John R. Graham, Administrator
Joined: 08 Mar 2005, Posts: 10789, Location: Somewhere over Atlanta, Georgia
Posted: Wed Apr 30, 2025 8:06 pm    Post subject: VPN Ignorance
I'm setting up a net-vpn/openvpn-based VPN server to allow my lab servers to be accessible to me while I'm on the road. It's a UDP/tun server setup roughly based on the OpenVPN Wiki article. I have a fairly robust initial setup (PKI-based bidirectional TLS authentication, certificate key usage verification, encrypted control channel) and have the routes in place such that my first on-the-road machine (a laptop) can ping (and receive responses from) select servers in my lab. Some services work (for example, my laptop can get DNS service from my lab DNS server) but others do not, including SSH, NFS, and HTTP/HTTPS.
As just one initial example, trying to SSH into a lab machine from "outside" begins the handshake, exchanges some information in both directions but hangs (from the client perspective) at
Code:
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Full handshake log is here.
So I guess my initial question is, best practices aside, with the proper routes in place (defined as, "those sufficient for ping"), is the VPN tunnel supposed to Just Work™ or do I not yet know something important? I did find the sshd_config "PermitTunnel yes" parameter (server side) and the ssh_config "Tunnel yes" parameter (client side) and set them.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

Hu, Administrator
Joined: 06 Mar 2007, Posts: 23532
Posted: Wed Apr 30, 2025 8:35 pm
As to whether the tunnel should work, maybe. Routes are necessary, as are appropriate firewall rules. However, per your ssh log, you established a TCP connection to the sshd and managed to exchange cipher preferences. That tells us that both the route and the firewall are fine. You would not have gotten that far with ssh if either of those were wrong. My first guess would be that you ran afoul of an MTU issue. Small packets will work. Large ones will get dropped, and hang the connection. Comparing your failed log with a successful one here, it looks like the next step would be for the sshd to send its host key. That is probably a fairly large packet, and could trigger an MTU problem. A packet capture of the failed connection would confirm. I suggest running it on both ends. I expect to see the server send its ssh key, get no response, and keep retransmitting. I expect the client to not see the server key, ever. If so, then you should check the MTU on the VPN interface.
PermitTunnel is not relevant here. That controls whether ssh/sshd are allowed to set up an ad-hoc VPN of their own, running inside the ssh connection.

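The two checks Hu describes (find the largest packet the tunnel actually carries, and look in a capture for one side resending the same segment without ever being answered) as an added example; this is not code from the thread or from OpenVPN. It assumes Linux iputils ping (whose -M do sets the DF bit), IPv4, a tunnel interface named tun0, and the sample capture lines are constructed, not a real trace.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the MTU diagnosis.
# Assumptions: Linux iputils ping (-M do sets DF), IPv4, tunnel
# interface tun0; all addresses below are constructed sample values.

# ICMP echo payload (ping -s) that produces an IPv4 packet of exactly
# $1 bytes on the wire: 20-byte IPv4 header + 8-byte ICMP header.
payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Largest packet size in [lo, hi] that reaches $1 through the tunnel
# with DF set.  Binary search, one DF ping with a 1 s timeout per step.
# If the result is below the tun interface MTU (ip link show tun0),
# the interface believes it can send packets the path cannot carry.
# Usage (tunnel must be up): probe_path_mtu 10.8.0.1 576 1500
probe_path_mtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -M do -c 1 -W 1 -s "$(payload_for_mtu "$mid")" "$host" >/dev/null 2>&1; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Read tcpdump -n output on stdin and report any data-carrying TCP
# segment that one side sent at least $1 times (default 3) with the
# same sequence range: the "server retransmits, client never answers"
# signature.  Run it on a capture from either end, e.g.
#   tcpdump -n -i tun0 port 22 | find_retransmits
find_retransmits() {
    awk -v min="${1:-3}" '
        /Flags \[P?\.\]/ && /length [1-9]/ {
            src = $3; seq = ""; len = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "seq")    { seq = $(i + 1); sub(/,$/, "", seq) }
                if ($i == "length") { len = $(i + 1) }
            }
            n[src " seq " seq " length " len]++
        }
        END { for (k in n) if (n[k] >= min) print k " sent " n[k] " times" }'
}

# Constructed capture as seen on the server side: the client's small
# segment is acknowledged, the server's 1100-byte reply (the host key
# exchange message) is sent four times and never acknowledged.
sample_capture() {
    cat <<'EOF'
12:00:00.100000 IP 10.8.0.2.51234 > 10.8.0.1.22: Flags [P.], seq 1:50, ack 1, win 502, length 49
12:00:00.100500 IP 10.8.0.1.22 > 10.8.0.2.51234: Flags [.], ack 50, win 509, length 0
12:00:00.101000 IP 10.8.0.1.22 > 10.8.0.2.51234: Flags [P.], seq 1:1101, ack 50, win 509, length 1100
12:00:00.300000 IP 10.8.0.1.22 > 10.8.0.2.51234: Flags [P.], seq 1:1101, ack 50, win 509, length 1100
12:00:00.700000 IP 10.8.0.1.22 > 10.8.0.2.51234: Flags [P.], seq 1:1101, ack 50, win 509, length 1100
12:00:01.500000 IP 10.8.0.1.22 > 10.8.0.2.51234: Flags [P.], seq 1:1101, ack 50, win 509, length 1100
EOF
}
```

Running `sample_capture | find_retransmits` prints `10.8.0.1.22 seq 1:1101 length 1100 sent 4 times`, which is exactly the pattern to look for in a real capture of the hung ssh session. If `probe_path_mtu` through the tunnel comes back smaller than the tun interface MTU, the usual remedies on the OpenVPN side are a lower `--tun-mtu`, a `--mssfix` value that clamps TCP MSS so ssh never emits a segment that large, or `--fragment` so OpenVPN splits oversized packets itself.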
John R. Graham, Administrator
Posted: Wed Apr 30, 2025 9:16 pm
Ah. Thank you! I've run into MTU issues in the past; should've thought of it. I'm off to mess with it a bit more. Will do captures if necessary.
- John

John R. Graham, Administrator
Posted: Thu May 01, 2025 11:47 am
You called it in one. Thanks again.
- John