Everything works except HTTPS


Moderators: TinCanTech

zerogravitas
OpenVpn Newbie
Posts: 2
Joined: Wed Apr 26, 2017 7:16 pm

Everything works except HTTPS

Post by zerogravitas » Wed Apr 26, 2017 7:25 pm

Hi everybody, new to OpenVPN and I am stumped. I have been following guidance from around the Internet to try and set up the following.

Ubuntu 14.04 (virtual) server running the packaged openvpn and easy-rsa from the official repos.
Win10 client running the latest OpenVPN client GUI from the download pages here.

I have no firewall on the Ubuntu machine, just two very simple iptables rules to deal with forwarding. I am attempting to route traffic from tun0 through eth4 (the machine's only interface is called eth4 for historical reasons).

# Allow new forwarded connections from the VPN subnet out through eth4
iptables -I FORWARD -i tun0 -o eth4 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow return traffic for connections conntrack already knows about
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

This seems to be working after a fashion: I can see tun0 being created and that it is getting some traffic.

# ifconfig -a
eth4      Link encap:Ethernet  HWaddr 00:16:3e:53:98:94
          inet addr:192.168.1.108  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2a02:c7f:c211:7c00:216:3eff:fe53:9894/64 Scope:Global
          inet6 addr: fd9c:377:47de:0:216:3eff:fe53:9894/64 Scope:Global
          inet6 addr: fe80::216:3eff:fe53:9894/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21720 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21096 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7114192 (7.1 MB)  TX bytes:7668832 (7.6 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1009 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:325936 (325.9 KB)  TX bytes:325936 (325.9 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:9880 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12329 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1292827 (1.2 MB)  TX bytes:4099170 (4.0 MB)

When I connect the Windows client machine, all appears well - the status messages are all encouraging and everything seems to work. IMAP over SSL is fine, HTTP is fine, ssh is fine, looks good. However, as soon as I try to connect to anything over HTTPS, I get a connection reset message in my browser. Other applications that I know use HTTPS, such as Dropbox, also lose their connection when the VPN is turned on. The client side log looks like this.

Wed Apr 26 20:14:04 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
Wed Apr 26 20:14:04 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Apr 26 20:14:04 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Wed Apr 26 20:14:04 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Apr 26 20:14:04 2017 Need hold release from management interface, waiting...
Wed Apr 26 20:14:05 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Apr 26 20:14:05 2017 MANAGEMENT: CMD 'state on'
Wed Apr 26 20:14:05 2017 MANAGEMENT: CMD 'log all on'
Wed Apr 26 20:14:05 2017 MANAGEMENT: CMD 'echo all on'
Wed Apr 26 20:14:05 2017 MANAGEMENT: CMD 'hold off'
Wed Apr 26 20:14:05 2017 MANAGEMENT: CMD 'hold release'
Wed Apr 26 20:14:05 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Wed Apr 26 20:14:05 2017 MANAGEMENT: >STATE:1493234045,RESOLVE,,,,,,
Wed Apr 26 20:14:05 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]188.221.21.147:1194
Wed Apr 26 20:14:05 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Apr 26 20:14:05 2017 UDP link local: (not bound)
Wed Apr 26 20:14:05 2017 UDP link remote: [AF_INET]188.221.21.147:1194
Wed Apr 26 20:14:05 2017 MANAGEMENT: >STATE:1493234045,WAIT,,,,,,
Wed Apr 26 20:14:05 2017 MANAGEMENT: >STATE:1493234045,AUTH,,,,,,
Wed Apr 26 20:14:05 2017 TLS: Initial packet from [AF_INET]188.221.21.147:1194, sid=1f620c57 1457ed1a
Wed Apr 26 20:14:06 2017 VERIFY OK: depth=1, *REDACTED*
Wed Apr 26 20:14:06 2017 VERIFY OK: nsCertType=SERVER
Wed Apr 26 20:14:06 2017 VERIFY OK: depth=0, *REDACTED*
Wed Apr 26 20:14:06 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 26 20:14:06 2017 [jimbo.uk.to] Peer Connection Initiated with [AF_INET]188.221.21.147:1194
Wed Apr 26 20:14:07 2017 MANAGEMENT: >STATE:1493234047,GET_CONFIG,,,,,,
Wed Apr 26 20:14:07 2017 SENT CONTROL [*REDACTED*]: 'PUSH_REQUEST' (status=1)
Wed Apr 26 20:14:07 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Apr 26 20:14:07 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 26 20:14:07 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 26 20:14:07 2017 OPTIONS IMPORT: route options modified
Wed Apr 26 20:14:07 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 26 20:14:07 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 26 20:14:07 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 20:14:07 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 26 20:14:07 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 20:14:07 2017 interactive service msg_channel=596
Wed Apr 26 20:14:07 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=17 HWADDR=00:25:d3:7c:28:48
Wed Apr 26 20:14:07 2017 open_tun
Wed Apr 26 20:14:07 2017 TAP-WIN32 device [Ethernet] opened: \\.\Global\{1C86F609-7308-4239-83F4-B33DE6FC0A8B}.tap
Wed Apr 26 20:14:07 2017 TAP-Windows Driver Version 9.21 
Wed Apr 26 20:14:07 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {1C86F609-7308-4239-83F4-B33DE6FC0A8B} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Apr 26 20:14:07 2017 Successful ARP Flush on interface [7] {1C86F609-7308-4239-83F4-B33DE6FC0A8B}
Wed Apr 26 20:14:07 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Apr 26 20:14:07 2017 MANAGEMENT: >STATE:1493234047,ASSIGN_IP,,10.8.0.6,,,,
Wed Apr 26 20:14:12 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 188.221.21.147 MASK 255.255.255.255 192.168.1.1
Wed Apr 26 20:14:12 2017 Route addition via service succeeded
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Apr 26 20:14:12 2017 Route addition via service succeeded
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Apr 26 20:14:12 2017 Route addition via service succeeded
Wed Apr 26 20:14:12 2017 MANAGEMENT: >STATE:1493234052,ADD_ROUTES,,,,,,
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Apr 26 20:14:12 2017 Route addition via service succeeded
Wed Apr 26 20:14:12 2017 Initialization Sequence Completed
Wed Apr 26 20:14:12 2017 MANAGEMENT: >STATE:1493234052,CONNECTED,SUCCESS,10.8.0.6,188.221.21.147,1194,,

There is nothing especially alarming in /var/log/syslog at the server end and I can't work out why everything works apart from that one protocol. Any suggestions? HTTPS is pretty essential really!

:)
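The client log above, read by a small audit script, as an added example that is not part of the original post: it extracts the PUSH_REPLY options and the route.exe additions and checks what a `redirect-gateway def1` tunnel should leave behind: both /1 halves of the default route pointing at the tunnel peer (10.8.0.5 in this net30 setup), the VPN endpoint pinned through the LAN gateway so the encrypted UDP cannot loop back into the tunnel, and the pushed DNS servers. It also surfaces the two security-relevant lines the log already contains: the ns-cert-type deprecation warning and the SHA1 data-channel HMAC. SAMPLE_LOG is a subset of the log in the post; the function and key names are mine.

```python
"""Audit an OpenVPN 2.4 Windows client log for the state of a full tunnel.

Added example, not part of the original post. SAMPLE_LOG is a subset of the
client log in the post; function and key names are mine.
"""
import re

SAMPLE_LOG = r"""
Wed Apr 26 20:14:05 2017 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Wed Apr 26 20:14:05 2017 UDP link remote: [AF_INET]188.221.21.147:1194
Wed Apr 26 20:14:06 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 26 20:14:07 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Apr 26 20:14:07 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 188.221.21.147 MASK 255.255.255.255 192.168.1.1
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Apr 26 20:14:12 2017 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Apr 26 20:14:12 2017 Initialization Sequence Completed
"""

TS = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4} ")
PUSH = re.compile(r"PUSH: Received control message: '(.*)'")
ROUTE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
REMOTE = re.compile(r"link remote: \[AF_INET6?\](.+):(\d+)$")
CTRL = re.compile(r"Control Channel: (\S+), cipher (\S+)")
HMAC = re.compile(r"Using \d+ bit message hash '(\S+)' for HMAC")


def parse_push_reply(msg):
    """'PUSH_REPLY,a b,c d e' -> [('a', ['b']), ('c', ['d', 'e'])]."""
    fields = msg.split(",")
    if fields[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY: %r" % msg)
    return [(t[0], t[1:]) for t in (f.split() for f in fields[1:]) if t]


def audit_client_log(text):
    """Summarise routing, DNS and a few security-relevant lines from a client log."""
    pushed, routes, notes = [], {}, []
    remote = ctrl = hmac = None
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())          # drop the timestamp prefix
        m = PUSH.search(line)
        if m:
            pushed = parse_push_reply(m.group(1))
            continue
        m = ROUTE.search(line)
        if m:
            dest, mask, gw = m.groups()
            routes[(dest, mask)] = gw
            continue
        m = REMOTE.search(line)
        if m:
            remote = m.group(1)
            continue
        m = CTRL.search(line)
        if m:
            ctrl = m.groups()
            continue
        m = HMAC.search(line)
        if m:
            hmac = m.group(1)
            continue
        if "DEPRECATED" in line:
            notes.append(line)

    opts = {}                                   # pushed directive -> list of arg lists
    for name, args in pushed:
        opts.setdefault(name, []).append(args)
    peer = opts.get("ifconfig", [[None, None]])[0][1]   # net30: remote end of the /30
    redirect = "redirect-gateway" in opts and "def1" in opts["redirect-gateway"][0]
    # def1 overrides the default route with two /1 routes instead of replacing it
    halves = (routes.get(("0.0.0.0", "128.0.0.0")), routes.get(("128.0.0.0", "128.0.0.0")))
    full_tunnel = bool(redirect and peer is not None and halves == (peer, peer))
    # the VPN endpoint must stay reachable via the LAN gateway, not via the tunnel
    pinned_via = routes.get((remote, "255.255.255.255"))
    endpoint_pinned = pinned_via is not None and pinned_via != peer
    dns = [a[1] for a in opts.get("dhcp-option", []) if a[:1] == ["DNS"] and len(a) > 1]
    if hmac == "SHA1":
        notes.append("data-channel HMAC is SHA1 (OpenVPN default when 'auth' is unset)")
    if ctrl and ctrl[0] == "TLSv1":
        notes.append("control channel negotiated TLS 1.0 (%s)" % ctrl[1])
    return {"remote": remote, "peer": peer, "full_tunnel": full_tunnel,
            "endpoint_pinned": endpoint_pinned, "dns": dns,
            "routes": routes, "notes": notes}
```

For this log the audit reports a complete full tunnel with the endpoint pinned, i.e. the client-side routing state is what redirect-gateway def1 is supposed to produce, which fits the poster's observation that HTTP, SSH and IMAPS do pass. Two things a verb 3 client log cannot show: the server-side iptables in the post has FORWARD rules but no NAT rule (`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth4 -j MASQUERADE` is the usual one), so whether something downstream is translating 10.8.0.0/24 is not visible on the page; and the path MTU, which only shows up on the wire.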

zerogravitas
OpenVpn Newbie
Posts: 2
Joined: Wed Apr 26, 2017 7:16 pm

Re: Everything works except HTTPS

Post by zerogravitas » Wed Apr 26, 2017 7:37 pm

I am attempting to route all internet traffic through the VPN. My server side config looks like this.

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

And the client side looks like this. I have the certificates and the key embedded in the config file; I've chopped them out of this version for sharing, obviously.

client
dev tun
proto udp
remote *redacted* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
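The two configs above, run through a small linter, as an added example that is not code from the post or from the OpenVPN project: it flags what the client log in the first post already warns about (ns-cert-type deprecated in favour of remote-cert-tls; SHA1 as the default data-channel HMAC when no auth directive is set), the absence of tls-auth/tls-crypt on the control channel, and, as a heuristic only, the implicit mssfix on a full tunnel; it then emits hardened copies with the weak line removed and the replacements appended. SERVER_CONF and CLIENT_CONF reproduce the post's configs; ta.key, `auth SHA256` and `mssfix 1400` are my choices.

```python
"""Lint the OpenVPN server/client configs from the post and emit hardened copies.

Added example, not code from the post or the OpenVPN project. SERVER_CONF and
CLIENT_CONF reproduce the post's configs (certs omitted). ta.key, SHA256 and
mssfix 1400 are my choices; the mssfix hint is a heuristic, not a diagnosis.
"""

SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote *redacted* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
"""


def parse_conf(text):
    """directive -> list of argument lists; '#' comments dropped; push "a b" -> ['a', 'b']."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name == "push":
            args = " ".join(args).strip('"').split()
        conf.setdefault(name, []).append(args)
    return conf


def lint(server_text, client_text):
    """Findings: where/level/msg plus directives to drop and lines to add on that side."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []

    def add(where, level, msg, drop=(), lines=()):
        findings.append({"where": where, "level": level, "msg": msg,
                         "drop": list(drop), "add": list(lines)})

    # Client log in the post: "--ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead."
    if "ns-cert-type" in c:
        add("client", "warn", "ns-cert-type is deprecated; remote-cert-tls checks the server "
            "certificate's extended key usage", drop=["ns-cert-type"],
            lines=["remote-cert-tls server"])
    # Without tls-auth/tls-crypt anyone who can reach UDP/1194 can open a TLS handshake;
    # a pre-shared HMAC key lets the server drop such packets before TLS runs.
    if not any(k in s for k in ("tls-auth", "tls-crypt")):
        add("server", "warn", "control channel has no tls-auth/tls-crypt",
            lines=["tls-auth ta.key 0  # openvpn --genkey --secret ta.key (2.4 syntax)"])
        add("client", "warn", "needs the same key, opposite key-direction", lines=["tls-auth ta.key 1"])
    # Client log shows 'SHA1' for the data-channel HMAC: the default when auth is unset.
    if "auth" not in s:
        for side in ("server", "client"):
            add(side, "info", "auth unset (SHA1 HMAC); set it identically on both peers",
                lines=["auth SHA256"])
    # Heuristic, not a diagnosis: a full tunnel runs with OpenVPN's implicit mssfix 1450;
    # lowering it is the usual first test when only large-packet protocols fail.
    pushed = {a[0] for a in s.get("push", []) if a}
    if "redirect-gateway" in pushed and not any(k in s for k in ("mssfix", "fragment")):
        add("server", "info", "redirect-gateway pushed with implicit mssfix 1450", lines=["mssfix 1400"])
    return findings


def harden(text, findings, where):
    """Apply one side's findings: drop flagged directives, append the suggested lines."""
    drops = {d for f in findings if f["where"] == where for d in f["drop"]}
    adds = [l for f in findings if f["where"] == where for l in f["add"]]
    kept = [ln for ln in text.splitlines()
            if (ln.split("#", 1)[0].split()[:1] or [None])[0] not in drops]
    return "\n".join(kept + adds) + "\n"
```

auth and tls-auth are negotiated by nobody: each must be set on both peers together (a client with `auth SHA256` against a server still on the SHA1 default fails HMAC verification on every data packet), and ta.key is generated once on the server and copied to the client with the opposite key-direction. Running `lint` again on the hardened outputs returns no findings.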
