Google Cloud Platform: why my GCP regional TCP load balancer can't connect to my target group

I am trying to put a GCP regional TCP load balancer in front of my service. My service exposes port 7933. And I can get a response from the IP address of my service server.

The configuration is based on this article.

https://cloud.google.com/community/tutorials/modular-load-balancing-with-terraform

But I don't know why the load balancer rejects my connection. I can confirm my service is active (because I can get a response from the server IP).

I also made this TCP load balancer work before selecting session affinity with the IP and client protocol. But I don't know why it doesn't work at all after one day.

Also, my firewall rule is fine and Cloud Armor is not selected.

My configuration in GCP (this service still cannot provide status verification)

network: why do firewalls focus on tcp and udp?

To use a different protocol, your program must be able to open such a socket.

In general, only TCP and UDP sockets can be opened by non-system programs.

When you try to open, e.g., an ICMP socket as non-root, it will simply fail. And even if you could, the most likely outcome is that the network stack simply does not know what to do with its packets and drops them on receipt.

Nor will routers route these packets to you.

So, there is no attack or exfiltration surface here, because someone capable of opening a socket other than TCP or UDP can also reconfigure the firewall running on the same computer.

Typically, routers do not forward packets that are not TCP or UDP, so it is a kind of inherent "discard all" firewall. ICMP is an exception, but it is also quite well covered by firewalls.

There are some special protocols (SCTP comes to mind) that are in use and are neither TCP nor UDP, but honestly, when you configure your computer to allow a non-superuser to open those sockets, you could also add specific rules to your firewall to allow those packets in: it is likely that a backbone network is operating.

Game server: I created a TCP server-client connection, but it only works if both the server and the client are on the same machine. Any ideas?

So I want to start by saying that I am a complete beginner in terms of networks.

I am creating a game in C++, using SFML for networking (both the server and the client are in C++ with SFML). I successfully created a server-client connection and can send packets from one to the other, but it only works when the server and the client are on the same machine (or behind the same Internet connection (router)).

What I would like to achieve is a server on my machine that, once started, can accept connections from my friends' clients (who are not on the same router).

I tried to forward the port I am using from the PC on which the server is running, but it does not seem to work.

Any ideas?

c# – Unit testing an asynchronous TCP server

I created a multi-client asynchronous TCP server for RPC use. It is working fine, but I have found it difficult to unit-test certain behaviours:

  1. Connect 2x clients; is the client count 2?
  2. Connect 1x client, disconnect the client; is the client count zero?

I want to prove that the server is robust in handling disconnections and multiple connections. The following test fails only because of scheduling.

Unit test

        [TestMethod]
        public void Start_TwoConnections_ClientsIsTwo()
        {
            var handler = new HandlerStub();
            using (server = new APIServer(handler))   // 'server' and 'port' are assumed to be test-class fields
            using (var client1 = new TcpClient())
            using (var client2 = new TcpClient())
            {
                server.Start();
                client1.Connect(IPAddress.Loopback, port);
                client2.Connect(IPAddress.Loopback, port);
                // Connect() returns as soon as the TCP handshake completes, which can be
                // before the server's accept loop has registered the connection.
                // await Task.Delay(500); <-- This will fix the problem, but is surely unreliable.
                Assert.AreEqual(2, server.Clients);
            }
        }

Server fragment

        public void Start()
        {
            // Root try-catch, for unexpected errors
            try
            {
                server = new TcpListener(IPAddress.Loopback, 8352);
                IsRunning = true;
                do // Retry loop
                {
                    // Start server errors
                    try
                    {
                        server.Start();
                        // Accept loop runs in the background; Start() returns without
                        // waiting for any connection to be accepted.
                        var task = Task.Run(AcceptConnections);
                    }
                    catch (SocketException ex)
                    {
                        Console.WriteLine(string.Format("Error {0}: Failed to start server.", ex.ErrorCode));
                    }
                }
                while (!server.Server.IsBound && !IsDisposed);
            }
            catch (Exception ex)
            {
                IsRunning = false;
                Console.WriteLine(string.Format("Unexpected Error: {0}", ex.ToString()));
                throw; // rethrow without resetting the stack trace ('throw ex;' would)
            }
        }

        private async Task AcceptConnections()
        {
            try
            {
                // Multi-client listener loop
                do
                {
                    var connection = await AcceptConnection();
                    connections.Add(connection);   // Clients count becomes visible here
                }
                while (!IsDisposed && IsRunning);
            }
            catch (SocketException ex)
            {
                Console.WriteLine(string.Format("Error {0}: Server socket error.", ex.ErrorCode));
                CleanupConnections();
            }
        }

How can this code be refactored to improve its testability?
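The race in the test above is that Connect() returns when the handshake completes, while the count is only updated later inside the accept loop. The usual fix is to give the server a synchronisation point the test can await, rather than a sleep. The following is an added example, not the question's C# code: a small asyncio server (hypothetical CountingServer class) that updates its client count under an asyncio.Condition and offers wait_for_clients(n), so a test can block until the accept loop has really registered or dropped a connection, with a timeout instead of a fixed delay.

```python
import asyncio


class CountingServer:
    """Toy asyncio TCP server (hypothetical, not the question's APIServer).

    It tracks live connections and exposes wait_for_clients(), so a test can
    block until the accept loop has actually registered a connection instead
    of sleeping for an arbitrary 500 ms.
    """

    def __init__(self, host="127.0.0.1", port=0):
        self.host = host
        self.port = port          # 0 = let the OS pick a free port
        self._server = None
        self._clients = set()
        self._changed = None      # asyncio.Condition, created on the running loop

    @property
    def clients(self):
        return len(self._clients)

    async def start(self):
        self._changed = asyncio.Condition()
        self._server = await asyncio.start_server(self._handle, self.host, self.port)
        self.port = self._server.sockets[0].getsockname()[1]

    async def _handle(self, reader, writer):
        # Register the connection and wake anyone waiting on the count.
        async with self._changed:
            self._clients.add(writer)
            self._changed.notify_all()
        try:
            # Stay here until the peer closes (read() returns b"" on EOF).
            while await reader.read(1024):
                pass
        finally:
            writer.close()
            async with self._changed:
                self._clients.discard(writer)
                self._changed.notify_all()

    async def wait_for_clients(self, n, timeout=2.0):
        """Block until exactly n clients are registered, or raise TimeoutError."""
        async with self._changed:
            await asyncio.wait_for(
                self._changed.wait_for(lambda: self.clients == n), timeout)
        return self.clients

    async def close(self):
        self._server.close()
        await self._server.wait_closed()


async def _scenario():
    """Connect two clients, then disconnect them one at a time."""
    server = CountingServer()
    await server.start()
    observed = []
    _, w1 = await asyncio.open_connection(server.host, server.port)
    _, w2 = await asyncio.open_connection(server.host, server.port)
    observed.append(await server.wait_for_clients(2))   # both accepted
    w1.close()
    await w1.wait_closed()
    observed.append(await server.wait_for_clients(1))   # one dropped
    w2.close()
    await w2.wait_closed()
    observed.append(await server.wait_for_clients(0))   # back to idle
    await server.close()
    return observed


def run_scenario():
    """Run the scenario on a fresh event loop; returns [2, 1, 0]."""
    return asyncio.run(_scenario())


if __name__ == "__main__":
    print(run_scenario())
```

The same shape carries over to the C# server: have the accept loop signal an event (or complete a TaskCompletionSource) after it adds to `connections`, expose an `await server.WaitForClientsAsync(2, timeout)` on the server, and make the test method `async Task`. A bounded wait fails loudly when the accept loop is broken, where `Task.Delay(500)` would sometimes pass and sometimes not.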

ssh – TCP tunnel application that runs from USB

I need to find a TCP tunneler that runs from USB. I need to be able to tunnel from my school's library PC (yes, I am allowed to) to my home PC and run SFTP through that tunnel.

According to my ISP, they block the ssh and RDP service on their edge routers due to so much abuse in my state. BUT I am allowed to use tunnels to access my files in accordance with their policies and the USA.

I wanted to try OpenVPN or Hamachi, but neither one runs from a USB drive; they require some kind of administrator rights.

Therefore, I need a TCP tunneler that does not use SSH as its connection method and runs from USB, so that I can SSH to my home machine to fetch homework files without the edge router blocking it. I know that all the port forwarding works because I have other servers that work fine, but the ISP blocks SSH and RDP. I have confirmed this by calling them.

Is there any such thing? Changing ISP is not an option, I do not have control of that in my apartment … someone else does :] So I have to work with what I have haha.

My system:
Win 10
16 GB of RAM
5 TB HDD
Bitvise SSH Server

Thank you

network: TCP reset attack / fake TCP reset prevention

How do you prevent someone from performing a TCP reset attack between the client and the host without accessing the host?

I am trying to solve a CTF for fun and learning purposes.
In one of the challenges I establish a connection with a server that starts sending me TCP packets, but I am interrupted by a third party that sends what appears to be a fake TCP reset. I receive an RST, ACK and the packets stop arriving.

I have tried DROPping and REJECTing the RST packet without success, using the following command:

iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

Is there any way I can neutralise the attacker who is trying to prevent communication between the host and me?
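The iptables rule above drops every inbound RST, legitimate ones included, and it still does not help if the spoofed segment is accepted by the stack before the filter matters. What the receiving end can actually do is validate the RST: RFC 5961 (which modern Linux kernels implement; the related rate-limit knob net.ipv4.tcp_challenge_ack_limit appears in the sysctl dump further down this page) only tears the connection down when the RST's sequence number is exactly RCV.NXT, answers a merely in-window RST with a challenge ACK, and ignores anything out of window. A blind, off-path sender then has to hit one value in 2^32 instead of one in the receive window. The block below is an added example, not part of the question: it models that check (hypothetical classify_rst / Receiver names) against the window size seen in the SYNs elsewhere on this page (29200 with wscale 7), and compares it with the older RFC 793 behaviour.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd) with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2 handling of an incoming RST on an established connection.

    seq == RCV.NXT       -> 'reset'          (tear the connection down)
    otherwise in-window  -> 'challenge-ack'  (send an ACK, keep the connection)
    out of window        -> 'drop'           (ignore silently)
    """
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def legacy_classify_rst(seq, rcv_nxt, rcv_wnd):
    """Pre-RFC-5961 behaviour (RFC 793): any in-window RST resets the connection."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


class Receiver:
    """Minimal connection state: just enough to see which RSTs tear it down."""

    def __init__(self, rcv_nxt, rcv_wnd, strict=True):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.classify = classify_rst if strict else legacy_classify_rst
        self.state = "ESTABLISHED"
        self.challenge_acks = 0

    def on_rst(self, seq):
        if self.state != "ESTABLISHED":
            return "ignored"          # already closed, nothing left to reset
        verdict = self.classify(seq, self.rcv_nxt, self.rcv_wnd)
        if verdict == "reset":
            self.state = "CLOSED"
        elif verdict == "challenge-ack":
            self.challenge_acks += 1
        return verdict


def compare_receivers(rcv_nxt, rcv_wnd, seqs):
    """Feed the same RST sequence numbers to a strict and a legacy receiver."""
    strict = Receiver(rcv_nxt, rcv_wnd, strict=True)
    legacy = Receiver(rcv_nxt, rcv_wnd, strict=False)
    return {
        "strict": [strict.on_rst(s) for s in seqs],
        "legacy": [legacy.on_rst(s) for s in seqs],
        "strict_state": strict.state,
        "legacy_state": legacy.state,
        "challenge_acks": strict.challenge_acks,
    }


def demo():
    """Constructed scenario: window of 29200 << 7 bytes, RSTs at chosen offsets."""
    rcv_nxt = 3731769873          # ISN from the page's SYN, plus one
    rcv_wnd = 29200 << 7          # advertised window scaled by wscale 7
    offsets = [-1, 1, 1000, rcv_wnd - 1, rcv_wnd, 1 << 31, 0]
    seqs = [(rcv_nxt + d) % MOD for d in offsets]
    return compare_receivers(rcv_nxt, rcv_wnd, seqs)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In the demo only the final, exact-sequence RST closes the strict receiver, while the legacy one is gone at the first in-window guess. The limitation is just as visible: a sender who can observe the stream (on-path) knows RCV.NXT and the check does not help; for that case the protections live elsewhere, such as TCP-AO (RFC 5925) or IPsec, which authenticate segments including RSTs.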



networks – TCP/IP: no SYN/ACK response from the dedicated server 'OVH kimsufi' after the client sends SYN to port 873 (rsyncd)

An rsync or telnet test from the client does not reach the remote socket:

 # telnet 1.1.1.1 873
 Trying 1.1.1.1...

If I try other ports, such as 80, 443 or ssh, everything works fine!

tcptraceroute 1.1.1.1 873 hangs at the last router and does not reach my server (on port 80 it works too).


rsync -avP --debug=ALL 1.1.1.1::etc /tmp
opening tcp connection to ovh port 873

telnet:

telnet 1.1.1.1 873
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
@RSYNCD: 31.0

rsync.conf:

port = 873
max connections=4
use chroot = yes
lock file = /var/lock/rsyncd
read only = no
list = yes
uid = root
gid = root
hosts allow = 2.2.2.2
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
strict modes = no
#motd file=/etc/motd
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log

netstat

# netstat -nptl | grep :873
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN      16898/rsync         
tcp6       0      0 :::873                  :::*                    LISTEN      16898/rsync

ipv4

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

ipv6

# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

test netcat on port 873:

# netcat 0.0.0.0 873
@RSYNCD: 31.0

If I try tcpdump, I get SYN from the client (telnet or rsync):

# tcpdump port 873
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:06:10.237078 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996733675 ecr 0,nop,wscale 7], length 0
02:06:11.247448 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996733928 ecr 0,nop,wscale 7], length 0
02:06:13.263389 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996734432 ecr 0,nop,wscale 7], length 0
02:06:17.487448 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996735488 ecr 0,nop,wscale 7], length 0
02:06:25.679471 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996737536 ecr 0,nop,wscale 7], length 0

sysctl network:

# sysctl -a | grep '^net.' | grep -v ipv6
net.core.bpf_jit_enable = 0
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 0
net.core.bpf_jit_limit = 264241152
net.core.busy_poll = 0
net.core.busy_read = 0
net.core.default_qdisc = pfifo_fast
net.core.dev_weight = 64
net.core.dev_weight_rx_bias = 1
net.core.dev_weight_tx_bias = 1
net.core.fb_tunnels_only_for_init_net = 0
net.core.flow_limit_cpu_bitmap = 0
net.core.flow_limit_table_len = 4096
net.core.max_skb_frags = 17
net.core.message_burst = 10
net.core.message_cost = 5
net.core.netdev_budget = 300
net.core.netdev_budget_usecs = 2000
net.core.netdev_max_backlog = 1000
net.core.netdev_rss_key = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
net.core.netdev_tstamp_prequeue = 1
net.core.optmem_max = 20480
net.core.rmem_default = 212992
net.core.rmem_max = 212992
net.core.rps_sock_flow_entries = 0
net.core.somaxconn = 1024
net.core.tstamp_allow_data = 1
net.core.warnings = 0
net.core.wmem_default = 212992
net.core.wmem_max = 212992
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.drop_gratuitous_arp = 0
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.all.ignore_routes_with_linkdown = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.default.accept_local = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_notify = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.disable_policy = 0
net.ipv4.conf.default.disable_xfrm = 0
net.ipv4.conf.default.drop_gratuitous_arp = 0
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.default.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.default.ignore_routes_with_linkdown = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.promote_secondaries = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.default.route_localnet = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.src_valid_mark = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.eth0.accept_local = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth0.arp_accept = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_notify = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.bootp_relay = 0
net.ipv4.conf.eth0.disable_policy = 0
net.ipv4.conf.eth0.disable_xfrm = 0
net.ipv4.conf.eth0.drop_gratuitous_arp = 0
net.ipv4.conf.eth0.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.eth0.force_igmp_version = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.eth0.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.eth0.ignore_routes_with_linkdown = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.medium_id = 0
net.ipv4.conf.eth0.promote_secondaries = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.eth0.route_localnet = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.shared_media = 1
net.ipv4.conf.eth0.src_valid_mark = 0
net.ipv4.conf.eth0.tag = 0
net.ipv4.conf.lo.accept_local = 0
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_notify = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.drop_gratuitous_arp = 0
net.ipv4.conf.lo.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.lo.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.lo.ignore_routes_with_linkdown = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.promote_secondaries = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.lo.route_localnet = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.src_valid_mark = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.fib_multipath_hash_policy = 0
net.ipv4.fib_multipath_use_neigh = 0
net.ipv4.fwmark_reflect = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_msgs_burst = 50
net.ipv4.icmp_msgs_per_sec = 1000
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
net.ipv4.igmp_link_local_mcast_reports = 1
net.ipv4.igmp_max_memberships = 20
net.ipv4.igmp_max_msf = 10
net.ipv4.igmp_qrv = 2
net.ipv4.inet_peer_maxttl = 600
net.ipv4.inet_peer_minttl = 120
net.ipv4.inet_peer_threshold = 65664
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_dynaddr = 0
net.ipv4.ip_early_demux = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.ip_local_port_range = 32768    60999
net.ipv4.ip_local_reserved_ports = 
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_nonlocal_bind = 0
net.ipv4.ip_unprivileged_port_start = 1024
net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv4.ipfrag_max_dist = 64
net.ipv4.ipfrag_secret_interval = 0
net.ipv4.ipfrag_time = 30
net.ipv4.neigh.default.anycast_delay = 100
net.ipv4.neigh.default.app_solicit = 0
net.ipv4.neigh.default.base_reachable_time_ms = 30000
net.ipv4.neigh.default.delay_first_probe_time = 5
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.neigh.default.locktime = 100
net.ipv4.neigh.default.mcast_resolicit = 0
net.ipv4.neigh.default.mcast_solicit = 3
net.ipv4.neigh.default.proxy_delay = 80
net.ipv4.neigh.default.proxy_qlen = 64
net.ipv4.neigh.default.retrans_time_ms = 1000
net.ipv4.neigh.default.ucast_solicit = 3
net.ipv4.neigh.default.unres_qlen = 101
net.ipv4.neigh.default.unres_qlen_bytes = 212992
net.ipv4.neigh.eth0.anycast_delay = 100
net.ipv4.neigh.eth0.app_solicit = 0
net.ipv4.neigh.eth0.base_reachable_time_ms = 30000
net.ipv4.neigh.eth0.delay_first_probe_time = 5
net.ipv4.neigh.eth0.gc_stale_time = 60
net.ipv4.neigh.eth0.locktime = 100
net.ipv4.neigh.eth0.mcast_resolicit = 0
net.ipv4.neigh.eth0.mcast_solicit = 3
net.ipv4.neigh.eth0.proxy_delay = 80
net.ipv4.neigh.eth0.proxy_qlen = 64
net.ipv4.neigh.eth0.retrans_time_ms = 1000
net.ipv4.neigh.eth0.ucast_solicit = 3
net.ipv4.neigh.eth0.unres_qlen = 101
net.ipv4.neigh.eth0.unres_qlen_bytes = 212992
net.ipv4.neigh.lo.anycast_delay = 100
net.ipv4.neigh.lo.app_solicit = 0
net.ipv4.neigh.lo.base_reachable_time_ms = 30000
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.gc_stale_time = 60
net.ipv4.neigh.lo.locktime = 100
net.ipv4.neigh.lo.mcast_resolicit = 0
net.ipv4.neigh.lo.mcast_solicit = 3
net.ipv4.neigh.lo.proxy_delay = 80
net.ipv4.neigh.lo.proxy_qlen = 64
net.ipv4.neigh.lo.retrans_time_ms = 1000
net.ipv4.neigh.lo.ucast_solicit = 3
net.ipv4.neigh.lo.unres_qlen = 101
net.ipv4.neigh.lo.unres_qlen_bytes = 212992
net.ipv4.ping_group_range = 1   0
net.ipv4.route.error_burst = 1250
net.ipv4.route.error_cost = 250
net.ipv4.route.gc_elasticity = 8
net.ipv4.route.gc_interval = 60
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.gc_min_interval_ms = 500
net.ipv4.route.gc_thresh = -1
net.ipv4.route.gc_timeout = 300
net.ipv4.route.max_size = 2147483647
net.ipv4.route.min_adv_mss = 256
net.ipv4.route.min_pmtu = 552
net.ipv4.route.mtu_expires = 600
net.ipv4.route.redirect_load = 5
net.ipv4.route.redirect_number = 9
net.ipv4.route.redirect_silence = 5120
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_adv_win_scale = 1
net.ipv4.tcp_allowed_congestion_control = reno cubic
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_autocorking = 1
net.ipv4.tcp_available_congestion_control = reno cubic
net.ipv4.tcp_available_ulp = 
net.ipv4.tcp_base_mss = 1024
net.ipv4.tcp_challenge_ack_limit = 1000
net.ipv4.tcp_comp_sack_delay_ns = 1000000
net.ipv4.tcp_comp_sack_nr = 44
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_early_demux = 1
net.ipv4.tcp_early_retrans = 3
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_ecn_fallback = 1
net.ipv4.tcp_fack = 0
net.ipv4.tcp_fastopen = 1
net.ipv4.tcp_fastopen_blackhole_timeout_sec = 3600
net.ipv4.tcp_fastopen_key = 798c9188-b1cbc7d0-67527e7c-78e0042e
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_frto = 2
net.ipv4.tcp_fwmark_accept = 0
net.ipv4.tcp_invalid_ratelimit = 500
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_l3mdev_accept = 0
net.ipv4.tcp_limit_output_bytes = 262144
net.ipv4.tcp_low_latency = 0
net.ipv4.tcp_max_orphans = 8192
net.ipv4.tcp_max_reordering = 300
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_max_tw_buckets = 8192
net.ipv4.tcp_mem = 22467    29957   44934
net.ipv4.tcp_min_rtt_wlen = 300
net.ipv4.tcp_min_snd_mss = 48
net.ipv4.tcp_min_tso_segs = 2
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_mtu_probing = 0
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.tcp_notsent_lowat = 4294967295
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_pacing_ca_ratio = 120
net.ipv4.tcp_pacing_ss_ratio = 200
net.ipv4.tcp_probe_interval = 600
net.ipv4.tcp_probe_threshold = 8
net.ipv4.tcp_recovery = 1
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_rmem = 4096    87380   6291456
net.ipv4.tcp_sack = 1
net.ipv4.tcp_slow_start_after_idle = 1
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_thin_linear_timeouts = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tso_win_divisor = 3
net.ipv4.tcp_tw_reuse = 2
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 4096    16384   4194304
net.ipv4.tcp_workaround_signed_windows = 0
net.ipv4.udp_early_demux = 1
net.ipv4.udp_l3mdev_accept = 0
net.ipv4.udp_mem = 44934    59914   89868
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_wmem_min = 4096
net.ipv4.xfrm4_gc_thresh = 32768
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_buckets = 16384
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 15
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_expect_max = 256
net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
net.netfilter.nf_conntrack_frag6_timeout = 60
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_helper = 0
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_log.0 = NONE
net.netfilter.nf_log.1 = NONE
net.netfilter.nf_log.10 = NONE
net.netfilter.nf_log.11 = NONE
net.netfilter.nf_log.12 = NONE
net.netfilter.nf_log.2 = nfnetlink_log
net.netfilter.nf_log.3 = NONE
net.netfilter.nf_log.4 = NONE
net.netfilter.nf_log.5 = NONE
net.netfilter.nf_log.6 = NONE
net.netfilter.nf_log.7 = NONE
net.netfilter.nf_log.8 = NONE
net.netfilter.nf_log.9 = NONE
net.netfilter.nf_log_all_netns = 0
net.nf_conntrack_max = 65536
net.unix.max_dgram_qlen = 512

If I turn off rsync and run:

# netcat -l -p 873

and run from the client:

# telnet 1.1.1.1 873
Trying 1.1.1.1...

the problem is still there: no response from the server (so it is not an rsync problem but a TCP/IP one).

Any clue?

Another problem, in parallel, is that ICMP does not respond either, even with the firewall disabled.
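The capture in the question already narrows the problem: the server sees the client's SYN repeatedly (the same seq number, retransmitted with TCP's growing backoff), iptables is empty with ACCEPT policies, and the listener is bound on 0.0.0.0:873, yet no SYN/ACK appears. Capturing on both ends at once (tcpdump on the client as well as the server, filtered on port 873) tells you whether the SYN/ACK is never generated or is generated and lost on the return path. The block below is an added example, not part of the question: a small parser (hypothetical syn_report / blackholed helpers) for tcpdump's one-line output that pairs each SYN flow with any SYN/ACK going the other way, run over the five lines from the question plus a constructed port-80 handshake for contrast.

```python
import re
from collections import defaultdict

# Five lines copied from the question's tcpdump output (unanswered SYNs to 873),
# followed by three constructed lines showing a port-80 handshake that completes.
SAMPLE_CAPTURE = """\
02:06:10.237078 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996733675 ecr 0,nop,wscale 7], length 0
02:06:11.247448 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996733928 ecr 0,nop,wscale 7], length 0
02:06:13.263389 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996734432 ecr 0,nop,wscale 7], length 0
02:06:17.487448 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996735488 ecr 0,nop,wscale 7], length 0
02:06:25.679471 IP 2.2.2.2.38368 > 1.1.1.1.rsync: Flags [S], seq 3731769872, win 29200, options [mss 1460,sackOK,TS val 996737536 ecr 0,nop,wscale 7], length 0
02:07:01.000000 IP 2.2.2.2.40000 > 1.1.1.1.http: Flags [S], seq 1000, win 29200, length 0
02:07:01.000200 IP 1.1.1.1.http > 2.2.2.2.40000: Flags [S.], seq 5000, ack 1001, win 28960, length 0
02:07:01.000400 IP 2.2.2.2.40000 > 1.1.1.1.http: Flags [.], ack 5001, win 229, length 0
"""

# tcpdump prints "host.port > host.port: Flags [..]"; the flags group also accepts
# the "(S)" form that some copy/paste paths turn the brackets into.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"Flags [\[(](?P<flags>[^\])]*)[\])]"
)


def parse_line(line):
    """Return the addressing fields and TCP flags of one tcpdump line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def syn_report(lines):
    """Group SYNs by client flow and record whether a SYN/ACK came back.

    Key: (client_ip, client_port, server_ip, server_port).
    """
    flows = defaultdict(lambda: {"syns": 0, "synack": False})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":                      # SYN from client to server
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flows[key]["syns"] += 1
        elif p["flags"] == "S.":                   # SYN/ACK from server to client
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            flows[key]["synack"] = True
    return dict(flows)


def blackholed(lines, min_syns=3):
    """Flows that retried at least min_syns times and never got a SYN/ACK."""
    return [key for key, v in syn_report(lines).items()
            if v["syns"] >= min_syns and not v["synack"]]


if __name__ == "__main__":
    for key, v in syn_report(SAMPLE_CAPTURE.splitlines()).items():
        print(key, v)
    print("blackholed:", blackholed(SAMPLE_CAPTURE.splitlines()))
```

Run against a server-side capture it confirms "SYN arrives, nothing leaves"; run against a client-side capture of the same attempt it distinguishes a SYN/ACK that was dropped in transit from one that was never sent. Note that `hosts allow` in rsyncd.conf cannot cause this symptom: it is enforced by rsync after the TCP connection is accepted, so a rejected client would still see the handshake complete.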

TCP – OpenVPN over UDP – Internet connection fails

Running on Raspbian Lite.

When I configure OpenVPN over TCP (I'm not a geek, so I only used PiVPN.io to configure OpenVPN), everything works fine. I combined it with dnsmasq and now my local network and Internet work well.

However, I heard that OpenVPN is better configured over UDP instead of TCP. But when I do this, the local network is available (and fast), but the Internet doesn't work! I can ping Google, but traceroute gets stuck at 10.8.0.1. How can I make OpenVPN work over UDP?

Also, when the client connects to the VPN, the client's public IP changes, routing all of its traffic through my Raspberry Pi. This is not my intention. I am using the VPN just to get access to my home network, not to route traffic. How can I configure OpenVPN so that the client's public IP does not change, my home network is reachable, and all non-home traffic goes through the regular network the client is connected to?

I'm new to Linux networking, so I get a little confused.

Thanks in advance.

/etc/openvpn/server.conf

dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/plug_2f7e9769-829f-4772-a58f-59838f8b01c9.crt
key /etc/openvpn/easy-rsa/pki/private/plug_2f7e9769-829f-4772-a58f-59838f8b01c9.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN local.example.com" 
push "dhcp-option DNS 10.0.0.22"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

/etc/dnsmasq.conf

#/etc/dnsmasq.conf
domain-needed
bogus-priv
expand-hosts

# The address 192.168.0.176 is the static IP of this server 
# You can find this ip by running ifconfig and look for the 
# IP of the interface which is connected to the router.
listen-address=127.0.0.1
listen-address=10.0.0.22
bind-interfaces

# Use open source DNS servers
server=8.8.8.8
server=8.8.4.4

# Create custom 'domains'.
# Custom 'domains' can also be added in /etc/hosts
address=/local.example.com/10.0.0.22


dhcp-mac=set:client_is_a_pi,B8:27:EB:*:*:*
dhcp-reply-delay=tag:client_is_a_pi,2
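The second question (client's public IP changing) is answered by the server.conf itself: `push "redirect-gateway def1"` tells every client to send all traffic through the tunnel, and `push "block-outside-dns"` additionally stops Windows clients from using any DNS server outside it. A split tunnel drops both and pushes a route for the home LAN only; the pushed DNS server and search domain can stay so that local.example.com still resolves. The block below is an added example, not part of the question or of PiVPN: a small script (hypothetical is_full_tunnel / to_split_tunnel helpers) that audits an abridged copy of the posted config and rewrites it. The home LAN prefix 10.0.0.0/24 is an assumption taken from the pushed DNS address 10.0.0.22; the dnsmasq comment mentions 192.168.0.176, so check which one the Pi's LAN really is. The UDP Internet failure is a separate matter and is not addressed here.

```python
import ipaddress

# Abridged copy of the question's /etc/openvpn/server.conf (full-tunnel form).
SERVER_CONF = """\
dev tun
proto tcp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN local.example.com"
push "dhcp-option DNS 10.0.0.22"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
"""

# Pushed options that force all client traffic (and all DNS) into the tunnel.
FULL_TUNNEL_PUSHES = ("redirect-gateway", "block-outside-dns")


def pushed_option_name(line):
    """Name of the option a 'push "..."' line carries, or None for other lines."""
    stripped = line.split("#", 1)[0].strip()          # drop trailing comments
    if not stripped.startswith("push "):
        return None
    body = stripped[len("push "):].strip().strip('"')
    return body.split()[0] if body else None


def is_full_tunnel(conf):
    """True when the server pushes a default route to its clients."""
    return any(pushed_option_name(l) == "redirect-gateway" for l in conf.splitlines())


def to_split_tunnel(conf, lan_cidr):
    """Return a copy of conf that routes only lan_cidr through the VPN.

    lan_cidr is the home LAN in CIDR form (assumed 10.0.0.0/24 in the demo).
    """
    net = ipaddress.ip_network(lan_cidr, strict=True)
    kept = [l for l in conf.splitlines()
            if pushed_option_name(l) not in FULL_TUNNEL_PUSHES]
    route = f'push "route {net.network_address} {net.netmask}"'
    # Place the route push right after the 'server' directive (or at the end).
    idx = next((i for i, l in enumerate(kept) if l.startswith("server ")), len(kept) - 1)
    kept.insert(idx + 1, route)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("full tunnel before:", is_full_tunnel(SERVER_CONF))
    fixed = to_split_tunnel(SERVER_CONF, "10.0.0.0/24")
    print("full tunnel after: ", is_full_tunnel(fixed))
    print(fixed)
```

With the rewritten config a connected client keeps its own default gateway (so its public IP is unchanged), reaches 10.0.0.0/24 through the tunnel, and uses 10.0.0.22 for DNS; if you prefer the client's normal resolver for everything except the home domain, drop the pushed DNS line as well.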

I wonder why my Pi VPN server (PiVPN) can only use the TCP protocol but not the UDP protocol

So I made a personal VPN server using PiVPN on my Raspberry Pi 3B+ (Raspbian Jessie). I set up my server according to this guide:

https://www.cloudpro.co.uk/it-infrastructure/virtualization/7503/how-to-turn-a-raspberry-pi-into-a-vpn-server

I followed the instructions until I ran into a problem. The guide says that I have to choose UDP (port 1194) to configure my server, forwarding the same port with the same protocol. But when I use the VPN file with OpenVPN, I can't connect to the Internet. I tried to reconfigure it every time I saw a post that suggested changing the protocol to TCP and the port to 443x (x is a random number). And guess what! It worked, and I still use TCP so far, but recently I saw a post in this community:

What is the difference between VPN over TCP vs UDP?

I found that the VPN server prefers UDP to TCP.

Can anyone explain to me why I have faced this problem?

Thank you so much guys !!