Home / server / Questions / 194441
Accepted
Filip Ekberg
Asked: 2010-10-26 02:01:47 +0800 CST

OpenVPN connection disconnects, but SSH and Ping Works?

  • 772

I got a bit of a weird problem, I have an OpenVPN Server running on my WNDR3700 router that used DD-WRT.

Server Configuration

push "route 192.168.1.0 255.255.255.0"
server 192.168.1.0 255.255.255.0

dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

As a side note, I've also tried Bridged Mode and it results the same way!

Client Configuration

remote myserver.com 1194
client 
dev tun
proto udp 
resolv-retry infinite 
nobind 
persist-key 
persist-tun 

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

verb 3

I will use comp-lzo and cipher once the tunnel is up.

The problem is that the connection disconnects when I try to remote desktop or surf to a web-site inside the LAN on the VPN-side. But I can SSH and Ping the Server without it disconnecting. But as soon as I try to access a Website ( i.e. 192.168.1.1 the router management interface ) the Ping stops and the connection does not work anymore.

Example

ping 192.168.1.1  -n 1000
Reply from 192.168.1.1: bytes=32 time=27ms TTL=64
Reply from 192.168.1.1: bytes=32 time=27ms TTL=64
Reply from 192.168.1.1: bytes=32 time=28ms TTL=64
Request timed out.

The Time out occurs when I do "heavy" stuff over the VPN. Any suggestions how I fix this? The same setup has worked with another VPN Server Before and I can't see any weird settings.

router openvpn

3 Answers

  1. Best Answer

    looks like a MTU problem, verify by sending big-packet pings (ping -s). check packet-splitting options, when that works do turn on LZO compression (otherwise performance can take a dip). also check about advertising a smaller MTU (only works on router links, not on bridge-type links)

    edit: from OpenVPN docs:

    The usual symptom of such a breakdown is an OpenVPN connection which successfully starts, but then stalls during active usage.

    If --fragment and --mssfix are used together, --mssfix will take its default max parameter from the --fragment max option.

    Therefore, one could lower the maximum UDP packet size to 1300 (a good first try for solving MTU-related connection problems) with the following options:

    --tun-mtu 1500 --fragment 1300 --mssfix
    • 2

  2. your VPN IP range seems to be same as your internal network IP range - that is not advisable/possible:

    push "route 192.168.1.0 255.255.255.0" server 192.168.1.0 255.255.255.0

    Try choosing a different VPN IP range (e.g. server 10.8.0.0 255.255.255.0)

    HTH,

    JJK

    • 1

  3. Similar problem here. There are also others who reported problems with the DD-WRT / WNDR3700 / OpenVPN combination on the DD-WRT forum.

    I transferred my OpenVPN config from my router to a server on the LAN and it worked perfectly.

    I think it comes down to some sort of incompatibility between this router and DD-WRT / OpenVPN and there is nothing much you can do unfortunately. What a shame.

    • 0