Can't access Apache behind OpenVPN

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

bbbb
OpenVpn Newbie
Posts: 2
Joined: Tue May 15, 2012 3:12 pm

Can't access Apache behind OpenVPN

Post by bbbb » Tue May 15, 2012 3:26 pm

Hello,

I've just set up an OpenVPN server so that I could access my Apache server (and later other services) with a secure authentication system. So my installation is the following:

- OpenVPN server (tun, 10.1.1.1:1194) with Apache listening on 10.1.1.1:60000.
- OpenVPN client (10.1.1.5) trying to access 10.1.1.1:60000.
- No iptable yet.

Everything should work smoothly... but doesn't. I can ping the server from the client, and I can ping the client from the server.
However, I can't reach Apache. Well, I can sometimes get a page, but it's extremely slow and random. Using telnet 10.1.1.1 60000 I can send a HEAD request which works, but a GET won't get through. I will see it in the Apache logs (GET /, 200), but the telnet will just be stuck displaying nothing, like it's stuck waiting for an answer. Sometimes however the GET will succeed (mostly with static pages). But obviously, I can't access 10.1.1.1:60000 in my browser (too slow, and will fail anyway 9 times out of 10). When Apache was reachable from the regular Internet, everything was working perfectly fine so it's not (only) an Apache issue.

Nothing appears in the logs (Apache or OpenVPN) and I'm quite confused about this. I know this is not strictly an OpenVPN problem but others might have encountered it.

Do you have any clue about what's going on and how to fix it?

Thanks!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Can't access Apache behind OpenVPN

Post by janjust » Wed May 16, 2012 8:24 am

depends a bit on your exact setup; for a UDP based setup, try adding

Code:

fragment 1300

to both client and server configs to see if that helps.
For a TCP based setup you will have to play with the 'tun-mtu' value, which is a bit trickier for Windows clients. Again, start out with something like

Code:

tun-mtu 1400

on both client and server

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Can't access Apache behind OpenVPN

Post by maikcat » Wed May 16, 2012 8:26 am

hi there,

we need more info about your setup, like:

which distro are you using?
other services work? (f.e. ssh, ftp, smb)
apache binds on all interfaces?
please post output of iptables -L -v
please post output of iptables -L -v -t nat
please post server config

could be MTU issue...

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

bbbb
OpenVpn Newbie
Posts: 2
Joined: Tue May 15, 2012 3:12 pm

Re: Can't access Apache behind OpenVPN

Post by bbbb » Wed May 16, 2012 9:00 pm

That fragment parameter is quite amazing: it works now.

I had tried to play with the MTU, sending ping of different sizes, but nothing came out of it. I guess I did it wrong. Thank you!

Now is there a procedure to tune this parameter in order to get the best out of it?

maikcat: Ubuntu Server 12.04, ssh is the only service that I use and it's working fine. Apache is only listening on this private IP since I don't want the website to be reachable from the outside world. As I said there is no iptable rule since I'm still configuring my server ;-)
And here is the freshly updated server config, extremely classic:

Code:

port 1194
proto udp
fragment 1300
dev tun
ca /etc/ssl/certs/ca.pem
cert /etc/ssl/certs/ovpn.crt
key /etc/ssl/private/ovpn.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.1.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 8 50
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5

Again, thanks to both of you.
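
An added example, not part of any post in this thread: one way to run the "pings of different sizes" test systematically, by binary-searching for the largest ICMP payload that reaches the server's public address with Don't Fragment set. It assumes IPv4 and Linux iputils `ping`; the function names, the simulated probe and the address 203.0.113.10 are constructed for illustration. Because the OpenVPN manual describes the `fragment` value as the UDP datagram size excluding the UDP header, and ICMP and UDP headers are both 8 bytes, the payload found is an upper bound for that value.

```shell
#!/bin/sh
# Find the largest ICMP payload that crosses the path unfragmented (IPv4).
# Probe the server's public address, i.e. outside the tunnel.

# Real probe: Linux iputils ping. -M do sets Don't Fragment, -s is payload bytes.
# A single lost packet reads as "too big", so repeat a run before trusting it.
probe_ping() {  # $1 = host, $2 = payload size
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-in for offline runs: pretends the path MTU is 1400,
# so payloads above 1400 - 28 = 1372 bytes are dropped.
probe_simulated() {  # $1 = host (ignored), $2 = payload size
    [ "$2" -le 1372 ]
}

# Binary search between lo and hi for the largest size the probe accepts.
# Prints that size; returns 1 if even lo fails (host down or ICMP filtered).
max_df_payload() {  # $1 = probe function, $2 = host, $3 = lo, $4 = hi
    probe=$1 host=$2 lo=$3 hi=$4
    "$probe" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# The IPv4 header (20 bytes) and ICMP header (8 bytes) sit on top of the payload.
path_mtu_from_payload() {  # $1 = largest payload that passed
    echo $(( $1 + 28 ))
}

# Offline run with the simulated probe (203.0.113.10 is a documentation address).
payload=$(max_df_payload probe_simulated 203.0.113.10 500 1472)
echo "largest DF payload: $payload, path MTU: $(path_mtu_from_payload "$payload")"
# Against a real server: max_df_payload probe_ping <server public IP> 500 1472
```
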
