  1. #1
    Newbie
    Join Date
    Jan 2020
    Posts
    9

    OpenVPN Full Tunnel Breaks Internet

    Hello, I'm having some trouble with VPN clients connecting to the Internet through a full tunnel. Base network connection is good, however connections time out. I have witnessed a page or two load, only for it to stop working, so it appears to be intermittent. Meanwhile, split tunnel connections to internal resources are fast enough to stream HD video. I can't find any issues in the OpenVPN or Firewall logs... although I may not be looking in the correct location.

    1. The appliance has a static IP, and the VPN is on 172.16.0.0/24.
    2. NAT OpenVPN traffic to true.
    3. There are no firewall rules applied to the OpenVPN interface or network ranges.
    4. Config > Network > NAT Rules has no entry for VPN (assuming #2 to be valid).
    5. Client is iPhone 8 and iPad (not sure version) with OpenVPN app.
    6. Full and split tunnel groups Push DNS and Push DNS Server (OpenVPN Server).
    7. No custom DNS entries.
    8. Pushes local domain.
    9. Two local networks are exported. (I wondered about exporting 0.0.0.0)
    10. No changes to Advanced tab.


    Where can I find a log to monitor VPN traffic more closely?
    Last edited by gnurob; 01-04-2020 at 08:39 PM.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,407


    - On the client side, does the VPN app show as disconnected?
    - If it says connected, you will need to determine why the Internet is not working, using this troubleshooting guide:
    https://wiki.untangle.com/index.php/...ternet_is_Down
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Jan 2020
    Posts
    9


    Hi, thanks for your reply.

    The VPN client shows as connected.

    I am not sure why following the Internet connection test steps would help: by the fact that the VPN client successfully logged into the VPN server on the WAN interface, we know we have a link. In any case, there are no connection issues with any devices on the appliance's internal LAN interfaces. GB of traffic passes daily and a web and mail server are happy.

    This feels like a routing issue, guessing.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,407


    I'm looking to methodically determine the issue. It could be DNS, IP range, routing or protocol related. There are tests in there to run on the remote PC.

  5. #5
    Newbie
    Join Date
    Jan 2020
    Posts
    9


    Hi, thanks, here are the results of the tests conducted with a full tunnel using a laptop for terminal utilities. (This was actually run over a personal hot spot through the iPhone because the tunnel doesn't work from inside the firewall.)

    PING 172.16.0.1 (172.16.0.1): 56 data bytes
    64 bytes from 172.16.0.1: icmp_seq=0 ttl=64 time=122.927 ms

    PING x.x.x.180 (x.x.x.180): 56 data bytes
    64 bytes from x.x.x.180: icmp_seq=0 ttl=45 time=113.757 ms

    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=161.393 ms

    laptop:~ username$ nslookup google.com
    Server: 172.16.0.1
    Address: 172.16.0.1#53

    Non-authoritative answer:
    Name: google.com
    Address: 172.217.6.238

    PING google.com (172.217.6.238): 56 data bytes
    64 bytes from 172.217.6.238: icmp_seq=0 ttl=53 time=159.048 ms

    laptop:~ username$ wget --server-response -q google.com
    HTTP/1.1 301 Moved Permanently
    Location: ** removed link because Untangle forum rules **
    Content-Type: text/html; charset=UTF-8
    Date: Sun, 05 Jan 2020 13:25:11 GMT

    laptop:~ username$ wget --server-response -q 172.16.0.1
    HTTP/1.1 302 Found
    Date: Sun, 05 Jan 2020 13:26:21 GMT


    From this, you may determine that the link is working. However, running Ookla Speedtest has very different results:
    - From inside the network, no tunnel, laptop: works
    (Loaded test and gave expected speed result.)

    - From outside the network, full tunnel, iPhone with OpenVPN: fail
    "Safari could not open the page because the server stopped responding"

    The next thing to consider may be the iPhone vs the laptop, however I ran the same ping and nslookup tests using iNetTools app, with full tunnel, and the results were that the network is working.

    So, it is not that the connection is up or down, but intermittent failures--mostly linked to higher data loads than a network test utility. For example, loading YouTube.

  6. #6
    Newbie
    Join Date
    Jan 2020
    Posts
    9


    Quick update, I did run nslookup from the iPhone over full tunnel, and it works, but a whois fails, along with loading a web page.

    Connections fail with clients configured with and without Push DNS.

    Edit: A few more tests, and it looks like nslookup is occasionally slow and times out. I ran some tests using the full tunnel with Push DNS and OpenVPN Server for DNS using FQDN addresses that were in the Static DNS Entries and others that were not.

    Static entries loaded immediately (e.g. router1 . mydomain . tld)

    "Remote" entries were slow, taking on average 30 seconds (e.g. www . mydomain . tld and google . com)
    Last edited by gnurob; 01-05-2020 at 07:52 AM.

  7. #7
    Master Untangler
    Join Date
    Oct 2013
    Posts
    132


    I've got both Split and Full tunnel working in OpenVPN. Just a shot in the dark, have you tried leaving the "Push DNS Domain" field empty?

  8. #8
    Newbie
    Join Date
    Jan 2020
    Posts
    9


    Originally posted by oj88:
    I've got both Split and Full tunnel working in OpenVPN. Just a shot in the dark, have you tried leaving the "Push DNS Domain" field empty?
    Hi, I ran a full tunnel with and without Push DNS. Same results for non-static DNS entries.

  9. #9
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,407


    So the Tunnel is open and connected but http traffic is not flowing. I would try with compress set to empty (nothing in the value field). This needs to be changed on the server and the client config. Also restart OpenVPN after the changes by setting app to disabled then enabled.

  10. #10
    Master Untangler RiffRaff's Avatar
    Join Date
    Jul 2008
    Location
    Indianapolis, Indiana, USA
    Posts
    135


    Originally posted by jcoffin:
    So the Tunnel is open and connected but http traffic is not flowing. I would try with compress set to empty (nothing in the value field). This needs to be changed on the server and the client config. Also restart OpenVPN after the changes by setting app to disabled then enabled.
    Thank you! I have been struggling to figure out why my remote servers were working fine but clients would connect without any traffic. Implementing this change resolved that problem.

    Risking my life for people I hate for reasons I don't understand.
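
Post #9 says the compress option has to be changed in both the server and the client config. As an added example (not part of the thread and not Untangle's code), this script compares the compression directives of two OpenVPN configs; the sample configs are constructed, and treating pushed options as overriding the client's own is a simplifying assumption.

```python
import shlex

COMP_KEYS = ("compress", "comp-lzo")  # OpenVPN compression directives

def compression_directives(config_text):
    """Return (local, pushed) compression directives found in one config."""
    local, pushed = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                        # unbalanced quote: skip line
            continue
        if not tokens:
            continue
        if tokens[0] == "push" and len(tokens) > 1:
            inner = tokens[1].split()             # e.g. push "compress lz4"
            if inner and inner[0] in COMP_KEYS:
                pushed[inner[0]] = " ".join(inner[1:])
        elif tokens[0] in COMP_KEYS:
            local[tokens[0]] = " ".join(tokens[1:])
    return local, pushed

def show(value):
    """Render a directive value for the report."""
    return "absent" if value is None else (value or "(no value)")

def compare(server_text, client_text):
    """List compression directives that differ between server and client."""
    s_local, s_pushed = compression_directives(server_text)
    c_local, _ = compression_directives(client_text)
    c_effective = {**c_local, **s_pushed}         # assumption: pushes override
    return [f"{k}: server={show(s_local.get(k))} client={show(c_effective.get(k))}"
            for k in COMP_KEYS if s_local.get(k) != c_effective.get(k)]

# Constructed sample configs (not taken from the thread).
SERVER_OLD = "port 1194\nproto udp\ncompress lz4\n"
SERVER_NEW = "port 1194\nproto udp\ncompress\n"
SERVER_PUSH = 'port 1194\ncompress lz4\npush "compress lz4"  # sent to clients\n'
CLIENT_NEW = "client\nremote vpn.example.test 1194\ncompress\n"

if __name__ == "__main__":
    for name, srv in (("old", SERVER_OLD), ("new", SERVER_NEW), ("push", SERVER_PUSH)):
        print(name, compare(srv, CLIENT_NEW) or "compression settings match")
```

A non-empty result means the change was applied on only one side, which is the case post #9 warns about.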
