Sudden strange problems with OpenVPN
I'll cut straight to the chase: I'm situated in China, set up OpenVPN on Linode (Lenny) and everything worked fine until recently. Also I'm a complete novice on Linux; setting this up is the first time ever inside a Linux console.
Here's what's up:
I can connect as normal
Seconds after I connect, I can open Facebook (which is blocked in China) and everything seems fine
After some seconds, things are failing to load.
After some time, I can't load web pages at all.
What can be the reason for this?
I didn't change or do anything on the server
I tried to reboot my linode, no change in behaviour.
I tried restarting OpenVPN on the server
I've tried turning off IPv6 on my wireless adapter
I've tried adding Google DNS to my wireless adapter
I've tried doing an ipconfig /flushdns in the command line.
I've tried both TCP and UDP (on server/client). The logs here are when being on TCP.
I don't have auto updates enabled on Windows, and I didn't update anything
I've turned off the firewall in Windows, and it shouldn't be the router.
Anyone have any idea? Here are the logs and configs:
Linode OpenVPN was set up following
rc.local:
#!/bin/sh -e
#
# rc.local
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq restart
exit 0
server.conf (on my Linode)
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
;mute 20
OpenVPN config on Client (Windows 7)
client
dev tun
proto tcp
remote MYIPADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert olemarius.crt
key olemarius.key
comp-lzo
verb 3
OpenVPN client log when connecting (censored IP ;P )
Wed Jun 13 15:28:39 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Jun 13 15:28:39 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 13 15:28:39 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 13 15:28:39 2012 LZO compression initialized
Wed Jun 13 15:28:39 2012 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 13 15:28:39 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 13 15:28:39 2012 Data Channel MTU parms [ L:1544 D:1400 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 13 15:28:39 2012 Local Options hash (VER=V4): '69109d17'
Wed Jun 13 15:28:39 2012 Expected Remote Options hash (VER=V4): 'c0103fa8'
Wed Jun 13 15:28:39 2012 Attempting to establish TCP connection with {MY-IP-ADDRESS}:{MY-IP-ADDRESS}1194
Wed Jun 13 15:28:40 2012 TCP connection established with {MY-IP-ADDRESS}:1194
Wed Jun 13 15:28:40 2012 TCPv4_CLIENT link local: [undef]
Wed Jun 13 15:28:40 2012 TCPv4_CLIENT link remote: {MY-IP-ADDRESS}:1194
Wed Jun 13 15:28:41 2012 TLS: Initial packet from {MY-IP-ADDRESS}:1194, sid=5bdf87d5 0a946c73
Wed Jun 13 15:28:49 2012 VERIFY OK: depth=1, /C=CN/ST=BJ/L=Beijing/O=Bloc-AS/CN=Bloc-AS_CA/emailAddress=contact@bloc.no
Wed Jun 13 15:28:49 2012 VERIFY OK: depth=0, /C=CN/ST=BJ/L=Beijing/O=Bloc-AS/CN=server/emailAddress=contact@bloc.no
Wed Jun 13 15:29:06 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 13 15:29:06 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 13 15:29:06 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 13 15:29:06 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 13 15:29:06 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 13 15:29:06 2012 [server] Peer Connection Initiated with {MY-IP-ADDRESS}:1194
Wed Jun 13 15:29:09 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 13 15:29:10 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: route options modified
Wed Jun 13 15:29:10 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 13 15:29:10 2012 ROUTE default_gateway=192.168.1.1
Wed Jun 13 15:29:10 2012 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{FF3F7A3C-F7FB-4A34-9B83-7B32150055F9}.tap
Wed Jun 13 15:29:10 2012 TAP-Win32 Driver Version 9.9
Wed Jun 13 15:29:10 2012 TAP-Win32 MTU=1460
Wed Jun 13 15:29:10 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {FF3F7A3C-F7FB-4A34-9B83-7B32150055F9} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Wed Jun 13 15:29:10 2012 Successful ARP Flush on interface [31] {FF3F7A3C-F7FB-4A34-9B83-7B32150055F9}
Wed Jun 13 15:29:15 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD {MY-IP-ADDRESS} MASK 255.255.255.255 192.168.1.1
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.9
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.9
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.9
Wed Jun 13 15:29:15 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jun 13 15:29:15 2012 Route addition via IPAPI succeeded [adaptive]
Wed Jun 13 15:29:15 2012 Initialization Sequence Completed
Thanks a lot to anyone who can spot what's causing this. Let me know if you need any additional information.
1 Reply
I think you definitely want to use UDP instead of TCP. Doing TCP on the private network (10.8.0.0/24) inside of TCP over the Internet may be causing problems. Try setting "proto udp" on both the server and client, then restart the service on the Linode. Re-test it out and let us know if you see any change.
Another thing to check. When you are connected to the OpenVPN, go to a command prompt on your Windows machine, and type "nslookup facebook.com". It should list the DNS server as 10.8.0.1. If it isn't, then your DNS setup is not right…
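Following up on the DNS check in the reply above: an added Python helper, not from the original thread, that parses the PUSH_REPLY line of an OpenVPN client log to confirm which resolver and routes were pushed, and also flags the two security warnings the posted log already contains (no server certificate verification, and the BF-CBC data-channel cipher). The log excerpt is taken from the post above; remote-cert-tls and cipher are standard OpenVPN options.

```python
import re

# Excerpt of the client log posted above (placeholder IP kept as in the post).
SAMPLE_LOG = """\
Wed Jun 13 15:28:39 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 13 15:29:06 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 13 15:29:10 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Wed Jun 13 15:29:15 2012 Initialization Sequence Completed
"""

# The pushed options are a comma-separated list inside single quotes.
PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")


def parse_push_reply(log_text):
    """Map each pushed option name to a list of its argument lists
    (an option such as dhcp-option may be pushed more than once)."""
    m = PUSH_RE.search(log_text)
    opts = {}
    if not m:
        return opts
    for item in m.group(1).split(","):
        parts = item.split()
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def pushed_dns(opts):
    """Resolvers the server pushed via 'dhcp-option DNS <addr>'."""
    return [a[1] for a in opts.get("dhcp-option", []) if len(a) == 2 and a[0] == "DNS"]


def audit_client_log(log_text, expected_dns="10.8.0.1"):
    """Return findings; an empty list means the session matches what the configs intend."""
    findings = []
    opts = parse_push_reply(log_text)
    if "redirect-gateway" not in opts:
        findings.append("no redirect-gateway pushed: traffic will not use the tunnel")
    if expected_dns not in pushed_dns(opts):
        findings.append("pushed DNS does not include %s: nslookup will show another resolver" % expected_dns)
    if "No server certificate verification method" in log_text:
        findings.append("server certificate not verified: add 'remote-cert-tls server' to the client config")
    if "Cipher 'BF-CBC'" in log_text:
        findings.append("data channel uses BF-CBC (64-bit block cipher): set 'cipher AES-256-CBC' on both ends")
    if "Initialization Sequence Completed" not in log_text:
        findings.append("tunnel never completed initialization")
    return findings
```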