Hello,
I've just set up an OpenVPN server so that I could access my Apache server (and later other services) with a secure authentication system. So my installation is the following:
- OpenVPN server (tun, 10.1.1.1:1194) with Apache listening on 10.1.1.1:60000.
- OpenVPN client (10.1.1.5) trying to access 10.1.1.1:60000.
- No iptable yet.
Everything should work smoothly... but doesn't. I can ping the server from the client, and I can ping the client from the server.
However, I can't reach Apache. Well, I can sometimes get a page, but it's extremely slow and random. Using telnet 10.1.1.1 60000 I can send a HEAD request which works, but a GET won't get through. I will see it in the Apache logs (GET /, 200), but the telnet will just be stuck displaying nothing, like it's stuck waiting for an answer. Sometimes however the GET will succeed (mostly with static pages). But obviously, I can't access 10.1.1.1:60000 in my browser (too slow, and will fail anyway 9 times out of 10). When Apache was reachable from the regular Internet, everything was working perfectly fine so it's not (only) an Apache issue.
Nothing appears in the logs (Apache or OpenVPN) and I'm quite confused about this. I know this is not strictly an OpenVPN problem but others might have encountered it.
Do you have any clue about what's going on and how to fix it?
Thanks!
Can't access Apache behind OpenVPN
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue May 15, 2012 3:12 pm
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Can't access Apache behind OpenVPN
depends a bit on your exact setup; for a UDP based setup, try adding
Code: Select all
fragment 1300
to both client and server configs to see if that helps.
For a TCP based setup you will have to play with the 'tun-mtu' value, which is a bit trickier for Windows clients. Again, start out with something like
Code: Select all
tun-mtu 1400
on both client and server
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Can't access Apache behind OpenVPN
hi there,
we need more info about your setup, like:
which distro are you using?
other services work? (e.g. ssh, ftp, smb)
apache binds on all interfaces?
please post output of iptables -L -v
please post output of iptables -L -v -t nat
please post server config
could be MTU issue...
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue May 15, 2012 3:12 pm
Re: Can't access Apache behind OpenVPN
That fragment parameter is quite amazing: it works now.
I had tried to play with the MTU, sending ping of different sizes, but nothing came out of it. I guess I did it wrong. Thank you!
Now is there a procedure to tune this parameter in order to get the best out of it?
maikcat: Ubuntu Server 12.04, ssh is the only service that I use and it's working fine. Apache is only listening on this private IP since I don't want the website to be reachable from the outside world. As I said, there is no iptables rule since I'm still configuring my server.
And here is the fresh-updated server config, extremely classic:
Code: Select all
port 1194
proto udp
fragment 1300
dev tun
ca /etc/ssl/certs/ca.pem
cert /etc/ssl/certs/ovpn.crt
key /etc/ssl/private/ovpn.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.1.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 8 50
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5
Again, thanks to both of you.
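One way to approach the tuning question asked in the last post, as an added example that is not part of the original thread: binary-search the largest ping payload that crosses the underlying path with Don't Fragment set, then derive a starting `fragment` value from it. The function names, the 500-1472 search range, the 20-byte headroom and the simulated probe are assumptions of this example; the probe uses Linux iputils `ping` and should target the server's public address, not the tunnel address 10.1.1.1.

```shell
#!/bin/sh
# Added example: measure the path MTU outside the tunnel and derive a
# starting value for OpenVPN's "fragment" directive (UDP setups).

# Real probe (Linux iputils ping): -M do sets Don't Fragment, -s is payload bytes.
probe() { ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1; }

# Constructed stand-in for offline runs: behaves like a path with MTU 1400
# (1400 - 20 IPv4 - 8 ICMP = 1372 payload bytes pass, larger ones are dropped).
sim_probe() { [ "$1" -le 1372 ]; }

# find_max_payload HOST LO HI [PROBE_FN]
# Prints the largest size in [LO,HI] that PROBE_FN accepts. The probe is a
# parameter so the search can be exercised without a network.
find_max_payload() (
    host=$1; lo=$2; hi=$3; fn=${4:-probe}
    # If even the smallest size fails, ICMP is filtered or the host is down.
    "$fn" "$lo" "$host" || { echo "no reply even at $lo bytes" >&2; exit 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # upper-biased midpoint, so lo always advances
        if "$fn" "$mid" "$host"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
)

# The IPv4 header (20) and ICMP header (8) sit on top of the ping payload.
path_mtu() { echo $(( $1 + 28 )); }

# Assumption: "fragment" counts the UDP payload of the encrypted packet, so the
# ceiling is path MTU minus IPv4 (20) and UDP (8) headers; $2 is extra headroom.
fragment_ceiling() { echo $(( $1 - 28 - ${2:-0} )); }

# Usage: ./mtu-probe.sh <server public address>
if [ "$#" -ge 1 ]; then
    payload=$(find_max_payload "$1" 500 1472) || exit 1
    mtu=$(path_mtu "$payload")
    echo "largest DF payload: $payload  path MTU: $mtu"
    echo "fragment $(fragment_ceiling "$mtu" 20)"
fi
```

The printed `fragment` line is a starting point to set on both client and server, as in the reply above. OpenVPN's own `mtu-test` directive takes a comparable measurement over the UDP link at connection start.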