OpenVPN Problem


I’m having problems communicating with a remote server, with openvpn. I can link with SSH ok, but the link stalls when viewing any but the smallest texts. I tried reducing the tun0 MTU, though only from 1500 to 1400, but this seemed to have no effect.

Before trying a larger reduction, I’d like to clarify two points.

Firstly, is it necessary to re-boot the remote machine for the change in MTU to come into effect?
Or is it sufficient to re-start the openvpn service?
(I’m reluctant to re-boot the remote machine unless it is essential.)

Secondly, must the MTU be changed at both ends?

Any info on these two points gratefully received.
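A client-side check the poster could run before guessing at MTU values, added here as an example and not part of the thread: it binary-searches the largest ICMP payload that crosses the tunnel path with the Don't-Fragment bit set and converts it to a path MTU. It assumes Linux iputils `ping` (`-M do`); the probe is pluggable so the search runs offline against a simulated path, and the host you pass as the first argument is a placeholder.

```shell
#!/bin/sh
# Find the largest ICMP payload that crosses a path with DF set and report
# the matching path MTU. The probe is a function name so the search logic
# can be exercised offline against a simulated path.

# Real probe (assumed Linux iputils ping): $1 = payload bytes, $2 = host.
# Returns 0 if an unfragmentable packet of that size got through.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# Simulated probe: the constructed path passes payloads up to
# SIM_MAX_PAYLOAD bytes (default 972, i.e. a 1000-byte path MTU).
probe_sim() {
    [ "$1" -le "${SIM_MAX_PAYLOAD:-972}" ]
}

# find_max_payload PROBE HOST LO HI
# Prints the largest payload in LO..HI for which PROBE succeeds (0 if none).
find_max_payload() {
    probe=$1; host=$2; lo=$3; hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# payload + 8 bytes ICMP header + 20 bytes IPv4 header = path MTU
payload_to_mtu() { echo $(( $1 + 28 )); }

# With a host argument, probe the real path (1472 = max payload for a
# 1500-byte MTU); without one, run against the simulated 1000-byte path.
if [ -n "$1" ]; then
    p=$(find_max_payload probe_ping "$1" 0 1472)
else
    p=$(find_max_payload probe_sim placeholder-host 0 1472)
fi
echo "largest DF payload: $p bytes -> path MTU $(payload_to_mtu "$p")"
```

Run it as `sh mtuprobe.sh 10.8.0.1` (the tunnel peer address is a placeholder) from the client while the tunnel is up; the reported path MTU minus OpenVPN's own overhead is the ceiling for `tun-mtu`.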

9 thoughts on - OpenVPN Problem

  • Timothy Murphy wrote on Sat, 08 Feb 2014 13:50:07 +0000:

    First, did you check that it works fine without OpenVPN (e.g. firewall open)?
    Second, what exactly are you doing/do you want to achieve?
    VPN makes sense if you go thru a triangle (client -> network a -> network b, where b allows access only from a) or if you want to secure certain kinds of remote connections, but encapsulating an SSH link with a VPN tunnel makes not much sense in my eyes.

    Kai

  • Kai Schaetzl wrote:

    It is not clear to me what you are saying.

    Are you saying that having set up OpenVPN, with a server and clients, it is not a good idea to login to a remote site with “ssh somewhere-vpn”?
    If so, what is the best way (in your opinion) to connect to a remote site?
    Most sites I have looked at suggest using network-manager-openvpn-kde (I’m running Fedora-20/KDE). I’d prefer not to involve NM if that can be avoided, as it seems to me to add an unnecessary step to the operation. Others suggest using some kind of OpenVPN GUI.

    Or are you saying that I should use SSH directly without VPN?
    In my case the remote site has a dynamic IP address, and while I run ddclient there are times when this does not work.

    In practice I maintain both connections as a safety precaution.

    But I am genuinely interested in the best way to use OpenVPN. All the documents I looked at online spent their time explaining at inordinate length how to setup OpenVPN. If anyone knows of a site with a simple explanation of how to use OpenVPN (preferably with the commands and responses during an actual session) I should be very grateful.

  • Timothy Murphy wrote:

    It’s down to the question about what you are needing to do. If you just need SSH access then SSH direct without VPN is just fine. SSH itself is encrypted and the VPN just encrypts the already encrypted traffic again and just slows things down.

    If you want other kinds of access to the remote machine, for example using protocols that don’t use SSL themselves, such as legacy ones like telnet or ftp, then I’d put that traffic through a VPN.

    The OpenVPN documentation has a quick setup section, or at least it used to. I found that a good way to get it going. But from your original post you were asking about MTU, suggesting that you are having network problems getting a reliable connection. Is a direct SSH connection reliable? From what you said it isn’t. I’d investigate why that is first as diagnosing OpenVPN issues with a flaky underlying network might get very confusing. Is the remote machine at a datacentre somewhere? Is your local network and its internet connection solid?

    :-) Ken

  • Direct SSH access might be impossible if the remote machine is behind a NAT. Using SSH through VPN is a very convenient solution in those cases. I also happen to use OpenVPN, for precisely that reason.

    HTH, :-)
    Marko

  • Ken Smith wrote:

    Thank you for your response. But I’m not really asking whether to use VPN or SSH (directly), I’m just asking the best way to use OpenVPN.

    I don’t want to use telnet or ftp – does anyone use ftp nowadays?

    I have OpenVPN set up; I found the brief instructions that come with CentOS openvpn (eg /etc/openvpn/2.0/README) perfectly adequate – what I’m asking about is the _use_ of OpenVPN.

    I’ve found that reducing the MTU to 1000 has solved this problem.

    It is perfectly reliable when it can be established. But occasionally there is a problem establishing it, essentially because the remote machine has a dynamic IP address.

    The remote machine is under my control (in a house in Italy). The internet connection there is rather slow (around 6Mb/s), but is pretty reliable (except during electric storms). The local network at my home in Ireland is fine, and the internet connection is good too (around 50Mb/s).

  • Sorry, what exactly are you asking for here? The implemented OpenVPN is nothing but a (virtual, distributed, etc…) LAN. Imagine several hosts connected together with a switch and a bunch of ethernet cables. It is used in the same way an ordinary LAN can be used.

    Imagine having several computers connected in a local network. How do you “use” this LAN? Well, you can ssh/ftp/ping among hosts, you can deploy various services among them (dns, nfs, samba, apache, mta, gaming servers, whatever…), and so on. The network is *virtual* in the sense that there are no physical cables and switches connecting the nodes directly. It is *private* because all communication is encrypted. But other than that, a VPN is simply a *network*, like any other network, and can be used in all the ways an ordinary network can.

    An additional usage point is managing access certificates — if you share your VPN with other people, you can issue certificates to all people who are supposed to join the network, revoke certificates from people you want to kick out of the network, etc.

    One obvious benefit of VPN is that the nodes can be widely distributed geographically, while still connected into a single (virtual) LAN. It is also completely immaterial how is any given node physically connected to the Internet — VPN is transparent to firewalls, NAT-s, etc.

    HTH, :-)
    Marko

  • Marko Vojinovic wrote:

    Thanks for your response.

    I’m interested to know how you – or anyone else implementing OpenVPN – actually uses it in practice. I use it to login to a remote computer over OpenVPN using ssh.
    (This is largely a safety measure, since a straightforward SSH connection sometimes fails because the remote machine has a dynamic address. But it is also simpler because it avoids firewall issues, as you say.)

    Someone suggested that using SSH with openvpn was foolish since “encapsulating an SSH link with a VPN tunnel makes not much sense”. So I’m interested to know how people in general use OpenVPN. Am I in fact unusual in using SSH with OpenVPN?

    I prefer not to run OpenVPN through NetworkManager because I have problems with NM anyway, and also I don’t run NM on the servers in question.

  • There are several different reasons to use it. One is to allow individual remote connections to a LAN, another is to connect two or more private LANs over the internet – which can work through NAT routers, another (with bridging) is to allow protocols that don’t route well to work remotely, and yet another is to make your source address appear to be somewhere else to bypass some restrictions. And in all cases the connection would be encrypted.

    For the individual connection to one server case that is always done over SSH there is not that much value added by openvpn, although the connections might be more robust with openvpn if you need to go through NAT or make the connection in the reverse direction. But it does open up other protocols to work remotely.

  • Well, I tend to support a number of people (Linux/computing noobs in general), maintaining their laptops and desktops.

    So each machine that I maintain is connected to my VPN, and I can access it whenever the client needs me to, wherever their laptop might be at the moment. Most of those machines are personal laptops, being carried all over the planet and connected to all sorts of networks. Any dynamic DNS stuff is useless for them, and they are typically behind some NAT in some third-party’s LAN, in a hotel room or a university wireless LAN or an airport or at home or… You get the picture.

    So having them all in my VPN is very efficient. I typically use SSH to access them, VNC if needed. I also roll an apache server on one of my machines, so that I can access it from client-side if needed. As far as fixing problems and maintenance goes, it’s the next best thing to having the machine in my office on my desk.

    The only two things I cannot troubleshoot are hardware problems and network access failures. :-)

    Best, :-)
    Marko