I am trying to set up a VPN into my home network. The use will be for remote streaming of movies from my home media server as well as access to files and computers on my home LAN. I have it mostly working, except for a few things I don’t know how to debug. My VPN endpoint (the server) is my home router, running Tomato firmware and OpenVPN. My client end is a laptop running Linux and OpenVPN. My server is setup to use UDP and the TUN interface. And the server directs clients to route all internet traffic through the tunnel. And the server also does a “Push LAN to clients” (I believe this is Tomato-firmware-speak for OpenVPN “advertising the LAN subnet to the VPN clients”). Eventually I want to also set up a secondary VPN server using TCP and TAP, but for now it’s only UDP/TUN (because someday soon the clients will include iPads and Android tablets, and those do not currently support TAP at all).

OK. I can set up the tunnel successfully (the client was logged into the free WiFi at my wife’s workplace for the testing). Once the tunnel is set up, the client can ping the LAN address of my home router and can also ping things inside my home LAN – other computers, printers, etc. Good, the tunnel looks correct at this point. The client can also SSH into one of my home LAN’s Linux boxes via the VPN tunnel. Good, the fact that SSH works implies that the routing is good. Now comes the part I don’t understand. If the client fires up a web browser (Firefox in my case) and tries to access a webserver running inside my home LAN (that webserver is running on the same computer that just had the successful SSH connection), then the browser just spins forever, saying “Connecting…” So next I tried using the client browser to access Google. That request should have gone through the tunnel into my home LAN and then out to Google. That attempt just spun endlessly, same as when I tried to access my internal LAN webserver. Next up I tried a browser connection to my home router itself (the LAN IP address). That should have given me the management interface for the router. It tried, because I was prompted for a login/password for the router. That was more positive than my previous browser connect attempts, at least it shows some kind of connection was successfully made. But after I entered the login/password, THEN the browser just spins endlessly again.

I was testing web access first, because my home media server, Plex, provides a web interface where you can both control the server, and also watch media directly in the web browser. Plex also supports DLNA, but I have not tried testing that yet. And I may not even test it, if I can just use the web browser interface to watch media.

OK. At this point, the tunnel is up, I can ping through it and I can SSH to an internal LAN server through it. But HTTP stuff isn’t working. So next up I tried to access a SAMBA (CIFS) share. This is a share on my home LAN that is provided by another Linux box (my home fileserver). The client was able to successfully mount the share (mount details were entered into /etc/fstab on the client, followed my a “mount /public” command). But when I tried to run “ls” on the /public mountpoint, it hung. Nothing would get me unhung – not ctrl-c, not ~. I had to kill the terminal window on the client. So at this point, CIFS shares aren’t working either.

So I killed the VPN tunnel from the laptop and switched gears. Next up I tried using an iPad as my client. There is an “OpenVPN Connect” app available for the iPad. I used that, and the tunnel came up successfully. Good. I tried the web browser on the iPad (Safari) going to my internal webserver. Same as with the laptop, it just spun endlessly trying to connect. I hadn’t installed any other apps on the iPad that would be useful over the tunnel, so that’s where my testing stopped.

Next up in my testing, probably tomorrow, will be installing a packet sniffer on the client and seeing if I can determine where things are going awry. Don’t know where that might lead me, probably to a dead end with the VPN being encrypted and all that, but I’ll give it a shot anyway. While I won’t be able to read the packets contents, I should be able to track them going over the wire (maybe!)

Does anyone have any idea what could be going wrong here? I have more details if required. On the laptop Linux client I have captures of the routing tables, ifconfig output, traceroutes, etc. I’m not very good at interpreting routing tables but I would think all of that is OK given that SSH through the tunnel to an internal LAN computer worked flawlessly.

Thanks in advance for any help/suggestions.

From your description, this could be a DNS issue. (My apologies in advance if I'm on the wrong track here.)

A quick check would be to try pinging hosts on your network by hostname vs IP address. (Check /etc/resolv.conf of the client machine when your VPN connection is established). So, you may need to make sure that your OpenVPN sever is successfully pushing DNS to the client.

Here's just one guide on the subject of OpenVPN server DNS configuration
https://wiki.archlinux.org/index.php/OpenVPN#DNS

Wow, you nailed it! Thanks!!!

There is a setting in OpenVPN as implemented on the Tomato router that says "Respond to DNS" and another one that says "Advertise DNS to clients". I checked both of those and things started working. At least the http access thing, I haven't tried the CIFS share yet.

In retrospect, I can see why DNS was the issue (except for one case). When I was coming into my LAN's webserver (using the IP address, not a domain name), that should have worked. But what I didn't take into account was that the specific webpage I was trying to access goes out from the home LAN to the internet at large to get some scripts, and that was getting nuked by lack of DNS. Same thing for when I tried to tunnel in to my LAN and then bounce out to Google. With no DNS, there was no way to find Google. The one case that I don't understand why DNS was required is access to the LAN interface of my router. I was giving it the routers IP address, and then getting prompted for a login/password (good - that was as expected). But after entering the authentication, then the browser hung. That would seem to imply that the router administrative login was trying to do something that required DNS. I don't understand what that would have been. Maybe this is a different issue (I haven't tried access the routers LAN interface since ticking the DNS checkboxes, so it may still be failing - I don't know until I can test again later).

Anyway, adding DNS to the VPN server settings fixed the problem I was trying to solve.

THANKS!!!

Glad to have been of help.