Topic: OpenVPN_SiteToSite

[simone686]

Hello everyone...

I have two production machines with the OpenVPN_SiteToSite contrib.
From the logs, it seems like there are problems with one of the two connections.
I'll start by saying that I've never had to fiddle with the configuration files, but I find myself having to.
I should put these values ​​in both boxes:
keepalive 10 60
tun-mtu 1500
mssfix 1360
Can anyone help me?
thanks

[ReetP]

You probably need to give us some more information.

There is no point in adding settings if you don't know what the issue is.

Are your certificates up to date?

What do your logs tell you? Something like this?

Code: [Select]

grep -i error /var/log/openvpn-s2s/openvpn-s2s.log
What does this show?

Code: [Select]

config show openvpn-s2s

[simone686]

Hi, and thanks...
I had Claude analyze the logs from both servers, and he recommended making these changes.
He believes (as I do) that there's a connectivity issue, which these changes could address.

[ReetP]

Hi, and thanks...
I had Claude analyze the logs from both servers, and he recommended making these changes.

That's probably your first mistake.

Please do NOT trust AI with a Koozali SME server. At all. It is likely to pull random nonsense. Already seen it happen. Don't do it, unless you REALLY know what you are doing. Which you don't because that is why you are here asking.

You are here amongst experts. Trust them. Or you will likely make things worse.

He believes (as I do) that there's a connectivity issue, which these changes could address.

Did you give your AI bot all your config settings for both servers, all your logs, versions etc? If not then it is guessing.

Why are you telling us what you think, instead of supplying the information we need to to try and diagnose your issue?

Tell us about your problem, not your attempts at a solution:

https://xyproblem.info/

Otherwise you are going to get yourself in a right mess and THEN still want us to try and fix it.

So far you have told us almost absolutely nothing so we can't diagnose anything.

Please, do as I asked otherwise we can't help you.

Thanks.

[Jean-Philippe Pialasse]

considering most ISP will give a MTU of 1500 forcing your tun MTU to 1500 will likely fail.

you can imagine MTU like the diameter of a pipe. and to be precise the pipe ha an internal and external diameter. 
if you want to fit a pipe inside another you need the second pipe external diameter to be smaller than the internal diameter of the bigger pipe. 

in a connexion the thickness of the pipe is the header of the protocol. If your connection uses pppoe you will already have such pipe inside the pipe and your vpn will be a third pipe inside those. 

as a resumé do not play with mtu. 

start reading the log. 

Claude is locked out of our infra because he and his friends were putting our infra down. So Claude knows nothing of SME. Do not ask Claude anything SME related.