 smartcard support
>>> + + plugins : Enable the OpenVPN plugin system
>>> - - systemd : Enable use of systemd-specific libraries and features like socket activation or session tracking
>>> - - test : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
>>>
>>> TIA
>> ssh and openvpn work well together. However I am doing most of the work
>> using my own configs - gentoo tries to be too clever with its vpn
>> networking and I've never been able to get it to work
>> reliably/acceptably. On some sites I have to use port 443 (https) to
>> get through, and in extreme cases double wrap in ssl (using a mix of
>> proxytunnel (windows host), stunnel and sslh) to disguise it's a vpn but
>> still separate it from regular https traffic on my firewall. You will
>> need to figure out where the ssh is getting blocked/stripped out - is
>> openvpn your endpoint or theirs?
>>
>> BillK
> Could it also be an issue with MTU being too large? It should be easy to test
> with:
>
> ping -c 1 -v -M do -s 1464 <IP_address>
>
> and decrease the packet size until it gets through. Then configure your client
> accordingly:
>
> https://community.openvpn.net/openvpn/wiki/271-i-can-ping-through-the-tunnel-but-any-real-work-causes-it-to-lock-up-is-this-an-mtu-problem
>

That was a good idea! Unfortunately, in this case it wasn't the cause:

-- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 331.754/331.754/331.754/0.000 ms
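Michael's suggestion above ("decrease the packet size until it gets through") is usually done by hand. The script below is an added example, not code from anyone in this thread, that automates it as a binary search over the ICMP payload size with the Don't-Fragment bit set, and converts the winning payload into a path MTU (payload + 20 bytes IPv4 header + 8 bytes ICMP header). The `ping` flags are those of Linux iputils, as in the quoted command; `fake_probe` is a constructed stand-in that pretends the path MTU is 1400 bytes so the search can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the thread): locate the largest DF-flagged ICMP
# payload that a path will carry, then derive the path MTU from it.

# Real probe: one ping with Don't-Fragment set and the requested payload size.
# Returns 0 only if an echo reply came back (Linux iputils ping syntax).
ping_probe() {
    # $1 = destination host or IP, $2 = ICMP payload size in bytes
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary search over payload sizes [lo, hi] with probe "$1" against host "$2".
# A probe that passes at size N is assumed to pass at every smaller size, which
# holds for a fixed path MTU. Prints the largest payload that got through
# (0 if even the smallest size failed).
find_max_payload() {
    probe=$1
    host=$2
    lo=${3:-0}
    hi=${4:-1472}   # 1472 + 28 = 1500, the usual Ethernet MTU ceiling
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Path MTU = ICMP payload + 20 (IPv4 header) + 8 (ICMP header).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Constructed offline probe (assumption for this example): behaves as if the
# path MTU were 1400 bytes, so payloads above 1372 are "dropped".
fake_probe() {
    [ "$2" -le 1372 ]
}

# Stand-alone usage with the constructed probe; swap in ping_probe and a real
# destination to measure an actual tunnel.
payload=$(find_max_payload fake_probe example.invalid)
echo "largest payload: $payload, path MTU: $(payload_to_mtu "$payload")"
```

Run it against the tunnel endpoint (`find_max_payload ping_probe <IP_address>`) once with the VPN up and once without; a noticeably smaller result inside the tunnel points at the encapsulation overhead. The MTU figure is what OpenVPN's `tun-mtu` and `mssfix` client directives (referenced in the wiki page Michael linked) are tuned from. A result that already matches the plain-network MTU, as in the reply above, means the problem lies elsewhere, for instance a filter on the SSH port at the far end.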