1

I have the following setup:

Machine 1 -> Home router -> Internet -> Mobile hotspot -> Machine 2

Machine 1 is running an OpenVPN server on UDP port 1194 and SSH on port 2022. I want to SSH from Machine 2 to Machine 1.

My home router has a static IP assigned to it by the ISP and I have enabled port forwarding for UDP port 1194 from router to machine 1.

I am able to connect to OpenVPN and get following IPs - Machine 1 (10.8.0.1), Machine 2 (10.8.0.6). Both machines are able to ping each other.

I have also opened the firewall on machine 1. Following is the UFW output.

myuser@pc-arch:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----                    
[ 1] 1194/udp                   ALLOW IN    Anywhere                  
[ 2] 2022/tcp                   ALLOW IN    10.8.0.6          
[ 3] 1194/udp (v6)              ALLOW IN    Anywhere (v6)

However when I try to SSH using ssh -vvv -p 2022 [email protected], it gets stuck and then timeouts.

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.8.0.1 port 2022

SSHD logs from machine 1:
Apr 17 13:21:18 pc-arch sshd[938]: Timeout before authentication for connection from 10.8.0.6 to 10.8.0.1, pid = 1175711

Following are my server and client configurations for OpenVPN:

server 10.8.0.0 255.255.255.0
dev tun
proto udp
port 1194

# Privileges
user openvpn
group openvpn

# Notify clients when server is restarted server to reconnect quickly
explicit-exit-notify 1

# Ping every 60s, restart if no data received for 5 minutes
keepalive 60 300

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/local.crt
key /etc/openvpn/server/local.key
dh /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/ta.key

client
remote <static public IP> 1194
dev tun

user openvpn
group openvpn

ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/local.crt
key /etc/openvpn/client/local.key
tls-crypt /etc/openvpn/server/ta.key
Improve this question
5
  • temporarily disable ufw and test again, while also verifying the routing Commented Apr 17 at 9:01
  • What is your VPN tun interface MTU? Do you allow ICMP packets both ways (outside and inside the VPN)? Commented Apr 17 at 10:20
  • 1
    Looks like the MTU is 1600 based on the OpenVPN server logs 2025-04-17 14:20:56 106.224.138.253:37117 peer info: IV_MTU=1600. I am going to guess ICMP is allowed since ping works both on the VPN and in my LAN. I can also ping my router from outside. Commented Apr 17 at 10:35
  • Out of curiosity: how do you get a static public IP on a mobile hotspot? Commented Apr 17 at 18:46
  • @tink no idea. I don't have that in my setup. Commented Jul 12 at 21:06

1 Answer 1

Reset to default
2

I solved this by adding tun-mtu 1400 to both OpenVPN server and client configurations.

Improve this answer
1
  • Yes, a hang on the step after OpenSSH's default KEXINIT, which is quite large, is typically due to (P)MTU. It can be masked by selecting short values (lists) for one or more of KexAlgorithms Ciphers MACs HostKeyAlgorithms which makes the KEXINIT smaller, but this may fail later. Basically dupe unix.stackexchange.com/questions/722954/… and cross serverfault.com/questions/210408/… Commented Jul 12 at 23:51

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.