Openssh does not work over openvpn

OpenWrt 23.05.5, installed OpenVPN, tested ping, works, yay. Now, trying to ssh, and it does not work - a few packets are exchanged and then it stops, and I cannot make sense of the tcpdump dumps.
So, the server is some debian9 in the cloud (I can ssh to it via its external IP and record tcpdump of tun0), and the client is openwrt + openssh-client. Both tcpdumps are below; first I try ssh, then I try ping, both operations from openwrt with 10.8.0.6.
Have I missed something like "tcp window"? The firewall seems to be permissive enough :-/
Thanks,

This was recorded on the openwrt:

|No.|Time|Source|Destination|Protocol|Length|Info|
|---|---|---|---|---|---|---|
|1|0.000000|10.8.0.6|10.8.0.1|TCP|60|57792 → 22 [SYN] Seq=0 Win=64240 Len=0 MSS=1283 SACK_PERM TSval=1925004202 TSecr=0 WS=128|
|2|0.000057|10.8.0.1|10.8.0.6|TCP|60|22 → 57792 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM TSval=1514919437 TSecr=1925004202 WS=256|
|3|0.483018|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=1925004686 TSecr=1514919437|
|4|0.492311|10.8.0.1|10.8.0.6|SSHv2|93|Server: Protocol (SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2)|
|5|0.744758|10.8.0.6|10.8.0.1|SSHv2|73|Client: Protocol (SSH-2.0-OpenSSH_9.8)|
|6|0.744841|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=42 Ack=22 Win=29184 Len=0 TSval=1514920182 TSecr=1925004686|
|7|0.990790|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [ACK] Seq=22 Ack=42 Win=64256 Len=0 TSval=1925004947 TSecr=1514919929|
|8|0.990838|10.8.0.1|10.8.0.6|SSHv2|1132|Server: Key Exchange Init|
|9|0.990884|10.8.0.6|10.8.0.1|TCP|1323|57792 → 22 [ACK] Seq=22 Ack=42 Win=64256 Len=1271 TSval=1925004947 TSecr=1514919929 [TCP PDU reassembled in 11]|
|10|0.990905|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=1122 Ack=1293 Win=32000 Len=0 TSval=1514920428 TSecr=1925004947|
|11|1.240001|10.8.0.6|10.8.0.1|SSHv2|317|Client: Key Exchange Init|
|12|1.240032|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=1122 Ack=1558 Win=34560 Len=0 TSval=1514920677 TSecr=1925005193|
|13|1.962400|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080 TSval=1514921400 TSecr=1925005193|
|14|3.418402|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080 TSval=1514922856 TSecr=1925005193|
|15|6.322408|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080 TSval=1514925760 TSecr=1925005193|
|16|9.676685|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [FIN, ACK] Seq=1558 Ack=42 Win=64256 Len=0 TSval=1925013879 TSecr=1514920182|
|17|9.677968|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [FIN, ACK] Seq=1122 Ack=1559 Win=34560 Len=0 TSval=1514929115 TSecr=1925013879|
|18|9.913579|10.8.0.6|10.8.0.1|TCP|40|57792 → 22 [RST] Seq=1559 Win=0 Len=0|
|19|14.175934|10.8.0.6|10.8.0.1|ICMP|84|Echo (ping) request  id=0x6255, seq=0/0, ttl=64 (reply in 20)|
|20|14.175989|10.8.0.1|10.8.0.6|ICMP|84|Echo (ping) reply    id=0x6255, seq=0/0, ttl=64 (request in 19)|
|21|15.176420|10.8.0.6|10.8.0.1|ICMP|84|Echo (ping) request  id=0x6255, seq=1/256, ttl=64 (reply in 22)|
|22|15.176460|10.8.0.1|10.8.0.6|ICMP|84|Echo (ping) reply    id=0x6255, seq=1/256, ttl=64 (request in 21)|

This is from the server:

|No.|Time|Source|Destination|Protocol|Length|Info|
|---|---|---|---|---|---|---|
|1|0.000000|10.8.0.6|10.8.0.1|TCP|60|57792 → 22 [SYN] Seq=0 Win=64240 Len=0 MSS=1283 SACK_PERM TSval=1925004202 TSecr=0 WS=128|
|2|0.000057|10.8.0.1|10.8.0.6|TCP|60|22 → 57792 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM TSval=1514919437 TSecr=1925004202 WS=256|
|3|0.483018|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=1925004686 TSecr=1514919437|
|4|0.492311|10.8.0.1|10.8.0.6|SSHv2|93|Server: Protocol (SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2)|
|5|0.744758|10.8.0.6|10.8.0.1|SSHv2|73|Client: Protocol (SSH-2.0-OpenSSH_9.8)|
|6|0.744841|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=42 Ack=22 Win=29184 Len=0 TSval=1514920182 TSecr=1925004686|
|7|0.990790|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [ACK] Seq=22 Ack=42 Win=64256 Len=0 TSval=1925004947 TSecr=1514919929|
|8|0.990838|10.8.0.1|10.8.0.6|SSHv2|1132|Server: Key Exchange Init|
|9|0.990884|10.8.0.6|10.8.0.1|TCP|1323|57792 → 22 [ACK] Seq=22 Ack=42 Win=64256 Len=1271 TSval=1925004947 TSecr=1514919929 [TCP PDU reassembled in 11]|
|10|0.990905|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=1122 Ack=1293 Win=32000 Len=0 TSval=1514920428 TSecr=1925004947|
|11|1.240001|10.8.0.6|10.8.0.1|SSHv2|317|Client: Key Exchange Init|
|12|1.240032|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=1122 Ack=1558 Win=34560 Len=0 TSval=1514920677 TSecr=1925005193|
|13|1.962400|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080 TSval=1514921400 TSecr=1925005193|
|14|3.418402|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080 TSval=1514922856 TSecr=1925005193|
|15|6.322408|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080 TSval=1514925760 TSecr=1925005193|
|16|9.676685|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [FIN, ACK] Seq=1558 Ack=42 Win=64256 Len=0 TSval=1925013879 TSecr=1514920182|
|17|9.677968|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [FIN, ACK] Seq=1122 Ack=1559 Win=34560 Len=0 TSval=1514929115 TSecr=1925013879|
|18|9.913579|10.8.0.6|10.8.0.1|TCP|40|57792 → 22 [RST] Seq=1559 Win=0 Len=0|
|19|14.175934|10.8.0.6|10.8.0.1|ICMP|84|Echo (ping) request  id=0x6255, seq=0/0, ttl=64 (reply in 20)|
|20|14.175989|10.8.0.1|10.8.0.6|ICMP|84|Echo (ping) reply    id=0x6255, seq=0/0, ttl=64 (request in 19)|
|21|15.176420|10.8.0.6|10.8.0.1|ICMP|84|Echo (ping) request  id=0x6255, seq=1/256, ttl=64 (reply in 22)|
|22|15.176460|10.8.0.1|10.8.0.6|ICMP|84|Echo (ping) reply    id=0x6255, seq=1/256, ttl=64 (request in 21)|
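
An added example, not from the thread, that reads rows of the pipe-table capture above and reports which data segments were retransmitted without the peer ever acknowledging them; the rows embedded below are an abridged copy of the OpenWrt-side TCP rows (timestamp options dropped):

```python
import re
from collections import defaultdict

# Abridged rows from the capture posted above (columns: No., Time, Source,
# Destination, Protocol, Length, Info). TSval/TSecr fields were dropped.
CAPTURE = """
|7|0.990790|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [ACK] Seq=22 Ack=42 Win=64256 Len=0|
|9|0.990884|10.8.0.6|10.8.0.1|TCP|1323|57792 → 22 [ACK] Seq=22 Ack=42 Win=64256 Len=1271|
|10|0.990905|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=1122 Ack=1293 Win=32000 Len=0|
|12|1.240032|10.8.0.1|10.8.0.6|TCP|52|22 → 57792 [ACK] Seq=1122 Ack=1558 Win=34560 Len=0|
|13|1.962400|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080|
|14|3.418402|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080|
|15|6.322408|10.8.0.1|10.8.0.6|TCP|1132|[TCP Retransmission] 22 → 57792 [PSH, ACK] Seq=42 Ack=1558 Win=34560 Len=1080|
|16|9.676685|10.8.0.6|10.8.0.1|TCP|52|57792 → 22 [FIN, ACK] Seq=1558 Ack=42 Win=64256 Len=0|
"""

ROW = re.compile(r"^\|(\d+)\|([\d.]+)\|([\d.]+)\|([\d.]+)\|TCP\|\d+\|(.*)\|$")
FIELD = re.compile(r"\b(Seq|Ack|Len)=(\d+)")


def parse_rows(text):
    """Return (frame, src, dst, seq, ack, len, retransmitted) for each TCP row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip SSHv2/ICMP rows, which carry no Seq/Ack/Len fields
        frame, _time, src, dst, info = m.groups()
        f = {k: int(v) for k, v in FIELD.findall(info)}
        rows.append((int(frame), src, dst, f["Seq"], f["Ack"], f["Len"],
                     "[TCP Retransmission]" in info))
    return rows


def find_stuck_segments(rows):
    """Map (src, dst, seq, len) -> times sent, for data the peer never acked."""
    max_ack = defaultdict(int)  # highest Ack carried in each (src, dst) direction
    sent = defaultdict(int)     # how often each data segment appeared on the wire
    for _frame, src, dst, seq, ack, length, _retrans in rows:
        max_ack[(src, dst)] = max(max_ack[(src, dst)], ack)
        if length > 0:
            sent[(src, dst, seq, length)] += 1
    # A segment src->dst is delivered once dst's Ack reaches seq+len.
    return {key: n for key, n in sent.items()
            if max_ack[(key[1], key[0])] < key[2] + key[3]}


def report(text):
    """Human-readable summary of segments that were sent but never acknowledged."""
    return [f"{src} -> {dst}: {length} bytes at Seq={seq} sent {n}x, never acked"
            for (src, dst, seq, length), n in find_stuck_segments(parse_rows(text)).items()]


if __name__ == "__main__":
    print("\n".join(report(CAPTURE)))
```

On this capture the client's 1271-byte segment is acknowledged, while the server's 1080-byte Key Exchange Init at Seq=42 is sent three times and the client's Ack never moves past 42, so only the large server-to-client segment is being lost inside the tunnel.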

Can you ssh from OpenWrt over the internet to the Debian? It is not clear if you successfully connect to Debian from OpenWrt or from some workstation.
My guess is that it cannot connect because they cannot agree on encryption algorithms, as the Debian version is quite old.

Yes, ssh via the internet does work, so neither the server nor the client version is the problem; I suspect [TCP Retransmission] is.

aaaahhhhh, this is why they say "comp-lzo" is known to cause problems. I disabled it on both ends and voila, ssh works.

Compression is deprecated and will be removed in future OpenVPN releases; it is unsafe and does not really help.

yeah, I saw that but I did not realize it breaks very basic things :-/