Sudden strange problems with OpenVPN

Hi,

I'll cut straight to the case: I'm situated in China, set up OpenVPN on Linode (Lenny) and everything worked fine until recently. Also I'm a complete novice on Linux; setting this up is the first time ever inside a Linux console.

Here's what's up:

  • I can connect as normal

  • Seconds after I connect, I can open facebook (which is blocked in China) and everything seems fine

  • After some seconds, things are failing to load.

  • After some time, I can't load web pages at all.

What can be the reason for this?

  • I didn't change or do anything on the server

  • I tried to reboot my linode, no change in behaviour.

  • I tried restarting the openvpn on the server

  • I've tried turning off IPv6 on my wireless adapter

  • I've tried adding google DNS to my wireless adapter

  • I've tried doing an ipconfig /flushdns in command line.

  • I've tried both TCP and UDP (on server/client). The logs here are when being on TCP.

  • I don't have auto updates enabled on Windows, and I didn't update anything

  • I've turned off Firewall in Windows, and it shouldn't be the router.

Anyone have any idea? Here's the logs and configs:

Linode OpenVPN was set up following

http://library.linode.com/networking/openvpn/debian-5-lenny

rc.local:

#!/bin/sh -e
#
# rc.local

# Allow replies to connections the VPN clients already opened
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from the OpenVPN subnet to be forwarded
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# Reject any other forwarded traffic
iptables -A FORWARD -j REJECT
# NAT the VPN subnet out through the public interface
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

/etc/init.d/dnsmasq restart

exit 0

server.conf (on my linode)

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
;mute 20

OpenVPN config on Client (Windows 7)

client
dev tun
proto tcp
remote MYIPADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert olemarius.crt
key olemarius.key
comp-lzo
verb 3

OpenVPN client log when connecting (censored IP ;P )

Wed Jun 13 15:28:39 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Jun 13 15:28:39 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 13 15:28:39 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 13 15:28:39 2012 LZO compression initialized
Wed Jun 13 15:28:39 2012 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 13 15:28:39 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 13 15:28:39 2012 Data Channel MTU parms [ L:1544 D:1400 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 13 15:28:39 2012 Local Options hash (VER=V4): '69109d17'
Wed Jun 13 15:28:39 2012 Expected Remote Options hash (VER=V4): 'c0103fa8'
Wed Jun 13 15:28:39 2012 Attempting to establish TCP connection with {MY-IP-ADDRESS}:{MY-IP-ADDRESS}1194
Wed Jun 13 15:28:40 2012 TCP connection established with {MY-IP-ADDRESS}:1194
Wed Jun 13 15:28:40 2012 TCPv4_CLIENT link local: [undef]
Wed Jun 13 15:28:40 2012 TCPv4_CLIENT link remote: {MY-IP-ADDRESS}:1194
Wed Jun 13 15:28:41 2012 TLS: Initial packet from {MY-IP-ADDRESS}:1194, sid=5bdf87d5 0a946c73
Wed Jun 13 15:28:49 2012 VERIFY OK: depth=1, /C=CN/ST=BJ/L=Beijing/O=Bloc-AS/CN=Bloc-AS_CA/emailAddress=contact@bloc.no
Wed Jun 13 15:28:49 2012 VERIFY OK: depth=0, /C=CN/ST=BJ/L=Beijing/O=Bloc-AS/CN=server/emailAddress=contact@bloc.no
Wed Jun 13 15:29:06 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 13 15:29:06 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 13 15:29:06 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 13 15:29:06 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 13 15:29:06 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 13 15:29:06 2012 [server] Peer Connection Initiated with {MY-IP-ADDRESS}:1194
Wed Jun 13 15:29:09 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 13 15:29:10 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: route options modified
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 13 15:29:10 2012 ROUTE default_gateway=192.168.1.1
Wed Jun 13 15:29:10 2012 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{FF3F7A3C-F7FB-4A34-9B83-7B32150055F9}.tap
Wed Jun 13 15:29:10 2012 TAP-Win32 Driver Version 9.9 
Wed Jun 13 15:29:10 2012 TAP-Win32 MTU=1460
Wed Jun 13 15:29:10 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {FF3F7A3C-F7FB-4A34-9B83-7B32150055F9} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Wed Jun 13 15:29:10 2012 Successful ARP Flush on interface [31] {FF3F7A3C-F7FB-4A34-9B83-7B32150055F9}
Wed Jun 13 15:29:15 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD {MY-IP-ADDRESS} MASK 255.255.255.255 192.168.1.1
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.9
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.9
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.9
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 Initialization Sequence Completed

Thanks a lot to anyone who can spot out what's causing this. Let me know if you need any additional information.

1 Reply

Ole,

I think you definitely want to use UDP instead of TCP. Doing TCP on the private network (10.8.0.0/24) inside of TCP over the Internet may be causing problems. Try setting "proto udp" on both the server and client, then restart the service on the Linode. Re-test it out and let us know if you see any change.

Another thing to check. When you are connected to the OpenVPN, go to a command prompt on your Windows machine, and type "nslookup facebook.com". It should list the DNS server as 10.8.0.1. If it isn't, then your DNS setup is not right…
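The client log in the original post and the two checks in the reply (TCP-over-TCP, and whether the pushed DNS server is 10.8.0.1) can be run mechanically. The script below is an added example, not code from the post or from Linode; it parses a constructed excerpt of the verb-3 client log quoted above and reports the points a reviewer of this thread would raise, including the "No server certificate verification method" warning that the log itself prints.

```python
# Constructed excerpt of the OpenVPN 2.2 client log quoted in the post above
# (timestamps and the censored server IP kept as in the original).
SAMPLE_LOG = """\
Wed Jun 13 15:28:39 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 13 15:28:40 2012 TCP connection established with {MY-IP-ADDRESS}:1194
Wed Jun 13 15:29:06 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 13 15:29:10 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Wed Jun 13 15:29:15 2012 Initialization Sequence Completed
"""

import re

def parse_client_log(text):
    """Pull the few facts worth checking out of a verb-3 OpenVPN client log."""
    info = {"proto": None, "server_cert_check": True, "cipher": None,
            "pushed_dns": [], "redirect_gateway": False, "init_completed": False}
    for line in text.splitlines():
        if "No server certificate verification method" in line:
            info["server_cert_check"] = False
        elif "TCP connection established" in line or "TCPv4_CLIENT link" in line:
            info["proto"] = "tcp"
        elif "UDPv4 link" in line:
            info["proto"] = "udp"
        m = re.search(r"Data Channel Encrypt: Cipher '([^']+)'", line)
        if m:
            info["cipher"] = m.group(1)
        m = re.search(r"PUSH_REPLY,(.*)'", line)
        if m:  # the server's pushed options, comma separated
            opts = m.group(1).split(",")
            info["pushed_dns"] = [o.split()[2] for o in opts if o.startswith("dhcp-option DNS ")]
            info["redirect_gateway"] = any(o.startswith("redirect-gateway") for o in opts)
        if "Initialization Sequence Completed" in line:
            info["init_completed"] = True
    return info

def findings(info, expected_dns="10.8.0.1"):
    """Turn the parsed facts into the checks raised in the reply plus the log's own warning."""
    out = []
    if info["proto"] == "tcp":
        out.append("proto tcp: TCP-over-TCP tunnel; set 'proto udp' on server and client")
    if not info["server_cert_check"]:
        out.append("client does not verify the server certificate; add 'remote-cert-tls server' to the client config")
    if info["cipher"] == "BF-CBC":
        out.append("BF-CBC is a 64-bit block cipher; prefer 'cipher AES-256-CBC' on both sides")
    if info["redirect_gateway"] and expected_dns not in info["pushed_dns"]:
        out.append(f"full tunnel but DNS {expected_dns} was not pushed; nslookup will not use the VPN resolver")
    if not info["init_completed"]:
        out.append("tunnel never reached 'Initialization Sequence Completed'")
    return out
```

Running `findings(parse_client_log(SAMPLE_LOG))` on the excerpt reports the TCP transport, the missing server-certificate check and the BF-CBC cipher, while the pushed DNS server matches what the reply expects.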
