[oconf] DNS, ssh, ping working but not http and IMAP

uegede
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 27, 2017 8:33 am

[oconf] DNS, ssh, ping working but not http and IMAP

Post by uegede » Thu Apr 27, 2017 8:58 am

I am trying to set up openvpn on a raspberry pi. I can connect, DNS works just fine and I can ssh both to the raspberry pi as well as to external hosts. However, http and IMAP are not working. As an example, if I try to reach a web page on the client, I see

~ % curl -v http://www.imperial.ac.uk
* Rebuilt URL to: http://www.imperial.ac.uk/
*   Trying 155.198.64.24...
* Connected to www.imperial.ac.uk (155.198.64.24) port 80 (#0)
> GET / HTTP/1.1
> Host: www.imperial.ac.uk
> User-Agent: curl/7.47.1
> Accept: */*
> 
-- hangs forever here --

On the server side I see

~# iptables -t nat -n -L -v
Chain PREROUTING (policy ACCEPT 964 packets, 143K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 108 packets, 16847 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 189 packets, 12920 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 189 packets, 12920 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  816  120K MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0           

where the number of packets goes up when I try to load a web page.

Running tcpdump on the server clearly shows that the request for the web page is seen, but I do not know what I should look for.

root@raspberrypi:~# tcpdump tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:22:45.924525 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 4079108791, ack 2225672104, win 229, options [nop,nop,TS val 272895250 ecr 2927495660], length 0
09:22:46.182715 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 272895509 ecr 2927495660], length 0
09:22:46.445961 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 272895773 ecr 2927495660], length 0
09:22:46.897818 IP raspberrypi.38050 > wrp.cc.gslb.ic.ac.uk.http: Flags [S], seq 2256951577, win 29200, options [mss 1340,sackOK,TS val 4131298087 ecr 0,nop,wscale 7], length 0
09:22:46.925098 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [S.], seq 4077472846, ack 2256951578, win 4020, options [mss 1418,nop,wscale 2,nop,nop,TS val 2927715379 ecr 4131298087,sackOK,eol], length 0
09:22:46.953980 IP raspberrypi.38050 > wrp.cc.gslb.ic.ac.uk.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4131298143 ecr 2927715379], length 0
09:22:46.955045 IP raspberrypi.38050 > wrp.cc.gslb.ic.ac.uk.http: Flags [P.], seq 1:83, ack 1, win 229, options [nop,nop,TS val 4131298143 ecr 2927715379], length 82: HTTP: GET / HTTP/1.1
09:22:46.982587 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [.], ack 83, win 1025, options [nop,nop,TS val 2927715437 ecr 4131298143], length 0
09:22:46.989700 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 272896317 ecr 2927495660], length 0
09:22:47.287800 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 1:1329, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP: HTTP/1.1 200 OK
09:22:47.288466 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 1329:2657, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.289236 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 2657:3985, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.289754 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 3985:5313, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.290467 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 5313:6641, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.291426 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 6641:7969, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.291939 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 7969:9297, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.292691 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 9297:10625, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.293427 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 10625:11953, ack 83, win 1025, options [nop,nop,TS val 2927715742 ecr 4131298143], length 1328: HTTP
09:22:47.293907 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 11953:13281, ack 83, win 1025, options [nop,nop,TS val 2927715743 ecr 4131298143], length 1328: HTTP
09:22:47.294675 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 13281:14609, ack 83, win 1025, options [nop,nop,TS val 2927715743 ecr 4131298143], length 1328: HTTP
09:22:47.295416 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 14609:15937, ack 83, win 1025, options [nop,nop,TS val 2927715743 ecr 4131298143], length 1328: HTTP
09:22:47.295872 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 15937:17265, ack 83, win 1025, options [nop,nop,TS val 2927715743 ecr 4131298143], length 1328: HTTP
09:22:47.296655 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 17265:18593, ack 83, win 1025, options [nop,nop,TS val 2927715743 ecr 4131298143], length 1328: HTTP
09:22:47.297405 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 18593:19921, ack 83, win 1025, options [nop,nop,TS val 2927715743 ecr 4131298143], length 1328: HTTP
09:22:47.297867 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [P.], seq 19921:21249, ack 83, win 1025, options [nop,nop,TS val 2927715743 ecr 4131298143], length 1328: HTTP
09:22:48.077616 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 272897405 ecr 2927495660], length 0
09:22:48.288047 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [.], seq 1:1329, ack 83, win 1025, options [nop,nop,TS val 2927716742 ecr 4131298143], length 1328: HTTP: HTTP/1.1 200 OK
09:22:50.190182 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 272899517 ecr 2927495660], length 0
09:22:50.288172 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [.], seq 1:1329, ack 83, win 1025, options [nop,nop,TS val 2927718742 ecr 4131298143], length 1328: HTTP: HTTP/1.1 200 OK
09:22:54.288167 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [.], seq 1:1329, ack 83, win 1025, options [nop,nop,TS val 2927722742 ecr 4131298143], length 1328: HTTP: HTTP/1.1 200 OK
09:22:54.542136 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 272903869 ecr 2927495660], length 0
09:23:01.392218 IP raspberrypi.38050 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 83, ack 1, win 229, options [nop,nop,TS val 4131312581 ecr 2927715437], length 0
09:23:01.418642 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [.], ack 84, win 1025, options [nop,nop,TS val 2927729873 ecr 4131312581], length 0
09:23:02.288289 IP wrp.cc.gslb.ic.ac.uk.http > raspberrypi.38050: Flags [.], seq 1:1329, ack 84, win 1025, options [nop,nop,TS val 2927730742 ecr 4131312581], length 1328: HTTP: HTTP/1.1 200 OK
09:23:03.246310 IP raspberrypi.37992 > wrp.cc.gslb.ic.ac.uk.http: Flags [F.], seq 0, ack 1, win 229, options [nop,nop,TS val 272912573 ecr 2927495660], length 0
^C
35 packets captured
37 packets received by filter
0 packets dropped by kernel

The server configuration is

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.0.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.17"
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

where the DNS is pointing to the Raspberry Pi itself. This doesn't seem to be the problem, as DNS is working just fine on the client.

The client configuration is

client
dev tun
proto udp
remote X 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1

The server is sitting behind a router at home with port 1194 forwarded. On the server, I can connect to web pages without any problem. On the server, the openvpn log states

Thu Apr 27 09:46:15 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Thu Apr 27 09:46:15 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Thu Apr 27 09:46:15 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Apr 27 09:46:15 2017 Control Channel Authentication: using '/etc/openvpn/easy-rsa/pki/ta.key' as a OpenVPN static key file
Thu Apr 27 09:46:15 2017 TUN/TAP device tun0 opened
Thu Apr 27 09:46:15 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 27 09:46:15 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu Apr 27 09:46:15 2017 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Thu Apr 27 09:46:15 2017 GID set to nogroup
Thu Apr 27 09:46:15 2017 UID set to nobody
Thu Apr 27 09:46:15 2017 UDPv4 link local (bound): [undef]
Thu Apr 27 09:46:15 2017 UDPv4 link remote: [undef]
Thu Apr 27 09:46:15 2017 Initialization Sequence Completed
Thu Apr 27 09:48:44 2017 146.X.X.X:35924 [X] Peer Connection Initiated with [AF_INET]146.X.X.X:35924
Thu Apr 27 09:48:44 2017 X/146.X.X.X:35924 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Thu Apr 27 09:48:46 2017 X/146.X.X.X:35924 send_push_reply(): safe_cap=940
Thu Apr 27 09:52:54 2017 X/146.X.X.X:35924 [egedelt] Inactivity timeout (--ping-restart), restarting

Any help would be much appreciated.

uegede
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 27, 2017 8:33 am

Re: [solved] DNS, ssh, ping working but not http and IMAP

Post by uegede » Fri Apr 28, 2017 6:05 pm

Worked out that the problem was that packets got dropped going from server to client. For an ssh connection the packets were small and the problem did not show up. It was fixed by setting

mssfix 1200

in both the server and client configuration. Not sure if it was required for the client.
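What to look for in a capture like the one in the first post, as an added example that is not from the thread: a small Python scanner over tcpdump's default TCP output that flags large data segments resent repeatedly while the peer's ack never advances past them. That is exactly the pattern above (the 1328-byte "200 OK" segment is resent at 09:22:48, 09:22:50, 09:22:54 and 09:23:02 while the client's ack stays at 1, and the 82-byte request got through), and it is the kind of loss that mssfix addresses. The hostnames and sample lines are constructed to mirror the thread's capture.

```python
import re
from collections import Counter, defaultdict

# tcpdump's default TCP line format: relative seq/ack after the handshake, "seq lo:hi" on data.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\]"
    r"(?:, seq (?P<lo>\d+)(?::(?P<hi>\d+))?)?(?:, ack (?P<ack>\d+))?.*?, length (?P<len>\d+)"
)

def parse_packet(line):
    """Return src, dst, data range, ack number and payload length, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "len": int(m["len"]),
            "seg": (int(m["lo"]), int(m["hi"])) if m["hi"] else None,
            "ack": int(m["ack"]) if m["ack"] else None}

def find_stuck_segments(lines, min_len=1000, min_repeats=3):
    """Data segments of at least min_len bytes sent min_repeats or more times while the peer's
    highest ack never reached their end: small packets pass, large ones loop (tunnel MTU)."""
    sent = Counter()                # (src, dst, (lo, hi)) -> times seen on the wire
    highest_ack = defaultdict(int)  # (acker, sender) -> highest ack number seen
    for line in lines:
        p = parse_packet(line)
        if p is None:
            continue
        if p["ack"] is not None:
            key = (p["src"], p["dst"])
            highest_ack[key] = max(highest_ack[key], p["ack"])
        if p["seg"] is not None:
            sent[(p["src"], p["dst"], p["seg"])] += 1
    stuck = []
    for (src, dst, (lo, hi)), n in sent.items():
        if n >= min_repeats and hi - lo >= min_len and highest_ack[(dst, src)] < hi:
            stuck.append((src, dst, (lo, hi), n))
    return sorted(stuck)

# Constructed sample modelled on the thread's capture (hostnames shortened, options elided).
SAMPLE_CAPTURE = """\
09:22:46.955045 IP rpi.38050 > web.http: Flags [P.], seq 1:83, ack 1, win 229, options [nop], length 82: HTTP: GET / HTTP/1.1
09:22:46.982587 IP web.http > rpi.38050: Flags [.], ack 83, win 1025, options [nop], length 0
09:22:47.287800 IP web.http > rpi.38050: Flags [P.], seq 1:1329, ack 83, win 1025, options [nop], length 1328: HTTP: HTTP/1.1 200 OK
09:22:47.288466 IP web.http > rpi.38050: Flags [P.], seq 1329:2657, ack 83, win 1025, options [nop], length 1328: HTTP
09:22:48.288047 IP web.http > rpi.38050: Flags [.], seq 1:1329, ack 83, win 1025, options [nop], length 1328: HTTP: HTTP/1.1 200 OK
09:22:50.288172 IP web.http > rpi.38050: Flags [.], seq 1:1329, ack 83, win 1025, options [nop], length 1328: HTTP: HTTP/1.1 200 OK
09:22:54.288167 IP web.http > rpi.38050: Flags [.], seq 1:1329, ack 83, win 1025, options [nop], length 1328: HTTP: HTTP/1.1 200 OK
09:23:01.392218 IP rpi.38050 > web.http: Flags [F.], seq 83, ack 1, win 229, options [nop], length 0
""".splitlines()
```

`find_stuck_segments(SAMPLE_CAPTURE)` reports the 1328-byte segment from web.http sent four times and never acked; feed it the lines of a saved `tcpdump tcp port 80` run instead. Note that mssfix only clamps the TCP MSS inside the tunnel, so non-TCP traffic larger than the tunnel MTU is not helped by it.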
