[Openvpn-users] problem with local TCP connections

  • Subject: [Openvpn-users] problem with local TCP connections
  • From: "Burkhardt, Jan" <Jan.Burkhardt@xxxxxx>
  • Date: Wed, 9 May 2007 15:28:32 +0200

I use OpenVPN 2.0.9 as a client on an embedded mips32 system with a modified 2.4.17mvl21 Linux kernel. The system has a ppp0 interface for UMTS WAN. The system has routing capabilities, realized with netfilter.

OpenVPN is installed and started with (example, I tried many configs):

openvpn --tls-client --client \
        --dev tun --dev-node /dev/misc/net/tun \
        --proto udp \
        --tun-mtu 1500 --fragment 1300 --mssfix \
        --remote ****.dyndns.org --cipher BF-CBC \
        --pkcs12 ****.p12 --ns-cert-type server \
        --verb 5 --ping 2

A corresponding OpenVPN server is running on an IPCop firewall with the ZERINA plugin. The client connects, gets its address and sets up the routes. Ping and UDP work in both directions. (Pings up to 5000 bytes, perhaps more, but because of the unstable UMTS link...)

But TCP connections over the tunnel are broken in both directions.

For example a traced HTTP request to the board:
1st packet: TCP  p->80 [SYN]
2nd packet: TCP  80->p [SYN, ACK]
3rd packet: TCP  p->80 [ACK]
4th packet: HTTP p->80 GET / HTTP/1.1
5th packet: TCP  80->p [RST]

As can be seen, the 3-way handshake works and the first HTTP packet is transported, but the connection ends because of the TCP reset.
This is the same for other TCP services and clients. I get such a trace on both sides of the connection (tun0 on the mips system and ethX on the OpenVPN server side).

This is the most frequent case, but sometimes connections are possible, although quite unstable, and on the next try it's broken again.

The curiosity is: when I set up port forwarding to a server behind it (NAT masqueraded), the TCP connection to that server doesn't break. Connections in the other direction are possible too. I reach rates of about 15 kByte/s.

An OpenVPN client on another system which uses the same configuration works fully correctly, even when it uses the same UMTS link (routed by the mips system).

I tried TCP tunnels and other MTU values and many TCP servers and clients. I tried to build up the tunnel over ethernet instead of over the internet, other OpenVPN servers on other hosts, recompiled the kernel without netfilter, flushed the tables and turned on only masquerading. I replaced the tunnel driver with a new one from a 2.4.32 kernel. More than a week of work... It's always the same...

I don't know where the bug could be:

OpenVPN: it works with routed connections
tun: UDP, ping and routing are working
iptables: routed TCP works, and when I don't use it... same problem
TCP: works well on other interfaces (ethX, ppp0, lo)
MTU: UDP and ping work, small TCP connections (300 byte HTTP GET) are broken too
Applications: there is more than one and they run well on other interfaces

I hope someone can help me...
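Added example, not part of the original post: when screening a longer capture for the pattern described above (handshake completes, the first client data segment is answered with a RST), it helps to classify every connection in the trace rather than read packets one by one. The script below is a small per-connection state tracker over text lines in the same shape as the poster's listing. The trace lines, port numbers and the second and third connections are constructed for the example; the verdict names are my own, and the script assumes the listing format `PROTO src->dst [FLAGS]` rather than real tcpdump output.

```python
import re
from dataclasses import dataclass

# Constructed sample trace in the shape of the listing in the post
# (port numbers and the second and third connections are made up).
SAMPLE_TRACE = [
    "TCP  41000->80 [SYN]",
    "TCP  80->41000 [SYN, ACK]",
    "TCP  41000->80 [ACK]",
    "HTTP 41000->80 GET / HTTP/1.1",
    "TCP  80->41000 [RST]",
    "TCP  41001->22 [SYN]",
    "TCP  22->41001 [SYN, ACK]",
    "TCP  41001->22 [ACK]",
    "TCP  41001->22 [PSH, ACK]",
    "TCP  22->41001 [PSH, ACK]",
    "TCP  41001->22 [FIN, ACK]",
    "TCP  22->41001 [FIN, ACK]",
    "TCP  41002->443 [SYN]",
    "TCP  443->41002 [RST, ACK]",
]

LINE_RE = re.compile(r"^(?P<proto>TCP|HTTP)\s+(?P<src>\d+)->(?P<dst>\d+)\s*(?P<rest>.*)$")
FLAGS_RE = re.compile(r"\[([^\]]*)\]")


@dataclass
class Flow:
    client: int            # port of the side that sent the first SYN
    server: int
    state: str = "SYN_SENT"
    client_data: int = 0   # payload segments seen from the client
    server_data: int = 0   # payload segments seen from the server
    verdict: str = "open"


def parse_line(line):
    """Return (src, dst, flags, carries_payload) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst = int(m.group("src")), int(m.group("dst"))
    if m.group("proto") == "HTTP":
        # An HTTP line is an application payload segment; treat it as PSH,ACK.
        return src, dst, {"PSH", "ACK"}, True
    fm = FLAGS_RE.search(m.group("rest"))
    flags = {f.strip() for f in fm.group(1).split(",")} if fm else set()
    return src, dst, flags, "PSH" in flags


def classify_trace(lines):
    """Track each connection and return {(client_port, server_port): verdict}."""
    flows = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags, payload = parsed
        if (src, dst) in flows:
            key, from_client = (src, dst), True
        elif (dst, src) in flows:
            key, from_client = (dst, src), False
        elif "SYN" in flags and "ACK" not in flags:
            flows[(src, dst)] = Flow(src, dst)   # new connection attempt
            continue
        else:
            continue                             # segment of an unseen connection
        f = flows[key]
        if f.verdict != "open":
            continue
        if "RST" in flags:
            if f.state != "ESTABLISHED":
                f.verdict = "reset_during_handshake"
            elif not from_client and f.client_data and not f.server_data:
                # Handshake done, client sent its first data, server answered with RST:
                # the pattern from the post.
                f.verdict = "reset_after_first_client_data"
            else:
                f.verdict = "reset_after_exchange"
            continue
        if f.state == "SYN_SENT" and not from_client and {"SYN", "ACK"} <= flags:
            f.state = "SYN_RECV"
        elif f.state == "SYN_RECV" and from_client and "ACK" in flags:
            f.state = "ESTABLISHED"
        if f.state == "ESTABLISHED":
            if payload:
                if from_client:
                    f.client_data += 1
                else:
                    f.server_data += 1
            if "FIN" in flags:
                f.verdict = "closed_normally"
    return {key: f.verdict for key, f in flows.items()}


def count_verdicts(lines):
    """Histogram of verdicts, handy for a quick look at a large trace."""
    counts = {}
    for verdict in classify_trace(lines).values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for key, verdict in classify_trace(SAMPLE_TRACE).items():
        print(f"{key[0]}->{key[1]}: {verdict}")
```

Run on the sample, the HTTP connection is reported as `reset_after_first_client_data`, the SSH-like one as `closed_normally` and the third as `reset_during_handshake`. If a real capture shows the first verdict for almost every connection while small UDP and ICMP pass, the next thing to compare is the size of the first data segment against the tunnel's `--tun-mtu`, `--fragment` and `--mssfix` settings on both ends, since an MSS that the tunnel cannot carry would show up exactly at that point.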
