Can't connect to HA server via VPN

Jarek_P · May 14, 2021, 7:59am

Maybe you can find a solution, because I’m totally stuck. Issue is as follow: my mobile homeassistant app (android) is able to connect to server and works well when it is connected direct to local network. When connection is established via VPN tunnel - not, app reports timeout. I did a TCPdump on my homerouter and it seems that communication is running in both directions. So why app is not working? Also I can’t open a webpage [http://IP_HA:8123] on my mobile.
And important is that only VPN session on mobile is affected, when I’m connecting through the same VPN my laptop, I’m able to open Homeassistant webpage without any problems.

Configuration of my app:

TCPdump when I’m trying to open app via VPN (10.4.4.10 is my HA server, 192.168 is a tunnel IP address of my mobile)

admin@DomwLesie:~$ sudo tcpdump -i switch0.40 -n tcp src or  dst port 8123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on switch0.40, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:09.397288 IP 192.168.100.240.49744 > 10.4.4.10.8123: Flags [S], seq 114590395, win 65535, options [mss 1260,sackOK,TS val 3980984965 ecr 0,nop,wscale 8], length 0
09:25:09.397639 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [S.], seq 2281671713, ack 114590396, win 65160, options [mss 1460,sackOK,TS val 2022935647 ecr 3980984965,nop,wscale 7], length 0
09:25:09.429495 IP 192.168.100.240.49744 > 10.4.4.10.8123: Flags [.], ack 1, win 256, options [nop,nop,TS val 3980985001 ecr 2022935647], length 0
09:25:09.450556 IP 192.168.100.240.49744 > 10.4.4.10.8123: Flags [P.], seq 1:815, ack 1, win 256, options [nop,nop,TS val 3980985001 ecr 2022935647], length 814
09:25:09.450886 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [.], ack 815, win 503, options [nop,nop,TS val 2022935700 ecr 3980985001], length 0
09:25:09.457785 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022935707 ecr 3980985001], length 164
09:25:09.457986 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 165:348, ack 815, win 503, options [nop,nop,TS val 2022935707 ecr 3980985001], length 183
09:25:09.498983 IP 192.168.100.240.49744 > 10.4.4.10.8123: Flags [.], ack 1, win 261, options [nop,nop,TS val 3980985072 ecr 2022935700,nop,nop,sack 1 {165:348}], length 0
09:25:09.517345 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022935767 ecr 3980985072], length 164
09:25:09.584439 IP 10.1.1.117.56595 > 10.4.4.10.8123: Flags [.], seq 2008508446:2008508447, ack 1981891923, win 508, length 1
09:25:09.584728 IP 10.4.4.10.8123 > 10.1.1.117.56595: Flags [.], ack 1, win 501, options [nop,nop,sack 1 {0:1}], length 0
09:25:09.757291 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022936007 ecr 3980985072], length 164
09:25:10.253332 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022936503 ecr 3980985072], length 164
09:25:11.213361 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022937463 ecr 3980985072], length 164
09:25:13.133358 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022939383 ecr 3980985072], length 164
09:25:16.941373 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022943191 ecr 3980985072], length 164
09:25:24.621346 IP 10.4.4.10.8123 > 192.168.100.240.49744: Flags [P.], seq 1:165, ack 815, win 503, options [nop,nop,TS val 2022950871 ecr 3980985072], length 164
^C
17 packets captured
17 packets received by filter
0 packets dropped by kernel

And for comparison, tcpdump done when my mobile is connected not via tunnel but just via wifi direct to local network:

admin@DomwLesie:~$ sudo tcpdump -i switch0.40 -n tcp src or  dst port 8123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on switch0.40, link-type EN10MB (Ethernet), capture size 262144 bytes
09:58:18.428950 IP 10.1.1.161.33022 > 10.4.4.10.8123: Flags [S], seq 1295579804, win 65535, options [mss 1460,sackOK,TS val 3894198981 ecr 0,nop,wscale 8], length 0
09:58:18.429381 IP 10.4.4.10.8123 > 10.1.1.161.33022: Flags [S.], seq 2000865945, ack 1295579805, win 65160, options [mss 1460,sackOK,TS val 233513785 ecr 3894198981,nop,wscale 7], length 0
09:58:18.443011 IP 10.1.1.161.33022 > 10.4.4.10.8123: Flags [.], ack 1, win 256, options [nop,nop,TS val 3894198995 ecr 233513785], length 0
09:58:18.452046 IP 10.1.1.161.33022 > 10.4.4.10.8123: Flags [P.], seq 1:688, ack 1, win 256, options [nop,nop,TS val 3894198995 ecr 233513785], length 687
09:58:18.452414 IP 10.4.4.10.8123 > 10.1.1.161.33022: Flags [.], ack 688, win 504, options [nop,nop,TS val 233513808 ecr 3894198995], length 0
09:58:18.457378 IP 10.4.4.10.8123 > 10.1.1.161.33022: Flags [P.], seq 1:165, ack 688, win 504, options [nop,nop,TS val 233513813 ecr 3894198995], length 164
09:58:18.457536 IP 10.4.4.10.8123 > 10.1.1.161.33022: Flags [P.], seq 165:678, ack 688, win 504, options [nop,nop,TS val 233513813 ecr 3894198995], length 513
09:58:18.466720 IP 10.1.1.161.33022 > 10.4.4.10.8123: Flags [.], ack 165, win 261, options [nop,nop,TS val 3894199018 ecr 233513813], length 0
09:58:18.466780 IP 10.1.1.161.33022 > 10.4.4.10.8123: Flags [.], ack 678, win 265, options [nop,nop,TS val 3894199018 ecr 233513813], length 0
09:58:18.629684 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [S], seq 3032979419, win 65535, options [mss 1460,sackOK,TS val 3894199069 ecr 0,nop,wscale 8], length 0
09:58:18.630078 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [S.], seq 3563905575, ack 3032979420, win 65160, options [mss 1460,sackOK,TS val 233513986 ecr 3894199069,nop,wscale 7], length 0
09:58:18.700418 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [.], ack 1, win 256, options [nop,nop,TS val 3894199207 ecr 233513986], length 0
09:58:18.707700 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [P.], seq 1:570, ack 1, win 256, options [nop,nop,TS val 3894199207 ecr 233513986], length 569
09:58:18.708069 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [.], ack 570, win 505, options [nop,nop,TS val 233514064 ecr 3894199207], length 0
09:58:18.711422 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [P.], seq 1:159, ack 570, win 505, options [nop,nop,TS val 233514067 ecr 3894199207], length 158
09:58:18.711657 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [.], seq 159:1607, ack 570, win 505, options [nop,nop,TS val 233514067 ecr 3894199207], length 1448
09:58:18.711669 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [P.], seq 1607:3055, ack 570, win 505, options [nop,nop,TS val 233514067 ecr 3894199207], length 1448
09:58:18.711675 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [P.], seq 3055:3454, ack 570, win 505, options [nop,nop,TS val 233514067 ecr 3894199207], length 399
09:58:18.722947 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [.], ack 159, win 261, options [nop,nop,TS val 3894199275 ecr 233514067], length 0
09:58:18.723007 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [.], ack 3055, win 283, options [nop,nop,TS val 3894199275 ecr 233514067], length 0
09:58:18.723032 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [.], ack 3454, win 295, options [nop,nop,TS val 3894199275 ecr 233514067], length 0
09:58:18.867074 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [S], seq 2549676523, win 65535, options [mss 1460,sackOK,TS val 3894199418 ecr 0,nop,wscale 8], length 0
09:58:18.867499 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [S.], seq 709483037, ack 2549676524, win 65160, options [mss 1460,sackOK,TS val 233514223 ecr 3894199418,nop,wscale 7], length 0
09:58:18.882966 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 1, win 256, options [nop,nop,TS val 3894199435 ecr 233514223], length 0
09:58:18.889532 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1:571, ack 1, win 256, options [nop,nop,TS val 3894199435 ecr 233514223], length 570
09:58:18.889896 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 571, win 505, options [nop,nop,TS val 233514245 ecr 3894199435], length 0
09:58:18.892791 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 1:293, ack 571, win 505, options [nop,nop,TS val 233514248 ecr 3894199435], length 292
09:58:18.894184 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 293:346, ack 571, win 505, options [nop,nop,TS val 233514250 ecr 3894199435], length 53
09:58:18.903042 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 293, win 261, options [nop,nop,TS val 3894199455 ecr 233514248], length 0
09:58:18.903088 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 346, win 261, options [nop,nop,TS val 3894199455 ecr 233514250], length 0
09:58:19.041802 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 571:772, ack 346, win 261, options [nop,nop,TS val 3894199592 ecr 233514250], length 201
09:58:19.042122 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 772, win 504, options [nop,nop,TS val 233514398 ecr 3894199592], length 0
09:58:19.046162 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 346:357, ack 772, win 504, options [nop,nop,TS val 233514402 ecr 3894199592], length 11
09:58:19.065048 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 357, win 261, options [nop,nop,TS val 3894199615 ecr 233514402], length 0
09:58:19.067783 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 772:826, ack 357, win 261, options [nop,nop,TS val 3894199618 ecr 233514402], length 54
09:58:19.067833 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 826:847, ack 357, win 261, options [nop,nop,TS val 3894199618 ecr 233514402], length 21
09:58:19.067852 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 847:874, ack 357, win 261, options [nop,nop,TS val 3894199618 ecr 233514402], length 27
09:58:19.067871 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 874:903, ack 357, win 261, options [nop,nop,TS val 3894199618 ecr 233514402], length 29
09:58:19.067888 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 903:919, ack 357, win 261, options [nop,nop,TS val 3894199618 ecr 233514402], length 16
09:58:19.067935 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 919:1006, ack 357, win 261, options [nop,nop,TS val 3894199618 ecr 233514402], length 87
09:58:19.067954 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1006:1022, ack 357, win 261, options [nop,nop,TS val 3894199618 ecr 233514402], length 16
09:58:19.068170 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 847, win 504, options [nop,nop,TS val 233514424 ecr 3894199618], length 0
09:58:19.068190 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 919, win 504, options [nop,nop,TS val 233514424 ecr 3894199618], length 0
09:58:19.068374 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 1123, win 504, options [nop,nop,TS val 233514424 ecr 3894199619], length 0
09:58:19.070835 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1123:1144, ack 357, win 261, options [nop,nop,TS val 3894199621 ecr 233514402], length 21
09:58:19.071075 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 1144, win 504, options [nop,nop,TS val 233514427 ecr 3894199621], length 0
09:58:19.082111 IP 10.1.1.161.33028 > 10.4.4.10.8123: Flags [S], seq 1341921909, win 65535, options [mss 1460,sackOK,TS val 3894199633 ecr 0,nop,wscale 8], length 0
09:58:19.082502 IP 10.4.4.10.8123 > 10.1.1.161.33028: Flags [S.], seq 2814444434, ack 1341921910, win 65160, options [mss 1460,sackOK,TS val 233514438 ecr 3894199633,nop,wscale 7], length 0
09:58:19.083533 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 357:404, ack 1144, win 504, options [nop,nop,TS val 233514439 ecr 3894199621], length 47
09:58:19.084654 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1144:1202, ack 357, win 261, options [nop,nop,TS val 3894199636 ecr 233514424], length 58
09:58:19.086933 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 404, win 261, options [nop,nop,TS val 3894199639 ecr 233514439], length 0
09:58:19.087319 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], seq 404:1852, ack 1202, win 504, options [nop,nop,TS val 233514443 ecr 3894199636], length 1448
09:58:19.087337 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 1852:3300, ack 1202, win 504, options [nop,nop,TS val 233514443 ecr 3894199636], length 1448
09:58:19.087495 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], seq 3300:4748, ack 1202, win 504, options [nop,nop,TS val 233514443 ecr 3894199636], length 1448
09:58:19.087502 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 4748:6196, ack 1202, win 504, options [nop,nop,TS val 233514443 ecr 3894199636], length 1448
09:58:19.087508 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 6196:6302, ack 1202, win 504, options [nop,nop,TS val 233514443 ecr 3894199636], length 106
09:58:19.087855 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 6302:6318, ack 1202, win 504, options [nop,nop,TS val 233514443 ecr 3894199636], length 16
09:58:19.088097 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 6318:6333, ack 1202, win 504, options [nop,nop,TS val 233514444 ecr 3894199636], length 15
09:58:19.088903 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 6333:7038, ack 1202, win 504, options [nop,nop,TS val 233514444 ecr 3894199636], length 705
09:58:19.089196 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 7038:7051, ack 1202, win 504, options [nop,nop,TS val 233514445 ecr 3894199636], length 13
09:58:19.089346 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 7051:7066, ack 1202, win 504, options [nop,nop,TS val 233514445 ecr 3894199636], length 15
09:58:19.094680 IP 10.1.1.161.33028 > 10.4.4.10.8123: Flags [.], ack 1, win 256, options [nop,nop,TS val 3894199639 ecr 233514438], length 0
09:58:19.095050 IP 10.1.1.161.33028 > 10.4.4.10.8123: Flags [P.], seq 1:279, ack 1, win 256, options [nop,nop,TS val 3894199639 ecr 233514438], length 278
09:58:19.095252 IP 10.4.4.10.8123 > 10.1.1.161.33028: Flags [.], ack 279, win 507, options [nop,nop,TS val 233514451 ecr 3894199639], length 0
09:58:19.097265 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 1852, win 272, options [nop,nop,TS val 3894199649 ecr 233514443], length 0
09:58:19.097554 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 7066:7812, ack 1202, win 504, options [nop,nop,TS val 233514453 ecr 3894199649], length 746
09:58:19.098769 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], seq 7812:9260, ack 1202, win 504, options [nop,nop,TS val 233514454 ecr 3894199649], length 1448
09:58:19.100439 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 3300, win 283, options [nop,nop,TS val 3894199651 ecr 233514443], length 0
09:58:19.100477 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 4748, win 295, options [nop,nop,TS val 3894199651 ecr 233514443], length 0
09:58:19.100495 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 6196, win 306, options [nop,nop,TS val 3894199651 ecr 233514443], length 0
09:58:19.100513 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 7038, win 317, options [nop,nop,TS val 3894199652 ecr 233514443], length 0
09:58:19.100769 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], seq 9260:10708, ack 1202, win 504, options [nop,nop,TS val 233514456 ecr 3894199651], length 1448
09:58:19.100778 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 10708:12156, ack 1202, win 504, options [nop,nop,TS val 233514456 ecr 3894199651], length 1448
09:58:19.100900 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], seq 12156:13604, ack 1202, win 504, options [nop,nop,TS val 233514456 ecr 3894199651], length 1448
09:58:19.100911 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 13604:15052, ack 1202, win 504, options [nop,nop,TS val 233514456 ecr 3894199651], length 1448
09:58:19.100917 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 15052:15274, ack 1202, win 504, options [nop,nop,TS val 233514456 ecr 3894199652], length 222
09:58:19.101800 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 15274:15288, ack 1202, win 504, options [nop,nop,TS val 233514457 ecr 3894199652], length 14
09:58:19.103242 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 15288:15325, ack 1202, win 504, options [nop,nop,TS val 233514459 ecr 3894199652], length 37
09:58:19.103910 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 7812, win 329, options [nop,nop,TS val 3894199653 ecr 233514445], length 0
09:58:19.103948 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 9260, win 340, options [nop,nop,TS val 3894199654 ecr 233514454], length 0
09:58:19.105572 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 12156, win 362, options [nop,nop,TS val 3894199657 ecr 233514456], length 0
09:58:19.105610 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 13604, win 374, options [nop,nop,TS val 3894199657 ecr 233514456], length 0
09:58:19.105629 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 15052, win 385, options [nop,nop,TS val 3894199657 ecr 233514456], length 0
09:58:19.105646 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 15274, win 396, options [nop,nop,TS val 3894199658 ecr 233514456], length 0
09:58:19.111565 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 15325, win 396, options [nop,nop,TS val 3894199663 ecr 233514457], length 0
09:58:19.112590 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 15325:16456, ack 1202, win 504, options [nop,nop,TS val 233514468 ecr 3894199663], length 1131
09:58:19.115794 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 16456, win 408, options [nop,nop,TS val 3894199667 ecr 233514468], length 0
09:58:19.117092 IP 10.4.4.10.8123 > 10.1.1.161.33028: Flags [P.], seq 1:166, ack 279, win 507, options [nop,nop,TS val 233514473 ecr 3894199639], length 165
09:58:19.117253 IP 10.4.4.10.8123 > 10.1.1.161.33028: Flags [.], seq 166:1614, ack 279, win 507, options [nop,nop,TS val 233514473 ecr 3894199639], length 1448
09:58:19.117263 IP 10.4.4.10.8123 > 10.1.1.161.33028: Flags [P.], seq 1614:1706, ack 279, win 507, options [nop,nop,TS val 233514473 ecr 3894199639], length 92
09:58:19.124046 IP 10.1.1.161.33028 > 10.4.4.10.8123: Flags [.], ack 166, win 261, options [nop,nop,TS val 3894199676 ecr 233514473], length 0
09:58:19.124104 IP 10.1.1.161.33028 > 10.4.4.10.8123: Flags [.], ack 1706, win 273, options [nop,nop,TS val 3894199676 ecr 233514473], length 0
09:58:19.167646 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1202:1234, ack 16456, win 408, options [nop,nop,TS val 3894199719 ecr 233514468], length 32
09:58:19.167693 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1234:1253, ack 16456, win 408, options [nop,nop,TS val 3894199720 ecr 233514468], length 19
09:58:19.168219 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 1253, win 504, options [nop,nop,TS val 233514524 ecr 3894199719], length 0
09:58:19.170439 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 16456:16473, ack 1253, win 504, options [nop,nop,TS val 233514526 ecr 3894199719], length 17
09:58:19.171143 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 16473:16738, ack 1253, win 504, options [nop,nop,TS val 233514527 ecr 3894199719], length 265
09:58:19.175253 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 16473, win 408, options [nop,nop,TS val 3894199727 ecr 233514526], length 0
09:58:19.175294 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 16738, win 419, options [nop,nop,TS val 3894199727 ecr 233514527], length 0
09:58:19.198499 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1253:1283, ack 16738, win 419, options [nop,nop,TS val 3894199750 ecr 233514527], length 30
09:58:19.198542 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1283:1326, ack 16738, win 419, options [nop,nop,TS val 3894199750 ecr 233514527], length 43
09:58:19.199021 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [.], ack 1326, win 504, options [nop,nop,TS val 233514555 ecr 3894199750], length 0
09:58:19.199846 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [P.], seq 1326:1344, ack 16738, win 419, options [nop,nop,TS val 3894199752 ecr 233514527], length 18
09:58:19.204162 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 16738:16752, ack 1344, win 504, options [nop,nop,TS val 233514560 ecr 3894199752], length 14
09:58:19.205649 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 16752:16766, ack 1344, win 504, options [nop,nop,TS val 233514561 ecr 3894199752], length 14
09:58:19.206016 IP 10.4.4.10.8123 > 10.1.1.161.33026: Flags [P.], seq 16766:17335, ack 1344, win 504, options [nop,nop,TS val 233514562 ecr 3894199752], length 569
09:58:19.211171 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 16766, win 419, options [nop,nop,TS val 3894199763 ecr 233514560], length 0
09:58:19.211213 IP 10.1.1.161.33026 > 10.4.4.10.8123: Flags [.], ack 17335, win 430, options [nop,nop,TS val 3894199763 ecr 233514562], length 0
09:58:19.484637 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [P.], seq 570:1359, ack 3454, win 295, options [nop,nop,TS val 3894199867 ecr 233514067], length 789
09:58:19.484981 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [.], ack 1359, win 501, options [nop,nop,TS val 233514840 ecr 3894199867], length 0
09:58:19.508582 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [P.], seq 3454:3631, ack 1359, win 501, options [nop,nop,TS val 233514864 ecr 3894199867], length 177
09:58:19.508694 IP 10.4.4.10.8123 > 10.1.1.161.33024: Flags [P.], seq 3631:4656, ack 1359, win 501, options [nop,nop,TS val 233514864 ecr 3894199867], length 1025
09:58:19.518267 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [.], ack 3631, win 306, options [nop,nop,TS val 3894200067 ecr 233514864], length 0
09:58:19.518323 IP 10.1.1.161.33024 > 10.4.4.10.8123: Flags [.], ack 4656, win 317, options [nop,nop,TS val 3894200067 ecr 233514864], length 0
^C
114 packets captured
122 packets received by filter
8 packets dropped by kernel

All other my stuff works well via this VPN, only HA server is affected.

Jarek_P · May 14, 2021, 3:51pm

As additional info: I requested about help also on Ubiquiti community, the same dumps, and here is a reply which I’ve got:

SYN packet goes to 10.4.4.10.8123 , and has mss =1260.

Somehow , VPN client software or ER changed the default mss from 1460 to 1260…which is fine.

But host 10.4.4.10 answers with mss value = 1460 ! afaik, it should use lowest size from received SYN and its own Max.

Now remote VPN client thinks it can send large packets , having mss=1460 , MTU=1500 , and these won’t fit your VPN

Any idea, what can I fix such issue?

georgk111 · August 26, 2023, 5:06am

Had a similar Problem with HA and VPN: access via http://LOCAL_IP:8123 possible, but not via VPN_IP. After reading these pages found out that MTU on serverside was 48000 (?! had been installed to optimize throughput on large files and worked for this purpose).
Fri Aug 25 14:51:11 2023 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1553', remote='link-mtu 48000'
After putting the line “mssfix 1420” in openvpn client.conf also http://VPN_IP:8123 worked! Thanks for that input.