Everything seems to be configured correctly, but I can't ping across the tunnel

Make sure that your options match on both sides of the connection. See below for more info.

Some connection problems are caused by incompatible crypto, compression, or MTU options on either side of the tunnel. If you use any of the following options on one side of the connection, make sure that it is matched exactly on the other side (a few of them, noted below, are matched by their counterpart rather than by an identical value):

  • --cipher
  • --auth
  • --keysize
  • --dev tun|tap [unit number need not match]
  • --dev-type tun|tap
  • --link-mtu
  • --udp-mtu
  • --tun-mtu
  • --no-replay
  • --no-iv
  • --comp-lzo
  • --fragment
  • --tun-ipv6
  • --tls-auth
  • --secret
  • --key-method
  • --tls-client [matched with --tls-server on the other end of the connection]
  • --tls-server [matched with --tls-client on the other end of the connection]
  • --ifconfig x y [matched with --ifconfig y x on the other end of the connection]
  • --proto udp
  • --proto tcp-client [matched with --proto tcp-server on the other end of the connection]
  • --proto tcp-server [matched with --proto tcp-client on the other end of the connection]
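Checking a long list like this by eye is error-prone, so the following is an added example (not OpenVPN project code) that parses two plain-text OpenVPN config files and reports every option from the list above that does not match. It handles the three kinds of rule the list contains: identical values, the unit number of --dev being ignored, and mirrored pairs (--tls-client/--tls-server, --proto tcp-client/tcp-server, --ifconfig x y/y x). Assumptions: --tls-auth and --secret are compared by presence only, since the key file path differs per host while the key material must still be identical; a bare `proto tcp` is not mapped and is therefore reported as a mismatch; the sample configs at the bottom are constructed for the demonstration.

```python
"""Added example: report options that must agree on both ends of an OpenVPN tunnel."""
import shlex

# Options whose values must be identical on both sides.
IDENTICAL = ("cipher", "auth", "keysize", "dev-type", "link-mtu", "udp-mtu",
             "tun-mtu", "no-replay", "no-iv", "comp-lzo", "fragment",
             "tun-ipv6", "key-method")
# Key-file options: compared by presence only (assumption; paths differ per host,
# the key contents must still be the same on both sides).
PRESENCE_ONLY = ("tls-auth", "secret")
# An option on one end must be answered by its counterpart on the other end.
MIRRORED = {"tls-client": "tls-server", "tls-server": "tls-client"}
PROTO_PEER = {"udp": "udp", "tcp-client": "tcp-server", "tcp-server": "tcp-client"}


def parse_config(text):
    """Return {option: [args]}; last occurrence wins, # and ; comments and
    inline <ca>...</ca>-style blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        words = shlex.split(line, comments=True)
        if words:
            opts[words[0].lstrip("-")] = words[1:]
    return opts


def dev_type(opts):
    """Explicit --dev-type, else the type inferred from --dev (unit number ignored)."""
    if "dev-type" in opts:
        return opts["dev-type"][0]
    dev = opts.get("dev", [None])[0]
    if dev is None:
        return None
    return next((t for t in ("tun", "tap") if dev.startswith(t)), dev)


def _show(args):
    return "unset" if args is None else (" ".join(args) or "(flag)")


def check_match(local_text, remote_text):
    """Return human-readable mismatches; an empty list means the sides agree."""
    a, b = parse_config(local_text), parse_config(remote_text)
    problems = []
    for name in IDENTICAL:
        if a.get(name) != b.get(name):
            problems.append(f"--{name}: {_show(a.get(name))} vs {_show(b.get(name))}")
    for name in PRESENCE_ONLY:
        if (name in a) != (name in b):
            problems.append(f"--{name}: present on one side only")
    if dev_type(a) != dev_type(b):
        problems.append(f"--dev type: {dev_type(a)} vs {dev_type(b)} (tun and tap cannot be mixed)")
    for name, peer in MIRRORED.items():
        if (name in a) != (peer in b):
            problems.append(f"--{name} on one end requires --{peer} on the other")
    # --proto defaults to udp; tcp-client on one end pairs with tcp-server on the other.
    pa, pb = a.get("proto", ["udp"])[0], b.get("proto", ["udp"])[0]
    if PROTO_PEER.get(pa) != pb:
        problems.append(f"--proto: {pa} vs {pb}")
    # --ifconfig x y on one end must be --ifconfig y x on the other.
    ia, ib = a.get("ifconfig"), b.get("ifconfig")
    if bool(ia) != bool(ib):
        problems.append("--ifconfig: set on one side only")
    elif ia and ia[:2] != list(reversed(ib[:2])):
        problems.append(f"--ifconfig: {' '.join(ia)} vs {' '.join(ib)} (not mirrored)")
    return problems


# Constructed sample configs: the client uses a different cipher and lacks --comp-lzo.
SERVER_CONF = """\
dev tun0
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
cipher AES-256-CBC
auth SHA256
comp-lzo
tun-mtu 1500
"""
CLIENT_CONF = """\
dev tun
proto udp
ifconfig 10.8.0.2 10.8.0.1
secret /home/user/static.key
cipher AES-128-CBC
auth SHA256
tun-mtu 1500
"""

if __name__ == "__main__":
    for p in check_match(SERVER_CONF, CLIENT_CONF) or ["no mismatches found"]:
        print(p)
```

Run it against your own files with `check_match(open("server.conf").read(), open("client.conf").read())`; with the constructed samples it reports the cipher difference and the missing --comp-lzo, and nothing else, because `dev tun0` and `dev tun` share a device type and the two --ifconfig lines are mirrored.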

It is also useful to try to isolate the problem, e.g. is the crypto support working independently of the networking code? You can test this with:

openvpn --genkey --secret key
openvpn --test-crypto --secret key

Other loopback tests are presented in the INSTALL file.

Many connectivity problems start at the firewall. For example, if an OpenVPN daemon is tunneling data to and from a given TUN or TAP virtual adapter, a firewall rule must be present to permit incoming traffic on that TUN/TAP adapter (and, if the host routes tunnel traffic on to other machines, a matching rule in the FORWARD chain as well). On a Linux iptables-based firewall you can enable incoming packets on a TUN device with this command:

iptables -A INPUT -i tun+ -j ACCEPT

or similarly you can enable incoming packets on a TAP device:

iptables -A INPUT -i tap+ -j ACCEPT

tcpdump or Wireshark are also very useful tools for troubleshooting connection problems. tcpdump can be used to show encrypted tunnel traffic transiting OpenVPN's UDP port:

tcpdump -i eth0 udp port 1194

The above example assumes that your connection to the internet is via eth0, and that you are using UDP port 1194 as the tunnel port (the default). Running this on both ends at once tells you quickly whether packets that leave one side ever arrive at the other; if they do not, the problem lies in the network or firewall between the two hosts rather than in OpenVPN itself. tcpdump can also be used to show unencrypted traffic on OpenVPN's virtual TUN/TAP device:

tcpdump -i tun0

In the above example, replace tun0 with the name of the TUN/TAP device. ifconfig (or ip addr on current Linux systems) can be used to show active network devices, both real and virtual. Also, note that you cannot mix --dev tun and --dev tap on different ends of the connection. Use one or the other consistently. If you are connecting different versions of OpenVPN, check the compatibility page.


Last modified on 04/30/16 13:12:19