LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 12-02-2014, 05:18 AM   #1
christophdb
LQ Newbie
 
Registered: Dec 2014
Posts: 2

Rep: Reputation: Disabled
VPN Connection working, but black hole afterwards


Hi everybody,

Please help me to find my fault. I am totally depressed because I have no clue why this is not working.

I want
OPENVPN-Client (Ubuntu Notebook with UMTS) --> Internet --> PFSense Firewall --> OpenVPN-Server (Ubuntu Server)

What is working:
- I can establish a connection from the Client to the OpenVPN-Server. All devices can ping each other. I can even open local webpages or samba shares on 192.168.5.205 or 192.168.5.4 (other server on the lan).
IP-Client: 10.8.0.6
IP-Server (tun0): 10.8.0.1
IP-Server (eth0): 192.168.5.205
IP-PFSense Gateway: 192.168.5.1

My Configurations:
/etc/openvpn/server.conf (reduced to the most important things)
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"
push "redirect-gateway"

/etc/network/iptables
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.205
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

I can confirm that all traffic is routed through the VPN.

ip route show (on the server)
default via 192.168.5.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.205

Problem 1:
- I can ping from the client http://www.google.de and it shows me the IP 173.194.39.23
- I can do traceroute http://www.google.de and it takes quite a long time:
1 10.8.0.1 80 ms
2 37.148.137.57 500ms
3 217.0.67.250 600ms
...
- But if I try to open http://www.google.de on the page it shows me a "timeout"
- I can see no blocked packages in my pfsense firewall from the source 10.8.*

Assumption 1:
Can you confirm that I have internet access via openvpn? Otherwise it should not be possible to ping anything.
But where is the problem that I can not open url pages? Is the channel back blocked? How can I debug where the problem is?

Problem 2:
- I can open via openvpn all different clients in the lan (I can open 192.168.5.* via openvpn).
- But some pages are not shown correctly. For example, if I open seafile via 192.168.5.205 from the LAN everything is perfect.
- If I open the same page via openvpn it shows me only half of the page and it seems like the computer has huge problems to resolve the url.

Do you have any idea what the problem is? Is it pfsense? Is it iptables?
Thanks for your help.
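
An added example, not part of the original post: a small first-match evaluator for the two POSTROUTING rules quoted above, showing which source address packets from the VPN client carry once they leave eth0. It assumes the rules load as written with the target spelled MASQUERADE and that the interface addresses are the ones listed in the post; the function names and the `IFACE_ADDR` table are made up for this illustration.

```python
import ipaddress
import shlex

# The two nat rules from the post's /etc/network/iptables (target spelled MASQUERADE).
RULES = """\
-A POSTROUTING -s 10.8.0.0/24 -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.205
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
"""

# Server interface addresses as listed in the post (assumed still current).
IFACE_ADDR = {"eth0": "192.168.5.205", "tun0": "10.8.0.1"}


def parse_rule(line):
    """Parse one '-A' line; only handles options that take exactly one argument."""
    tokens = shlex.split(line)
    opts = dict(zip(tokens[2::2], tokens[3::2]))
    return {
        "src": ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
        "dst": ipaddress.ip_network(opts.get("-d", "0.0.0.0/0")),
        "out": opts.get("-o"),
        "target": opts["-j"],
        "to_source": opts.get("--to-source"),
    }


def source_after_postrouting(src, dst, out_iface, rules_text=RULES):
    """Return (source address on the wire, matching target) for a new connection."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in rules_text.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        rule = parse_rule(line)
        if src_ip not in rule["src"] or dst_ip not in rule["dst"]:
            continue
        if rule["out"] and rule["out"] != out_iface:
            continue
        # The first matching nat rule decides; later rules are not consulted.
        if rule["target"] == "SNAT":
            return rule["to_source"], "SNAT"
        if rule["target"] == "MASQUERADE":
            return IFACE_ADDR[out_iface], "MASQUERADE"
    return src, None  # no rule matched: source address left unchanged


if __name__ == "__main__":
    for dst in ("192.168.5.4", "173.194.39.23"):
        print(dst, source_after_postrouting("10.8.0.6", dst, "eth0"))
```

Under these rules both LAN-bound and Internet-bound traffic from 10.8.0.6 leaves eth0 with source 192.168.5.205, so a pfSense log filter on source 10.8.* would match nothing whether or not packets are being dropped.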
 
Old 12-03-2014, 05:01 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
I can open local webpages or samba shares on 192.168.5.205 or 192.168.5.4 (other server on the lan).
If you're saying you've negotiated an encrypted connection and gained access to resources on your lan, I'd guess your VPN isn't your problem.

Quote:
Do you have any idea what the problem is?
How are you resolving DNS?

Quote:
Thanks for your help.
Let's see if that's any help before you thank me.
 
Old 12-03-2014, 05:07 AM   #3
christophdb
LQ Newbie
 
Registered: Dec 2014
Posts: 2

Original Poster
Rep: Reputation: Disabled
DNS Resolution

Hi dijetlo,
I tried four different options
push "dhcp-option DNS 192.168.5.205" # server
push "dhcp-option DNS 192.168.5.1" # pfsense
push "dhcp-option DNS 10.8.0.1" # server
or none.

In any case the resolution of www.google.de was successful to 173....
I even tried to open the IP 173.... directly in the browser. No difference.

Can I assume that DNS is not the problem or would you check something different?
Best regards
Christoph
 
Old 12-06-2014, 08:50 AM   #4
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Hey Christoph,

try "nslookup <hostname>", see how long it takes for you to get a response from your DNS server.
 
  

