OpenVPN

Charles Duffy <cduffy@...> writes:
>I goofed: It should be "dhcp-option" (singular), not "dhcp-options"
>(plural).

OK, that took care of that error, but not the problem. The client went all
the way to:
"initialization Sequence Completed"
and then the log was flodded with
"write UDPv4: No buffer space available (code=55)"

I believe that is basically the same error reported by Ralf Hildebrandt. I
commented out the DOMAIN line, but got the same results. I then commented
out the DNS line and was back to square 1. Jon suggested pushing fewer
routes, but my config only has one route. Angelo suggested it had
something to do with up/down scripts and asked about tap/tun ... my confs
seem to indicate I'm using tun. 

BTW: Thank you for your time and attention.

Charles Duffy <cduffy@...> writes:
>I believe it's rc1 of tunnelblick which my MacOS-based users are 
>(happily) using;

Hey! That worked! I had to "spoof" the download address from the
tunnelblick page to find rc1:
http://www.tunnelblick.net/Tunnelblick_3.0_rc1.zip
and deleted the rc2 and installed the rc1 and, ta-da, along with the push
additions to server.conf on IPCop, FQDN's on the private network worked
fine. Good that the previous release had not been removed from the
directory.

So, obviously something changed between Tunnelblick 3.0rc1 and 3.0rc2 that
breaks the triangle with Zerina and OpenVPN with respect to DNS. 

Folks cc'd at Zerina and Tunnelblick - the full thread can be found in the
OpenVPN archives. Of course, when IPCop goes to 1.5 this may all be moot
... but in the interim i will be nice not to have to type IP addresses
when on the move.

Thanks Charles!

Lawrence Bean wrote:
> Although I connect fine, still no go on fqdn. I can't seem to figure out
> how to copy the Tunnelblick client log or find where it is kept on the
> client machine, but in the display I see:
> 
> -----
> PUSH: Received control message: 'PUSH_REPLY
> Options error: Unrecognized option or missing parameter(s) in
> [PUSH-OPTIONS]:2 dhcp-options (2.0.5)
> Options error: Unrecognized option or missing parameter(s) in
> [PUSH-OPTIONS]:3 dhcp-options (2.0.5)
> -----

I goofed: It should be "dhcp-option" (singular), not "dhcp-options" 
(plural).

Garry Dunn wrote:
> I've searched the archives and couldn't find any answers to my
> situation.  Here goes:
> 
> I've got OpenVPN (2.0.5) running on a Linux server (Slackware) and
> connect to it with various Windows XP & 2000 computers.  Samba is
> running on that server.  I have an application which runs on the Windows
> computer, but uses the Borland/Paradox database engine to get files off
> a mapped drive on the server (through the VPN).  That application runs
> slow (4 minutes to get a password prompt).
> 
> If I copy files (large and/or small) through the tunnel using the
> Windows Explorer I get roughly 35kBytes/sec throughput.  If I do the
> same files through an FTP interface (still through the tunnel), I get
> closer to 85kBytes/sec.  A ping takes 85ms.
> 
> For fun, I copied the files to a different server I have access to (also
> running Slackware/Samba/OpenVPN).  That server shows 85kBytes/sec
> through the FTP interface AND the Windows Explorer interface.  A ping
> takes 22ms (its physically much closer to me--only 100km instead of
> 2500km).  The application runs OK on that server (30 seconds to get the
> password prompt).
> 
> Based on the reading I've done, Samba is a 'chatty' interface so it
> could be greatly effected by the longer latency.  I've tried both
> version 2 and 3 of Samba and there was virtually no difference.
> 
> What's really nagging me is that the first test I did of the system
> worked great (30 seconds to the password prompt).  I left the system
> alone for a couple of months since it wasn't needed right then.  Now
> that I've gotten back to it, its running slow.
> 
> Anyone have any ideas?

Fragmentation ?

cheers

Erich

Erich Titl wrote:
> Fragmentation ?

I forgot to mention that part.  I played with:

	mssfix = 1420 (and 1400 and 1300 and 1000)

Same (bad) results for all 4 settings.

Thanks for the quick reply.

Garry

I just tried my luck at accessing samba shares via VPN (I use UDP).=20
The password prompt showed up within 10 seconds and i was able to copy
file to and from with ease.



On 4/28/06, Garry Dunn <garry@...> wrote:
> I've searched the archives and couldn't find any answers to my
> situation.  Here goes:
>
> I've got OpenVPN (2.0.5) running on a Linux server (Slackware) and
> connect to it with various Windows XP & 2000 computers.  Samba is
> running on that server.  I have an application which runs on the Windows
> computer, but uses the Borland/Paradox database engine to get files off
> a mapped drive on the server (through the VPN).  That application runs
> slow (4 minutes to get a password prompt).
>
> If I copy files (large and/or small) through the tunnel using the
> Windows Explorer I get roughly 35kBytes/sec throughput.  If I do the
> same files through an FTP interface (still through the tunnel), I get
> closer to 85kBytes/sec.  A ping takes 85ms.
>
> For fun, I copied the files to a different server I have access to (also
> running Slackware/Samba/OpenVPN).  That server shows 85kBytes/sec
> through the FTP interface AND the Windows Explorer interface.  A ping
> takes 22ms (its physically much closer to me--only 100km instead of
> 2500km).  The application runs OK on that server (30 seconds to get the
> password prompt).
>
> Based on the reading I've done, Samba is a 'chatty' interface so it
> could be greatly effected by the longer latency.  I've tried both
> version 2 and 3 of Samba and there was virtually no difference.
>
> What's really nagging me is that the first test I did of the system
> worked great (30 seconds to the password prompt).  I left the system
> alone for a couple of months since it wasn't needed right then.  Now
> that I've gotten back to it, its running slow.
>
> Anyone have any ideas?
>
>
> -------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job ea=
sier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronim=
o
> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D120709&bid=3D263057&dat=
=3D121642
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>

Jim Drash wrote:
> I just tried my luck at accessing samba shares via VPN (I use UDP). The 
> password prompt showed up within 10 seconds and i was able to copy
> file to and from with ease.

That's about the same as what I see for the Samba password (I'm using 
UDP too).

The password that is trouble is the one for the application I'm running 
through Samba.  That one takes 30 seconds on the (85kB/sec & 22ms ping) 
physically close link and 4 minutes on the (35kB/sec & 85ms ping) 
physically distant link.

Can you check throughput of the Windows interface (Explorer) copying a 
bunch of files (I did 40MB) vs. FTP of the same files?  That's where I 
see 1/2 the throughput.  I can't explain why FTP through the tunnel is 
85kBytes/sec but Samba is 35kBytes/sec.

The tunnel does work (no errors logged in OpenVPN or Samba).  It just 
works really slow.

Garry Dunn wrote:
> Erich Titl wrote:
> 
>> Fragmentation ?
> 
> 
> I forgot to mention that part.  I played with:
> 
>     mssfix = 1420 (and 1400 and 1300 and 1000)
> 
> Same (bad) results for all 4 settings.

I would have expected some change in the numbers.

Have you been able to verify those settings, e.g. have the packets 
actually been of different size?

Just a bad case of paranoia I guess :-(

cheers

Erich

Lawrence Bean wrote:
> -----
> #OpenVPN Server conf
> tls-client
> client
> dev tun
> proto udp
> remote [myFirewall] 1194
> pkcs12 [myCertificate].p12
> cipher BF-CBC
> comp-lzo
> verb 3
> -----

(This is clearly the client configuration, contrary to the comment at 
the top)

> Tunnelblick connects quickly and
> neatly, but when connected using "FirstClass.u47.k12.me.us" eventually
> times out and I have to replace it with the private IP address to get a
> connection.

Is your server pushing appropriate options? You should have something 
like this in your server's configuration:

push "dhcp-options DOMAIN u47.k12.me.us"
push "dhcp-options DNS your.dns.ip.address"

* Charles Duffy <cduffy@...>:

> >OK, we're using Tunnelblick, not a bare-bone openvpn binary.
>=20
> The 2.x branch of Tunnelblick, right? Use the 3.x version; it sets up=20
> DNS correctly out-of-the-box.

You da man. Will try that tomorrow morning first thing.

--=20
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@....=
de
Charite - Universit=E4tsmedizin Berlin            Tel.  +49 (0)30-450 570=
-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-9=
62
IT-Zentrum Standort CBF                 send no mail to spamtrap@....=
de

* Ralf Hildebrandt <Ralf.Hildebrandt@...>:
> * Charles Duffy <cduffy@...>:
>=20
> > >OK, we're using Tunnelblick, not a bare-bone openvpn binary.
> >=20
> > The 2.x branch of Tunnelblick, right? Use the 3.x version; it sets up=
=20
> > DNS correctly out-of-the-box.
>=20
> You da man. Will try that tomorrow morning first thing.

Uhhh, it's awful. I tried RC2, and it's giving me
"write UDP4: No buffer space available (code=3D55)"
errors once the interface is up and the routes have been set.

--=20
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@....=
de
Charite - Universit=E4tsmedizin Berlin            Tel.  +49 (0)30-450 570=
-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-9=
62
IT-Zentrum Standort CBF                 send no mail to spamtrap@....=
de

Den fredag 28.apr kl. 13:23 skrev Ralf Hildebrandt:

> * Ralf Hildebrandt <Ralf.Hildebrandt@...>:
>> * Charles Duffy <cduffy@...>:
>>
>>>> OK, we're using Tunnelblick, not a bare-bone openvpn binary.
>>>
>>> The 2.x branch of Tunnelblick, right? Use the 3.x version; it  
>>> sets up
>>> DNS correctly out-of-the-box.
>>
>> You da man. Will try that tomorrow morning first thing.
>
> Uhhh, it's awful. I tried RC2, and it's giving me
> "write UDP4: No buffer space available (code=55)"
> errors once the interface is up and the routes have been set.

oh yeah i got that one as well, but damned if i remember how i fixed it.
Try pushing fewer routes.



JonB

* Jon Bendtsen <jon.bendtsen@...>:

> oh yeah i got that one as well, but damned if i remember how i fixed it=
.
> Try pushing fewer routes.

Good point, but we have that many networks :(

--=20
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@....=
de
Charite - Universit=E4tsmedizin Berlin            Tel.  +49 (0)30-450 570=
-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-9=
62
IT-Zentrum Standort CBF                 send no mail to spamtrap@....=
de

Den fredag 28.apr kl. 14:06 skrev Ralf Hildebrandt:

> * Jon Bendtsen <jon.bendtsen@...>:
>
>> oh yeah i got that one as well, but damned if i remember how i  
>> fixed it.
>> Try pushing fewer routes.
>
> Good point, but we have that many networks :(

And none of them can be forced together?

like all of 192.168.0.0/16 ?
10.0.0.0/8

??

Hi,

On Apr 28, 2006, at 1:23 PM, Ralf Hildebrandt wrote:
>
> Uhhh, it's awful. I tried RC2, and it's giving me
> "write UDP4: No buffer space available (code=55)"
> errors once the interface is up and the routes have been set.

I think it has something to do with the up/down scripts that are  
setting the DNS Server. They seem to have some unwanted side effects.  
I'm gonna have to experiment with these a little bit more.

Are you using the tun or tap device?

Angelo

* Angelo Laub <al@...>:

> >Uhhh, it's awful. I tried RC2, and it's giving me
> >"write UDP4: No buffer space available (code=3D55)"
> >errors once the interface is up and the routes have been set.
>=20
> I think it has something to do with the up/down scripts that are =20
> setting the DNS Server. They seem to have some unwanted side effects. =20
> I'm gonna have to experiment with these a little bit more.
>=20
> Are you using the tun or tap device?

/dev/tun0

--=20
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@....=
de
Charite - Universit=E4tsmedizin Berlin            Tel.  +49 (0)30-450 570=
-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-9=
62
IT-Zentrum Standort CBF                 send no mail to spamtrap@....=
de