Clients can't access internet when VPN connected

When I enable one of my OpenVPN connections, I’m unable to access the internet from my workstation. When the VPN is not running, everything works as expected.

Symptoms from client (workstation) when VPN is active:

$ ping google.com
PING google.com (172.217.4.46): 56 data bytes
92 bytes from turris.lan (192.168.1.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 c4cb   0 0000  3f  01 43a8 192.168.1.134  172.217.4.46 

$ host google.com
google.com has address 172.217.4.46
google.com has IPv6 address 2607:f8b0:4009:804::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.

From the Turris when the VPN is active:

# ping google.com
PING google.com (172.217.4.46): 56 data bytes
64 bytes from 172.217.4.46: seq=0 ttl=57 time=12.341 ms
64 bytes from 172.217.4.46: seq=1 ttl=57 time=12.231 ms
64 bytes from 172.217.4.46: seq=2 ttl=57 time=12.621 ms

I’m guessing this is DNS related.

How do I resolve this?

Sometimes using a 192.168.x.x network causes routing problems from/to the gate (vpngate) and corresponding services on the LAN and/or inside the tunnel. You can set your network to something less generic to make routing more friendly. You can also use “list push” to specify which WINS/DNS/gate/DHCP can be used.
(At this moment I still have it with that default network; I am planning to change it because of several issues reported by my ovpn clients, so in the sample below I still have 192.168.x.x.)
Something like:

   list push 'redirect-gateway def1'  # force all client traffic through the tunnel/corresponding gate
   list push 'dhcp-option DNS 192.168.1.1'  # push the DNS setup from the DHCP server
   list push 'route 192.168.1.0 255.255.255.0'  # you can force routing from the corresponding network(s)
   list push 'dhcp-option DNS 192.168.1.1' # if you have a Turris, why not use it for DNS
   list push 'dhcp-option WINS 192.168.1.1' # not needed, but helps when you want to use Samba inside ovpn
   list push 'dhcp-option DNS 8.8.8.8' # same DNS as on DHCP
   list push 'dhcp-option DNS 8.8.4.4' # same DNS as on DHCP

Thanks for your response.

Would you add this to the script that runs when the VPN starts? Wouldn’t you need to undo these changes when the VPN stops?

Wouldn’t it make sense to use the VPN provider’s DNS servers, rather than Google’s when the VPN is active to prevent DNS leaks?

If 8.8.8.8 is routed through the VPN…

Sorry for the nOOb question, but where do you add the list push commands?

There is a config file for OpenVPN: /etc/config/openvpn.
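
As an added example (not part of the thread and not any poster's or the Turris project's code), this Python script parses `list push` lines in the /etc/config/openvpn syntax posted above and reports, for the DNS-leak question raised in the thread, which pushed resolvers are third-party, which are reached through the tunnel, and which are listed twice. The function name `audit_push`, the section name `sample_server` and the rule used for "via tunnel" are assumptions; the sample input is constructed from the lines in the post.

```python
import ipaddress
import re

# Constructed sample: the push lines from the post above in UCI syntax.
# The section name 'sample_server' is a placeholder, not from the thread.
SAMPLE = """\
config openvpn 'sample_server'
   list push 'redirect-gateway def1'
   list push 'dhcp-option DNS 192.168.1.1'
   list push 'route 192.168.1.0 255.255.255.0'
   list push 'dhcp-option DNS 192.168.1.1'
   list push 'dhcp-option WINS 192.168.1.1'
   list push 'dhcp-option DNS 8.8.8.8'
   list push 'dhcp-option DNS 8.8.4.4'
"""

PUSH_RE = re.compile(r"""^\s*list\s+push\s+(['"])(.*?)\1""")


def audit_push(text):
    """Summarise the pushed DNS and route options of a UCI openvpn section."""
    full_tunnel, routes, dns = False, [], []
    for line in text.splitlines():
        m = PUSH_RE.match(line)
        words = m.group(2).split() if m else []
        if not words:
            continue
        if words[0] == "redirect-gateway":
            full_tunnel = True
        elif words[0] == "route" and len(words) >= 3:
            # "route <network> <netmask>"; only literal addresses are handled
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
            dns.append(ipaddress.ip_address(words[2]))
    report = {
        "full_tunnel": full_tunnel,
        "duplicates": sorted({str(a) for a in dns if dns.count(a) > 1}),
        "resolvers": {},
    }
    for addr in dict.fromkeys(dns):  # drop repeats, keep pushed order
        # Assumed rule: traffic to the resolver enters the tunnel if the
        # default route is redirected or a pushed route covers the address.
        via_tunnel = full_tunnel or any(addr in net for net in routes)
        report["resolvers"][str(addr)] = {
            "third_party": addr.is_global, "via_tunnel": via_tunnel}
    return report


if __name__ == "__main__":
    for key, value in audit_push(SAMPLE).items():
        print(key, value)
```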