End of my rope with OpenVPN


expressitech

Posts: 1
Joined: Fri Mar 06, 2009 11:09 am

Post by expressitech » Fri Mar 06, 2009 11:18 am
Hi all

I have been using OpenVPN for a few years now, connecting PCs with XP, Vista and various forms of Linux (Ubuntu, Gentoo, Slack) and now a few OS X Macintels.

The Macs were using Tunnelblick to connect with, and all was fine. Everything worked perfectly. We then moved the VPN server to another machine with an identical config file. Now every single Mac that connected to the old REFUSES to pass traffic to the new. Any new OS X machines that come on that have not connected before are absolutely fine. It is as if there is some sort of "memory" the OS keeps about packet traffic.

On the 3 machines that will not pass traffic, I downloaded the trial of Viscosity (which I will happily purchase for each one if it works) hoping it was simply the codebase Tunnelblick was drawn from. But alas, the exact same things happen:

1) Everything connects fine, and the static IPs pushed from the server are assigned
2) I look in Netstat and the routes are created. I even tried to manually create them using Viscosity
3) I watch from the server and see each machine connecting just fine. Routes added, no problems.
4) I can ping and telnet into the machines from the server
5) The client machine absolutely refuses to ping, telnet, browse or do anything useful to the gateway or any other machine on the subnet. It is as if there is absolutely nothing going through.

I watch the traffic in/out while doing a ping, or telnet or something, and it shows traffic moving, but on the server, nothing arrives. The internal subnet all three machines are on is 192.168.0.1 and the subnet for the VPN is 192.168.24.5 so there is no conflict.

Even MORE maddening is if I switch the connection's live IP back to the old server, it works perfectly well!

I am literally at the end of my rope here, troubleshooting an extremely frustrating connection issue for the better part of a full year. Is there ANYTHING someone can think of I can check client/server side to make the connection actually work? I will try just about anything at this point.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sun Mar 08, 2009 5:53 pm
Hi expressitech,

Is there any difference between the two servers network-wise? Different IP addresses? Different network topology? Are you using routing (TUN) or bridging (TAP)?
4) I can ping and telnet into the machines from the server
5) The client machine absolutely refuses to ping, telnet
So you're able to ping the client machines (through the VPN connection) from the server, but not ping the server from the client machines (again through the VPN)? If that's the case, it sounds like you could possibly have an MTU issue on your hands (assuming the routes are correct). However, without knowing more about the network structure this is simply one of the first things I would check, rather than an actual solution.

Try having a play with the mtu/fragment values (under the Networking tab), and also add the "mssfix" command on a new line (without quotes) in the Advanced commands section. You'll have to test and see which values work for you. I'd recommend starting at the following values, and lower them slightly each time if standard traffic still doesn't make it through:

Tun MTU: 1500
Fragment: 1200
And add "mssfix" (no quotes) as an advanced command
It is as if there is some sort of "memory" the OS keeps about packet traffic.
Well Mac OS X shouldn't retain any information about the network after a reboot.

If you are able to reply back with the client and server config files here (you may like to censor them first) I'll be able to get a better understanding of what is occurring. Alternatively you can email them to [email protected]

Regards,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
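The reply above suggests lowering the MTU/fragment values by trial and error. A quicker way to find the right starting point is to measure the path MTU between the client and the server's public address with Don't-Fragment pings. The script below is an added example, not code from this thread or from SparkLabs; it uses the stock `ping` flags for macOS (`-D`) and Linux iputils (`-M do`), binary-searches the largest ICMP payload that passes unfragmented, and turns the result into starting values for `tun-mtu`, `fragment` and `mssfix`. The 28-byte IPv4+ICMP and IPv4+UDP header sizes are standard; the 40-byte safety margin below the measured path MTU is this example's own assumption, not an OpenVPN rule.

```python
"""Path-MTU probe to pick starting OpenVPN tun-mtu / fragment / mssfix values.

Added example for the MTU-tuning advice in the thread; not part of the
original post. Usage: python pmtu.py <vpn-server-public-ip>
"""
import platform
import subprocess
import sys
from typing import Callable

IPV4_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IPV4_UDP_OVERHEAD = 28    # 20-byte IPv4 header + 8-byte UDP header
SAFETY_MARGIN = 40        # assumption: headroom below the measured path MTU
ETHERNET_PAYLOAD = 1472   # largest ping payload that fits a 1500-byte frame


def df_ping(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with the Don't-Fragment bit set.

    Returns True if a reply came back, False on loss or "message too long".
    macOS ping uses -D for DF; Linux iputils ping uses -M do.
    """
    if platform.system() == "Darwin":
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-W", str(timeout_s),
               "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True,
                              timeout=timeout_s + 1).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def largest_passing_payload(probe: Callable[[int], bool],
                            lo: int = 0, hi: int = ETHERNET_PAYLOAD) -> int:
    """Binary-search the largest payload for which probe() succeeds.

    Assumes the path is monotonic: if size n passes, every smaller size
    passes too. Returns -1 if even the smallest probe fails (host down or
    ICMP blocked), so the caller does not mistake that for an MTU problem.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits; the answer is mid or larger
        else:
            hi = mid - 1      # mid is too big; the answer is below it
    return lo


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Path MTU in bytes (IP packet size), or -1 if the probe never passes."""
    payload = largest_passing_payload(probe)
    return -1 if payload < 0 else payload + IPV4_ICMP_OVERHEAD


def suggest_openvpn_settings(mtu: int) -> dict:
    """Starting values derived from a measured path MTU.

    fragment/mssfix are kept well under the UDP payload the path can carry
    unfragmented. tun-mtu stays at 1500, as the reply in the thread suggests,
    and is only lowered when the measured MTU is already below that.
    """
    udp_payload = mtu - IPV4_UDP_OVERHEAD
    frag = udp_payload - SAFETY_MARGIN
    return {"tun-mtu": min(1500, mtu), "fragment": frag, "mssfix": frag}


def render_config_lines(settings: dict) -> str:
    """Lines to paste into the client's advanced OpenVPN commands."""
    return "\n".join(f"{key} {value}" for key, value in settings.items())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    measured = path_mtu(lambda size: df_ping(target, size))
    if measured < 0:
        print(f"no DF ping reply from {target}; check reachability/ICMP first")
    else:
        print(f"path MTU to {target}: {measured} bytes")
        print(render_config_lines(suggest_openvpn_settings(measured)))
```

Run it from the affected Mac against the new server's public address, then again against the old server; if the two paths report different MTUs, that difference rather than any client-side "memory" explains why only the migrated machines fail. A result of 1500 on both paths points away from MTU and back towards the routing or TUN/TAP questions in the reply.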