Weird Issue with OpenVPN on Mobile Networks

Hey everyone, I wanted to share a strange issue I ran into with OpenVPN, hoping it helps anyone facing the same frustration.

What Happened:

  • I’ve been using OpenVPN for over a year without any problems, but recently, I started having issues when connecting over a mobile network. Sometimes, my SSH connection would just hang at debug1: expecting SSH2_MSG_KEX_ECDH_REPLY, but if I connected using Wi-Fi, it worked fine. :thinking:
  • The real kicker? This issue wasn’t consistent! Sometimes it worked on mobile, other times it didn’t. It was driving me nuts!
  • It wasn’t just SSH either. I also had trouble accessing my server http://10.8.0.1:37680 through an NGINX proxy when on the mobile network. Again, Wi-Fi worked perfectly, and so did curl from the command line. But if I tried to access the same address through a browser, it just wouldn’t load on mobile. Weird, right?
  • Oh, and just to add to the confusion, it wasn’t a problem with SSH itself. If I connected directly to the server over the mobile network without using OpenVPN, SSH worked just fine. It only became an issue when using OpenVPN with the mobile network.

What I Found Out:

  • Turns out, this was all due to differences in how mobile networks handle VPN traffic, especially when it comes to packet sizes. Mobile networks can be pretty strict with this stuff, and it seems like the packets were getting fragmented or dropped during the process.
  • After digging around and testing a bunch of stuff, I found that adjusting the MTU (Maximum Transmission Unit) and MSS (Maximum Segment Size) on the OpenVPN server was the key.

The Fix:

  • Here’s what I added to my OpenVPN server configuration:

    tun-mtu 1400
    mssfix 1360
    
  • This made sure that the packet sizes were adjusted properly before going through the tunnel, so they didn’t get messed up by the mobile network’s limits.

  • What’s cool is that I didn’t even need to set these values on the client—just doing it on the server was enough to fix the problem for all clients connected through the VPN.

SSH Workaround:

  • I’ve used this server-side fix, as a temporary workaround for the SSH issue:
    • Using this command with an extra option fixed the SSH hang:

      ssh -o KexAlgorithms=ecdh-sha2-nistp521 user@server
      
    • This forces SSH to use a specific key exchange algorithm, which seemed to play nicer with the VPN over the mobile network. It’s not ideal, but it got me through until I could adjust the server settings.

    • And remember, SSH was fine directly over the mobile network—this issue only popped up when using OpenVPN.

Why This Was So Annoying:

  • The issue wasn’t consistent! It sometimes worked fine over mobile, and other times it just wouldn’t. It made troubleshooting super confusing because I couldn’t tell if it was fixed or just in one of its “working” phases.
  • Plus, it only started happening recently. For a year, I had zero problems with this setup. But one day, the connection just decided to get picky about mobile networks. :sweat_smile:

So, if you’re dealing with flaky VPN connections on mobile networks, try tweaking the MTU and MSS on the server. It might save you a few headaches! And if you’re stuck with SSH hanging, give the -o KexAlgorithms option a shot—it’s not a permanent fix but can help in a pinch.

Hope this helps someone out there!