Website not working after connecting to a vpn server?

[highend]

Hi,

I'm a user of VPN4All and I don't use their client but OpenVPN portable (latest version with the TAP drivers (x64) from the current stable release of OpenVPN).

Whenever I connect to any of their servers (either via udp or tcp) this website is not working as it should:
http://www.wowhead.com

It has a lot of menu entries that are not displayed regardless how often I refresh that page, click on a link and use the go back button of the browser.

I tried that with Chrome v14 and v15 (stable), IE 8 (standard installation of Windows 7 Ultimate, x64, german), Firefox 7 and Opera (current stable). Before I visit this site I clear the browser cache, cookies, etc.

I don't use any! additional security software (Antivirus, Security Software, Firewall, etc.) beside the integrated Win 7 firewall and (outgoing traffic is allowed by default so there aren't any entries for any browser). This is a clean Windows image (captured right after installing it and the OpenVPN portable client driver) and I restore it every day.

When I disconnect from the vpn server, start any of the above browsers, clear the cache + cookies and call http://www.wowhead.com ... it works flawlessly so this is definitely a problem with a (general) vpn connection.

OpenVPN (portable) itself is not the problem because I already made a new clean install of Windows and installed only their vpn connection software to test if I get any different results.

Don't know if this is really important but this is my config file for one of their vpn servers (the config files are the same, only the ip is different).

Code: Select all

client
proto udp
remote <ip scrambled> 1984
dev tun
ca ./vpn4all_keys/truevpn.crt
auth-user-pass ./vpn4all_keys/vpn4all_pass.txt
comp-lzo
cipher AES-256-CBC
redirect-gateway def1
script-security 2
keepalive 5 30
nobind
verb 1

Can any of the parameters have such an effect, that this website doesn't display properly?

I haven't discovery any other websites so far that weren't rendered correctly (and I use vpn connections from them for about one month now).

I have contacted their support regarding this issue but it wasn't really helpful so far so maybe someone here has a clue why this is happening?

I have made two screenshots.

a.) Captured from a Chrome tab when not connected to a vpn
b.) Captured from a Chrome tab again when connected to a vpn (doesn't matter which one)

a.)



b.)



Thanks for any input,
highend

[janjust]

interesting concept that a website might be displayed differently if you're using a VPN: just tested it here on win 7 64bit using openvpn 2.2 and it worked fine.

Most likely you're looking at a MTU issue - if you're using UDP mode then add

Code: Select all

fragment 1300

to both client and server configs and restart.

Also, are you sure things like large downloads work OK?

[highend]

interesting concept that a website might be displayed differently if you're using a VPN

It's not a concept, just the observation

Most likely you're looking at a MTU issue - if you're using UDP mode then add

I'll give that a try. Only for the client config, I have no control over the server configs.

Also, are you sure things like large downloads work OK?

Absolutely, yes. Haven't had a single problems with files from 50 to 5000MB.

[highend]

After adding the fragment 1300 to the config file and initiating the connection it will drop it after about 30 seconds later.

Log:

Code: Select all

Wed Oct 26 15:45:55 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 14 2010
Wed Oct 26 15:45:55 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 26 15:45:55 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 26 15:45:55 2011 LZO compression initialized
Wed Oct 26 15:45:55 2011 UDPv4 link local: [undef]
Wed Oct 26 15:45:55 2011 UDPv4 link remote: <ip>:1984
Wed Oct 26 15:45:55 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 26 15:45:55 2011 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1562', remote='link-mtu 1518'
Wed Oct 26 15:45:55 2011 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1460'
Wed Oct 26 15:45:55 2011 WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
Wed Oct 26 15:45:55 2011 [truevpn.com] Peer Connection Initiated with <ip>:1984
Wed Oct 26 15:45:58 2011 TAP-WIN32 device [VPN Adapter] opened: \\.\Global\{8A4A214D-E0B7-4659-AFDD-9BC8BB240D08}.tap
Wed Oct 26 15:45:58 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.9.58/255.255.255.252 on interface {8A4A214D-E0B7-4659-AFDD-9BC8BB240D08} [DHCP-serv: 10.8.9.57, lease-time: 31536000]
Wed Oct 26 15:45:58 2011 Successful ARP Flush on interface [16] {8A4A214D-E0B7-4659-AFDD-9BC8BB240D08}
Wed Oct 26 15:45:58 2011 D:\Users\Highend\Tools\OpenVPN\data\config\VPN4All\scripts\up.bat VPN Adapter 1500 1562 10.8.9.58 10.8.9.57 init
Wed Oct 26 15:46:03 2011 Initialization Sequence Completed
Wed Oct 26 15:46:08 2011 FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Wed Oct 26 15:46:18 2011 FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented
Wed Oct 26 15:46:28 2011 [truevpn.com] Inactivity timeout (--ping-restart), restarting
Wed Oct 26 15:46:28 2011 D:\Users\Highend\Tools\OpenVPN\data\config\VPN4All\scripts\down.bat VPN Adapter 1500 1562 10.8.9.58 10.8.9.57 init
Wed Oct 26 15:46:30 2011 SIGUSR1[soft,ping-restart] received, process restarting

So, should I remove the "fragment 1300"
and insert:

link-mtu 1518
tun-mtu 1460

instead (because of the entries in the log file)?

Regards,
highend

[janjust]

nope, the issue is that you need to set the fragment parameter on both ends... as you have no control over the server end you have a serious problem there.

If large file downloads work then the issue is most likely NOT the mtu, but something else... it might even be a matter of that particular site blocking your VPN provider!

Set

Code: Select all

verb 5

in the client config file, reconnect and go to the site again; watch for anything out of the ordinary in the openvpn client log file.

[highend]

it might even be a matter of that particular site blocking your VPN provider!

I asked that before I bought the first month. According to their technical department they aren't blocking any sites at all nor do they use special filters (apart from p2p things for defined servers).

in the client config file, reconnect and go to the site again; watch for anything out of the ordinary in the openvpn client log file.

The only interesting thing I can see is this (these are the last lines in the current log file):

(these are the last few lines before these WRRWW... entries are displayed):

Code: Select all

Wed Oct 26 16:32:58 2011 us=658000 C:\WINDOWS\system32\route.exe ADD 10.8.8.1 MASK 255.255.255.255 10.8.9.57
Wed Oct 26 16:32:58 2011 us=658000 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Oct 26 16:32:58 2011 us=658000 Route addition via IPAPI succeeded [adaptive]
Wed Oct 26 16:32:58 2011 us=658000 Initialization Sequence Completed

and then:

Code: Select all

WRRWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWRRWRWRWWWWRWRRRRWRW...

[janjust]

that looks perferctly ordinary...
hmm it's odd that it's just this single site - have you contacted the wow site or the VPN admins?

[highend]

hmm it's odd that it's just this single site - have you contacted the wow site or the VPN admins?

Regarding the admins of the website: no

It works without a vpn and so far I haven't found any reports that their site is not working correctly.

Regarding the VPN admins: yes

I have an open ticket regarding this issue. They've offered me a TeamViewer connection to investigate the problem. I'll use this ofc, but I don't think they will find anything usefull

I'll report back when this has been completed.

[highend]

Had the Teamviewer session...

They can confirm this weird behavior but after a few pings, tracerts, route prints and changing a few .ovpn options for the client config file (route-method exe, mssfix 1200 and tun-mtu 1460)
they weren't able to find out why this is happening. Will get another Teamviewer session tomorrow but I don't think they'll find the issue

Regards,
highend

[janjust]

the 'tun-mtu' won't do mucn on a windows client as you also need to modify the adapter setting itself, which OpenVPN cannot do. this can be done using a NETSH.EXE command (Vista/7) or it requires a registry change (XP).

further troubleshooting tips:
- have them check that the website IS viewable from the server itself, i.e. have them connect internally via the VPN server and then watch the site; could be an issue between VPN server and site, not between your client and the VPN server.

- have them set up a second VPN instance with

Code: Select all

fragment 1200
mssfix 1200

in it and update your client config to match .

PS You can also tell them to buy my book