[resolved] Can Connect a Client but Cannot Access Web Pages

Peter B
OpenVpn Newbie
Posts: 5
Joined: Mon Dec 19, 2011 10:13 am

Post by Peter B » Mon Dec 19, 2011 12:02 pm

Hi

I run OpenVPN AS on a VPS server in the UK – with a static IP.

The server works fine. I connect from a Windows XP OpenVPN client, through a wireless connection to a BT Home Hub router and BT broadband (dynamic IP). Traffic passes through the VPN and webpages do report that my public IP is the VPN server’s IP.

The problem is that a friend in Spain can no longer use the VPN service. Previously he could use the VPN. He can connect from the OpenVPN client on his Windows XP and his connection appears in the VPN server’s openvpnas log. But he cannot access the web through the VPN. The only main change to his setup that I know is that he now uses Telefonica/Movistar Broadband (dynamic IP) through a wireless connection to a Zyxel P660HW-B1A router. The OpenVPN server was migrated earlier this year to a new VPS server and, at that point, I modified the IPtables. He has not been able to connect since then, but he had not tried the connection for a few months before that and so it is difficult to pinpoint the possible cause. Given that I can still use the VPN from UK, it seems that his problem is more likely a result of changing his ISP and/or router.

When he attempts to access a webpage he gets a standard browser message about cannot connect to web page. Of course, he can use the web direct – without the VPN.

We both use the same client ovpn config file.

Comparison of the IPconfig on client machines.
To me, the only noticeable difference is in the wireless connection, DNS IP.
In the UK: DNS Servers . . . . . . . . . . . : 192.168.1.254
In Spain: DNS Servers . . . . . . . . . . . : 80.58.61.250
80.58.61.254
These are Telefonica DNS Servers.

Part of my IPconfig in UK

Windows IP Configuration

Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Wireless Network Connection 3:

Description . . . . . . . . . . . : Broadcom 802.11a/b/g WLAN
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.65
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 5.5.0.50
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 5.5.0.1
DHCP Server . . . . . . . . . . . : 5.5.15.254
DNS Servers . . . . . . . . . . . : 194.0.252.231
194.0.252.16

Part of IPconfig in Spain

Windows IP Configuration

Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TP-LINK 11b/g Wireless Adapter
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . : 192.168.1.99
DHCP Server . . . . . . . . . . : 192.168.1.99
DNS Servers . . . . . . . . . . . : 80.58.61.250
80.58.61.254

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter OAS
Physical Address. . . . . . . . . : 00-FF-29-76-11-22
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 5.5.0.54
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 5.5.0.1
DHCP Server . . . . . . . . . . . : 5.5.15.254
DNS Servers . . . . . . . . . . . : 194.0.252.231
194.0.252.16


Any help gratefully appreciated. Peter

Mimiko
Forum Team
Posts: 1568
Joined: Wed Sep 22, 2010 3:18 am

Re: Can Connect a Client but Cannot Access Web Pages

Post by Mimiko » Tue Dec 20, 2011 6:06 am

Most likely the ISP DNS servers are not accessible after VPN connection. Use

push "route 80.58.61.0 255.255.255.0 net_gateway"
to disable accessing ISP network thru the tunnel.
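
How the pushed route changes the path to each resolver, worked through as longest-prefix matching. This is an added example, not part of the original post; it assumes the server redirects the client's default route into the tunnel (modelled here as a single default route) and uses the addresses quoted in the thread.

```python
import ipaddress

# Resolver addresses quoted in the thread's ipconfig output.
ISP_DNS = ["80.58.61.250", "80.58.61.254"]      # Telefonica, on the Wi-Fi adapter
VPN_DNS = ["194.0.252.231", "194.0.252.16"]     # on the TAP adapter
PUSHED = ['push "route 80.58.61.0 255.255.255.0 net_gateway"']


def parse_route(directive):
    """Parse `route net [mask] [gw]`, optionally wrapped in push "...", into (network, gateway)."""
    text = directive.strip()
    if text.startswith("push"):
        text = text[len("push"):].strip().strip('"')
    parts = text.split()
    if len(parts) < 2 or parts[0] != "route":
        raise ValueError(f"not a route directive: {directive!r}")
    # OpenVPN defaults: netmask 255.255.255.255, gateway = the VPN gateway.
    mask = parts[2] if len(parts) > 2 and parts[2] != "default" else "255.255.255.255"
    gateway = parts[3] if len(parts) > 3 and parts[3] != "default" else "vpn_gateway"
    return ipaddress.ip_network(f"{parts[1]}/{mask}"), gateway


def egress(dst, routes):
    """Longest-prefix match: gateway of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matching = [(net, gw) for net, gw in routes if addr in net]
    return max(matching, key=lambda r: r[0].prefixlen)[1]


def dns_paths(dns_servers, pushed, lan="192.168.1.0/24"):
    """Map each resolver to the path its queries take once the tunnel is up."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "vpn_gateway"),  # assumed redirected default
        (ipaddress.ip_network(lan), "on-link"),               # client's own LAN
    ]
    routes += [parse_route(d) for d in pushed]
    return {ip: egress(ip, routes) for ip in dns_servers}


if __name__ == "__main__":
    for label, pushed in (("before push", []), ("after push", PUSHED)):
        print(label, dns_paths(ISP_DNS + VPN_DNS + ["192.168.1.254"], pushed))
```

With the route pushed, queries to the Telefonica resolvers leave via the local gateway rather than the tunnel, while the resolvers assigned to the TAP adapter stay inside it.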


Re: Can Connect a Client but Cannot Access Web Pages

Post by Peter B » Tue Dec 20, 2011 3:44 pm

Thanks Mimiko. I’ve added that push and am now waiting for report back from Spain. Will then report back here.

In the meantime, I received the client log yesterday from Spain and compared with my own client log. Cannot spot any significant difference but both logs contain the same errors, which I include here just in case they are relevant.

Spain:
Mon Dec 19 20:21:46 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.1.1jOAS)
Mon Dec 19 14:10:46 2011 NOTE: Release of DHCP-assigned IP address lease on TAP-Win32 adapter failed: The system cannot find the file specified. (code=2)
Mon Dec 19 20:21:47 2011 WARNING: Failed to renew DHCP IP address lease on TAP-Win32 adapter: The system cannot find the file specified. (code=2)

UK:
Mon Dec 19 14:10:45 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.1.1)
Mon Dec 19 14:10:46 2011 NOTE: Release of DHCP-assigned IP address lease on TAP-Win32 adapter failed: The system cannot find the file specified. (code=2)
Mon Dec 19 14:10:46 2011 WARNING: Failed to renew DHCP IP address lease on TAP-Win32 adapter: The system cannot find the file specified. (code=2)

I understand that the “Unrecognized option or missing parameter(s)” message can be safely ignored. Perhaps the same is true of “Release of DHCP-assigned IP address lease on TAP-Win32 adapter failed”. Given that both warnings are present in both client logs, I guess that they are not relevant.


Re: Can Connect a Client but Cannot Access Web Pages

Post by Peter B » Tue Dec 20, 2011 7:10 pm

Mimiko wrote:
Most likely the ISP DNS servers is not accessible after VPN connection. Use
push "route 80.58.61.0 255.255.255.0 net_gateway"
to disable accessing ISP network thru the tunnel.
That has not fixed the problem. The client in Spain still cannot access web pages through the VPN. However, it does seem to be a DNS problem. When the OpenVPN client is connected, a web page can be accessed by entering the IP address of the web page in the browser. The whole web page is not displayed correctly - presumably because some of the content is derived from other domains.


Re: Can Connect a Client but Cannot Access Web Pages

Post by Peter B » Wed Dec 21, 2011 1:31 am

In the previous post I stated
That has not fixed the problem.
referring to the push "route 80.58.61.0 255.255.255.0 net_gateway"

But - I was not sure where to place that command and decided on the as.conf file. I hope I've now got it right - using the Access Server under Config Directives to insert it. Have checked that the command now shows using /usr/local/openvpn_as/scripts ./confdba --show :
"vpn.server.config_text": "push \"route 80.58.61.0 255.255.255.0 net_gateway\"\n"

Tomorrow I'll find out if it worked.


Re: Can Connect a Client but Cannot Access Web Pages

Post by Mimiko » Wed Dec 21, 2011 6:15 am

Usually additional options are set in the administration page of the AS.


Re: Can Connect a Client but Cannot Access Web Pages

Post by Peter B » Wed Dec 21, 2011 9:52 am

Thanks Mimiko. It works now.
