Jump to content
Not connected, Your IP: 18.117.70.64
Sign in to follow this  
fantastico

Strange behavior: Unable to ping or surf when connected to vpn

Recommended Posts

My wife and I own a notebook computer each: one (let us name it A) is installed with Debian stable while the other (named B has Microsoft Windows 7.

On A, without a vpn connection, I am able to ping websites. As soon as A is connected to an airvpn server, I am unable to ping websites or even use Iceweasel to surf the internet. I cannot even do sudo apt-get update while A is connected to any airvpn server.

Strangely enough, on B, after a successful connection to any airvpn server, I am able to ping websites and surf the internet using Google Chrome or Internet Explorer.

I must add that both my wife and I are on an overseas work assignment and stay in a hotel which, fortunately, provides LAN connection, which both of us use.

Is Staff or someone here able to help?

Share this post


Link to post

On the debian machine if you're running the Eddie client try unchecking the box in the settings "Check if the tunnel effectively works".

Share this post


Link to post

On the debian machine if you're running the Eddie client try unchecking the box in the settings "Check if the tunnel effectively works".

 

No, I do not have the Eddie client (what's that?). I do not wish to install additional software packages to complicate matters. As it is the current situation is already complex.

Share this post


Link to post

Eddie Client = https://airvpn.org/topic/12464-eddie-27-available/

Did you setup firewall rules via iptables?  Is a rule blocking forwarding?

And did you setup a nat rule?

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
 

Tbh just grabbing the eddie client would be a good bit easier.  It has a network lock that stops connectivity if the vpn drops. It also sets up the dns correctly ect.

 

If you're not running some crazy netfilter/firewall setup there's no reason not to use the eddie client. I've run it on debian with no issues but my current setup is a little to complex to use it. I really wish I could.

Share this post


Link to post
Thanks for the link.

Did you setup firewall rules via iptables?  Is a rule blocking forwarding?

And did you setup a nat rule?

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
 

 

No. I don't know how to set up firewall rules using iptables. I don't even know what forwarding and nat rule are?

 

If you're not running some crazy netfilter/firewall setup there's no reason not to use the eddie client.

Can we stay on topic please? The Eddie client that you recommend is a distraction from the subject.

Share this post


Link to post

@fantastico

 

Please publish OpenVPN logs from computer A, taken after a connection to a VPN server has been allegedly established. They could have some useful clues.

 

Kind regards

Share this post


Link to post

Please publish OpenVPN logs from computer A, taken after a connection to a VPN server has been allegedly established. They could have some useful clues.

 

As requested:

username@hostname:~$ cd airvpn
username@hostname:~/airvpn$ sudo openvpn --config AirVPN_United-States_UDP-2018.ovpn
[sudo] password for username:
Fri Nov 13 23:41:20 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 27 2013
Fri Nov 13 23:41:20 2014 WARNING: file 'user.key' is group or others accessible
Fri Nov 13 23:41:20 2014 WARNING: file 'ta.key' is group or others accessible
Fri Nov 13 23:41:20 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Nov 13 23:41:20 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 13 23:41:20 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 13 23:41:20 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Nov 13 23:41:26 2014 UDPv4 link local: [undef]
Fri Nov 13 23:41:26 2014 UDPv4 link remote: [AF_INET]198.203.28.42:2018
Fri Nov 13 23:41:26 2014 TLS: Initial packet from [AF_INET]198.203.28.42:2018, sid=16e2c3a5 18c5137b
Fri Nov 13 23:41:28 2014 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Fri Nov 13 23:41:28 2014 Validating certificate key usage
Fri Nov 13 23:41:28 2014 ++ Certificate has key usage 00a0, expects 00a0
Fri Nov 13 23:41:28 2014 VERIFY KU OK
Fri Nov 13 23:41:28 2014 Validating certificate extended key usage
Fri Nov 13 23:41:28 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Nov 13 23:41:28 2014 VERIFY EKU OK
Fri Nov 13 23:41:28 2014 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Fri Nov 13 23:41:36 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Nov 13 23:41:36 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 13 23:41:36 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Nov 13 23:41:36 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Nov 13 23:41:36 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Fri Nov 13 23:41:36 2014 [server] Peer Connection Initiated with [AF_INET]198.203.28.42:2018
Fri Nov 13 23:41:38 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Nov 13 23:41:38 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.30.0.1,comp-lzo no,route 10.30.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.30.1.202 10.30.1.201'
Fri Nov 13 23:41:38 2014 OPTIONS IMPORT: timers and/or timeouts modified
Fri Nov 13 23:41:38 2014 OPTIONS IMPORT: LZO parms modified
Fri Nov 13 23:41:38 2014 OPTIONS IMPORT: --ifconfig/up options modified
Fri Nov 13 23:41:38 2014 OPTIONS IMPORT: route options modified
Fri Nov 13 23:41:38 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Nov 13 23:41:38 2014 ROUTE_GATEWAY 192.168.200.1/255.255.255.0 IFACE=eth0 HWADDR={suppressed}
Fri Nov 13 23:41:38 2014 TUN/TAP device tun0 opened
Fri Nov 13 23:41:38 2014 TUN/TAP TX queue length set to 100
Fri Nov 13 23:41:38 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Nov 13 23:41:38 2014 /sbin/ip link set dev tun0 up mtu 1500
Fri Nov 13 23:41:38 2014 /sbin/ip addr add dev tun0 local 10.30.1.202 peer 10.30.1.201
Fri Nov 13 23:41:38 2014 /sbin/ip route add 198.203.28.42/32 via 192.168.200.1
Fri Nov 13 23:41:38 2014 /sbin/ip route add 0.0.0.0/1 via 10.30.1.201
Fri Nov 13 23:41:38 2014 /sbin/ip route add 128.0.0.0/1 via 10.30.1.201
Fri Nov 13 23:41:38 2014 /sbin/ip route add 10.30.0.1/32 via 10.30.1.201
Fri Nov 13 23:41:38 2014 Initialization Sequence Completed
 

 

After machine A is connected to the airvpn server, I am unable to ping websites:

username@hostname:~$ ping yahoo.com
ping: unknown host yahoo.com
username@hostname:~$ ping microsoft.com
ping: unknown host microsoft.com
username@hostname:~$ ping google.com
ping: unknown host google.com
username@hostname:~$ ping airvpn.org
ping: unknown host airvpn.org
username@hostname:~$
 

 

 

 

 

Share this post


Link to post

Some further details:
 
When my colleague was installing Debian Wheezy for me, he opted for "network autoconfiguration" with DHCP enabled. The default gateway was detected as 192.168.1.1 and the IP address assigned was 192.168.1.33. At that time, with or without a VPN connection, I was able to ping websites and surf the internet.
 
But now in the hotel, things started to go awry.
 
Below are the results taken at the current location:

username@hostname:~$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr ac:(suppressed)
          inet addr:192.168.200.96  Bcast:192.168.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:182 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17127 (16.7 KiB)  TX bytes:12192 (11.9 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:100 (100.0   TX bytes:100 (100.0 

username@hostname:~$ sudo netstat -anr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.200.1   0.0.0.0         UG        0 0          0 eth0
192.168.200.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
username@hostname:~$

Share this post


Link to post

@fantastico

 

Apparently it could be just a DNS issue because the connection is successful. From the logs it comes out that you do not worry about DNS push, but you must do it if you don't run our client. What happens if you try to ping directly without names resolution (for example "ping 8.8.8.8")?

 

In one case, maybe the previously configured DNS servers did not accept queries from outside their network, in the other case (colleague configuration) they did. Please see this guide in our "How To" section:

https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf

 

If you don't have resolvconf package installed, either install it or just use our client: it has another method to accept DNS push (resolv.conf direct handling).

 

Kind regards

Share this post


Link to post

From the logs it comes out that you do not worry about DNS push, but you must do it if you don't run our client.

 

 

Do what please?

 

What happens if you try to ping directly without names resolution (for example "ping 8.8.8.8")?

 

I will test pinging directly without names resolution and feedback later.

 

In one case, maybe the previously configured DNS servers did not accept queries from outside their network,

 

Is there a way to get these DNS servers that do not accept queries from outside their network ACCEPT queries from my machine?

 

Staff, could you help me understand why my wife's computer which only has Microsoft Windows OS is able to ping and surf after a successful connection to the same VPN server that I use? Her computer uses the free open source version of Openvpn.

Share this post


Link to post

 

From the logs it comes out that you do not worry about DNS push, but you must do it if you don't run our client.

 

 

Do what please?

 

Hello!

 

"DNS push" is the "push" of VPN DNS servers IP addresses from our servers to your client (more in general, it is an OpenVPN DHCP-push). Your client is free to accept or not the DNS push. If not accepted, no DNS will be modified on your system.

 

I will test pinging directly without names resolution and feedback later.

 

Ok, this will let us discern whether it's a DNS issue or not.

 

In one case, maybe the previously configured DNS servers did not accept queries from outside their network,

 

Is there a way to get these DNS servers that do not accept queries from outside their network ACCEPT queries from my machine?

 

Yes, the DNS servers administrators should configure the servers accordingly. In general, you should not worry about it, because one of the purposes of our service is protecting you against DNS queries snooping/sniffing for profiling or more sinister purposes, so in general one does NOT want to use his/her own ISP DNS or send out DNS queries in plain text.

 

Staff, could you help me understand why my wife's computer which only has Microsoft Windows OS is able to ping and surf after a successful connection to the same VPN server that I use? Her computer uses the free open source version of Openvpn.

 

IF our explanation of the problem is correct, it's because OpenVPN for Windows comes packaged with OpenVPN GUI which by default accepts DNS pushes.

 

Kind regards

Share this post


Link to post

Your client is free to accept or not the DNS push. If not accepted, no DNS will be modified on your system.

 

According to your explanation, when I connect to an Airvpn server, it will push its DNS servers to my machine. For example: Airvpn's DNS servers are 1.1.1.1 and my machine has been configured to use DNS servers 2.2.2.2. When I connect to your server, it will ask me to accept 1.1.1.1 or reject it, is that correct?

 

And how do I accept or reject Airvpn DNS servers in Debian?

 

Ok, this will let us discern whether it's a DNS issue or not.

 

As promised, below are the results of the "ping 8.8.8.8" test.

 

username@hostname:~$ ping google.com
ping: unknown host google.com
username@hostname:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=47 time=414 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=47 time=415 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=47 time=414 ms
64 bytes from 8.8.8.8: icmp_req=4 ttl=47 time=414 ms
64 bytes from 8.8.8.8: icmp_req=5 ttl=47 time=416 ms
64 bytes from 8.8.8.8: icmp_req=6 ttl=47 time=414 ms
64 bytes from 8.8.8.8: icmp_req=7 ttl=47 time=416 ms
64 bytes from 8.8.8.8: icmp_req=8 ttl=47 time=414 ms
64 bytes from 8.8.8.8: icmp_req=9 ttl=47 time=415 ms
64 bytes from 8.8.8.8: icmp_req=10 ttl=47 time=414 ms
64 bytes from 8.8.8.8: icmp_req=11 ttl=47 time=415 ms
64 bytes from 8.8.8.8: icmp_req=12 ttl=47 time=416 ms
64 bytes from 8.8.8.8: icmp_req=13 ttl=47 time=416 ms
64 bytes from 8.8.8.8: icmp_req=14 ttl=47 time=414 ms
64 bytes from 8.8.8.8: icmp_req=15 ttl=47 time=417 ms
^C
--- 8.8.8.8 ping statistics ---
16 packets transmitted, 15 received, 6% packet loss, time 15001ms
rtt min/avg/max/mdev = 414.222/415.458/417.025/0.861 ms
username@hostname:~$

Share this post


Link to post

 

Thanks for the link.
"1415964161">

Did you setup firewall rules via iptables?  Is a rule blocking forwarding?

And did you setup a nat rule?

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
 
No. I don't know how to set up firewall rules using iptables. I don't even know what forwarding and nat rule are?

 

If you're not running some crazy netfilter/firewall setup there's no reason not to use the eddie client.

Can we stay on topic please? The Eddie client that you recommend is a distraction from the subject.

 

​This post is actually 100% on topic. The Eddie client is airvpn's custom GUI front end for Openvpn.

 

It will fix the dns settings for you as well as setup temporary firewall rules if the option is chosen to do so. Which frankly will be substantially safer for someone with minimal linux knowledge.

​For a quick test to bypass the dns here is one of startpage.com's ip's.

https://37.0.88.21/

https://startpage.com/

​If the direct ip link https://37.0.88.21/ connects to startpage while you're connected to the vpn then your issue is dns based.

As Staff have said its important for administrators to correctly setup the DNS. Otherwise every time you click a page/site your ISP dns servers will do a lookup on the domain name to direct it to an IP/Server making using a vpn nearly pointless. This is because your isp will still see every domain you're clicking while using their dns servers.

​The simplest solution for this is to install the eddie client. Which will most likely fix your connection problems and make using airvpn safer.

Share this post


Link to post

If you don't have resolvconf package installed, either install it or just use our client: it has another method to accept DNS push (resolv.conf direct handling).

 

I have just installed resolvconf. Does it need to be configured? If yes, how?

 

There is this part about DNS push that I do not quite understand: My colleague configured "Network Manager" to use DNS server 1.1.1.1 which is different from my ISP's. At the hotel, it uses a.a.a.a for its DNS server and Airvpn uses b.b.b.b as its DNS server.

 

Without a VPN connection, when I ping and surf websites, I will be using 1.1.1.1, is that right?

 

When I am connected to an Airvpn server, I will be using Airvpn's DNS server, right?

 

But I have the option to reject Airvpn's DNS server, yes/no?

Share this post


Link to post

 

If you don't have resolvconf package installed, either install it or just use our client: it has another method to accept DNS push (resolv.conf direct handling).

 

I have just installed resolvconf. Does it need to be configured? If yes, how?

 

There is this part about DNS push that I do not quite understand: My colleague configured "Network Manager" to use DNS server 1.1.1.1 which is different from my ISP's. At the hotel, it uses a.a.a.a for its DNS server and Airvpn uses b.b.b.b as its DNS server.

 

Without a VPN connection, when I ping and surf websites, I will be using 1.1.1.1, is that right?

 

When I am connected to an Airvpn server, I will be using Airvpn's DNS server, right?

 

But I have the option to reject Airvpn's DNS server, yes/no?

 

​In the network manager try using 10.4.0.1 for the dns server. That will route all dns queries to airvpn. However you'll need to change it back when not using airvpn.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...