SSH is timing out when connecting through OpenVPN

I have setup OpenVPN server in routing mode. When I try connect via SSH to my VPN server it hangs up at:

ssh -i .ssh/mpolitaev_mba [email protected] -vvv
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 97: Deprecated option "useroaming"
debug1: /etc/ssh/ssh_config line 105: Applying options for *
debug2: resolving "192.168.200.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.200.1 [192.168.200.1] port 22.
debug1: Connection established.
debug1: identity file .ssh/mpolitaev_mba type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/mpolitaev_mba-cert type -1
debug1: identity file /Users/mpolitaev/.ssh/aws_prod type 2
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mpolitaev/.ssh/aws_prod-cert type -1
debug1: identity file /Users/mpolitaev/.ssh/aws_dev type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mpolitaev/.ssh/aws_dev-cert type -1
debug1: identity file /Users/mpolitaev/.ssh/rackspace type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/mpolitaev/.ssh/rackspace-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.200.1:22 as 'mpolitaev'
debug3: hostkeys_foreach: reading file "/dev/null"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection to 192.168.200.1 port 22 timed out

My guess the packets comes from VPN server are broken due to tcpdump's log on my local laptop:

13:55:01.147863 IP (tos 0x0, ttl 64, id 27443, offset 0, flags [DF], proto TCP (6), length 64)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [S], cksum 0xf9bb (correct), seq 3468332659, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 901043415 ecr 0,sackOK,eol], length 0
13:55:01.206537 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [S.], cksum 0x167a (correct), seq 1112662382, ack 3468332660, win 14480, options [mss 1288,sackOK,TS val 174689830 ecr 901043415,nop,wscale 7], length 0
13:55:01.206616 IP (tos 0x0, ttl 64, id 2145, offset 0, flags [DF], proto TCP (6), length 52)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6ce5 (correct), seq 1, ack 1, win 4107, options [nop,nop,TS val 901043473 ecr 174689830], length 0
13:55:01.211397 IP (tos 0x0, ttl 64, id 27582, offset 0, flags [DF], proto TCP (6), length 73)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0xa91b (correct), seq 1:22, ack 1, win 4107, options [nop,nop,TS val 901043477 ecr 174689830], length 21
13:55:01.269790 IP (tos 0x0, ttl 64, id 28464, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7c27 (correct), seq 1, ack 22, win 114, options [nop,nop,TS val 174689892 ecr 901043477], length 0
13:55:01.370906 IP (tos 0x0, ttl 64, id 28465, offset 0, flags [DF], proto TCP (6), length 73)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0xbafe (correct), seq 1:22, ack 22, win 114, options [nop,nop,TS val 174689991 ecr 901043477], length 21
13:55:01.370968 IP (tos 0x0, ttl 64, id 25885, offset 0, flags [DF], proto TCP (6), length 52)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6b7a (correct), seq 22, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 0
13:55:01.371771 IP (tos 0x0, ttl 64, id 52837, offset 0, flags [DF], proto TCP (6), length 1328)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0xb35c (correct), seq 22:1298, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 1276
13:55:01.371850 IP (tos 0x0, ttl 64, id 51514, offset 0, flags [DF], proto TCP (6), length 208)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0x9a41 (correct), seq 1298:1454, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 156
13:55:01.427768 IP5
13:55:01.442396 IP (tos 0x0, ttl 64, id 28467, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7278 (correct), seq 862, ack 1298, win 136, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.442563 IP (tos 0x0, ttl 64, id 28468, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x71c8 (correct), seq 862, ack 1454, win 156, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.686620 IP5
13:55:02.198083 IP5
13:55:03.226019 IP5
13:55:05.284218 IP5
13:55:09.644658 IP5
13:55:17.633380 IP5
13:55:34.225695 IP5
13:56:06.963920 IP5
13:57:01.368988 IP (tos 0x0, ttl 64, id 28477, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [F.], cksum 0x9d44 (correct), seq 862, ack 1454, win 156, options [nop,nop,TS val 174809992 ecr 901043634], length 0
13:57:01.369106 IP (tos 0x0, ttl 64, id 4567, offset 0, flags [DF], proto TCP (6), length 64)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x0e83 (correct), seq 1454, ack 22, win 4106, options [nop,nop,TS val 901163195 ecr 174689991,nop,nop,sack 1 {862:863}], length 0

What is mean "IP5"?

From server side:

tcpdump -i tun1 -nn -vv
tcpdump: listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
13:55:01.226101 IP (tos 0x0, ttl 64, id 27443, offset 0, flags [DF], proto TCP (6), length 64)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [S], cksum 0xfa67 (correct), seq 3468332659, win 65535, options [mss 1288,nop,wscale 5,nop,nop,TS val 901043415 ecr 0,sackOK,eol], length 0
13:55:01.226120 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [S.], cksum 0x15ce (correct), seq 1112662382, ack 3468332660, win 14480, options [mss 1460,sackOK,TS val 174689830 ecr 901043415,nop,wscale 7], length 0
13:55:01.282564 IP (tos 0x0, ttl 64, id 2145, offset 0, flags [DF], proto TCP (6), length 52)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6ce5 (correct), seq 1, ack 1, win 4107, options [nop,nop,TS val 901043473 ecr 174689830], length 0
13:55:01.287821 IP (tos 0x0, ttl 64, id 27582, offset 0, flags [DF], proto TCP (6), length 73)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0xa91b (correct), seq 1:22, ack 1, win 4107, options [nop,nop,TS val 901043477 ecr 174689830], length 21
13:55:01.287829 IP (tos 0x0, ttl 64, id 28464, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7c27 (correct), seq 1, ack 22, win 114, options [nop,nop,TS val 174689892 ecr 901043477], length 0
13:55:01.387274 IP (tos 0x0, ttl 64, id 28465, offset 0, flags [DF], proto TCP (6), length 73)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0xbafe (correct), seq 1:22, ack 22, win 114, options [nop,nop,TS val 174689991 ecr 901043477], length 21
13:55:01.446675 IP (tos 0x0, ttl 64, id 25885, offset 0, flags [DF], proto TCP (6), length 52)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0x6b7a (correct), seq 22, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 0
13:55:01.446684 IP (tos 0x0, ttl 64, id 28466, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x76dc (correct), seq 22:862, ack 22, win 114, options [nop,nop,TS val 174690051 ecr 901043634], length 840
13:55:01.450341 IP (tos 0x0, ttl 64, id 52837, offset 0, flags [DF], proto TCP (6), length 1328)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [.], cksum 0xb35c (correct), seq 22:1298, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 1276
13:55:01.450348 IP (tos 0x0, ttl 64, id 28467, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x7278 (correct), seq 862, ack 1298, win 136, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.450356 IP (tos 0x0, ttl 64, id 51514, offset 0, flags [DF], proto TCP (6), length 208)
    10.54.108.6.54922 > 192.168.200.1.22: Flags [P.], cksum 0x9a41 (correct), seq 1298:1454, ack 22, win 4106, options [nop,nop,TS val 901043634 ecr 174689991], length 156
13:55:01.450359 IP (tos 0x0, ttl 64, id 28468, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [.], cksum 0x71c8 (correct), seq 862, ack 1454, win 156, options [nop,nop,TS val 174690055 ecr 901043634], length 0
13:55:01.703311 IP (tos 0x0, ttl 64, id 28469, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x7019 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174690308 ecr 901043634], length 840
13:55:02.217306 IP (tos 0x0, ttl 64, id 28470, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x6e17 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174690822 ecr 901043634], length 840
13:55:03.245283 IP (tos 0x0, ttl 64, id 28471, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x6a13 (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174691850 ecr 901043634], length 840
13:55:05.301311 IP (tos 0x0, ttl 64, id 28472, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x620b (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174693906 ecr 901043634], length 840
13:55:09.413283 IP (tos 0x0, ttl 64, id 28473, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x51fb (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174698018 ecr 901043634], length 840
13:55:17.637285 IP (tos 0x0, ttl 64, id 28474, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0x31db (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174706242 ecr 901043634], length 840
13:55:34.085309 IP (tos 0x0, ttl 64, id 28475, offset 0, flags [DF], proto TCP (6), length 892)
    192.168.200.1.22 > 10.54.108.6.54922: Flags [P.], cksum 0xf19a (correct), seq 22:862, ack 1454, win 156, options [nop,nop,TS val 174722690 ecr 901043634], length 840

While ping to 192.168.200.1 is ok. I thought that large packet can't pass VPN tunnel but see large (1276) packet on my local pc comes from VPN server, while smaller (892) packets didn't reach my laptop.

Where the issue can be?


Solution 1:

The cause was in new generation type of compression. I have disable it and ssh login ok.