ext_user
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Aug 20, 2013 8:55 pm
by ext_user » Tue Aug 20, 2013 9:12 pm
Hello guys!
I've installed OpenVPN server on a VDS and two clients: one on my Android phone and one on my home computer running win7 64. VPN on the phone works fine, but when I establish a connection from the desktop, I can't open any webpages. What confuses me most is - I can access the webhosts via telnet 80, I get a response when I ping them (using any packet length), but they don't open in any browser (neither using domain name nor IP address). I've already tried disabling firewall and antivirus, it doesn't help. Take a look please. I'd appreciate any help from you.
Client config
remote 213.211.150.167 1127
client
dev tun
ping 10
comp-lzo
proto udp
tls-client
remote-cert-tls server
pkcs12 vpn.windows_tls.p12
verb 3
pull
tls-auth ta.key 1
Server config
local 213.211.150.167
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
tls-auth ta.key 0
port 1127
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
;log-append openvpn.log
verb 9
;mute 20
Connect log:
c:\Program Files\OpenVPN\config>"c:\Program Files\OpenVPN\bin\openvpn.exe" --config "c:\Program Files\OpenVPN\config\myconf.ovpn"
Wed Aug 21 00:46:01 2013 OpenVPN 2.3_beta1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Sep 21 2012
Wed Aug 21 00:46:01 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Aug 21 00:46:05 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug 21 00:46:05 2013 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Aug 21 00:46:05 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 21 00:46:05 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 21 00:46:05 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 21 00:46:05 2013 UDPv4 link local (bound): [undef]
Wed Aug 21 00:46:05 2013 UDPv4 link remote: [AF_INET]213.211.150.167:1127
Wed Aug 21 00:46:05 2013 TLS: Initial packet from [AF_INET]213.211.150.167:1127, sid=ade1fe4e 68fc7f48
Wed Aug 21 00:46:05 2013 VERIFY OK: depth=1, C=RU, ST=RU, L=Moscow, O=Myorg, CN=Myorg CA, emailAddress=me@myhost.mydomain
Wed Aug 21 00:46:05 2013 Validating certificate key usage
Wed Aug 21 00:46:05 2013 ++ Certificate has key usage 00a0, expects 00a0
Wed Aug 21 00:46:05 2013 VERIFY KU OK
Wed Aug 21 00:46:05 2013 Validating certificate extended key usage
Wed Aug 21 00:46:05 2013 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 21 00:46:05 2013 VERIFY EKU OK
Wed Aug 21 00:46:05 2013 VERIFY OK: depth=0, C=RU, ST=RU, L=Moscow, O=Myorg, CN=server, emailAddress=me@myhost.mydomain
Wed Aug 21 00:46:05 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 21 00:46:05 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 21 00:46:05 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 21 00:46:05 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 21 00:46:05 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Aug 21 00:46:05 2013 [server] Peer Connection Initiated with [AF_INET]213.211.150.167:1127
Wed Aug 21 00:46:08 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Aug 21 00:46:08 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13'
Wed Aug 21 00:46:08 2013 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug 21 00:46:08 2013 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug 21 00:46:08 2013 OPTIONS IMPORT: route options modified
Wed Aug 21 00:46:08 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Aug 21 00:46:08 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Aug 21 00:46:08 2013 open_tun, tt->ipv6=0
Wed Aug 21 00:46:08 2013 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{63EAE8F7-39E0-404F-B683-11AF9E08EB23}.tap
Wed Aug 21 00:46:08 2013 TAP-Windows Driver Version 9.9
Wed Aug 21 00:46:08 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.14/255.255.255.252 on interface {63EAE8F7-39E0-404F-B683-11AF9E08EB23} [DHCP-serv: 10.8.0.13, lease-time: 31536000]
Wed Aug 21 00:46:08 2013 Successful ARP Flush on interface [16] {63EAE8F7-39E0-404F-B683-11AF9E08EB23}
Wed Aug 21 00:46:13 2013 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Wed Aug 21 00:46:13 2013 Route: Waiting for TUN/TAP interface to come up...
Wed Aug 21 00:46:18 2013 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Aug 21 00:46:18 2013 C:\Windows\system32\route.exe ADD 213.211.150.167 MASK 255.255.255.255 192.168.1.1
Wed Aug 21 00:46:18 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Wed Aug 21 00:46:18 2013 Route addition via IPAPI succeeded [adaptive]
Wed Aug 21 00:46:18 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.13
Wed Aug 21 00:46:18 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Aug 21 00:46:18 2013 Route addition via IPAPI succeeded [adaptive]
Wed Aug 21 00:46:18 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.13
Wed Aug 21 00:46:18 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Aug 21 00:46:18 2013 Route addition via IPAPI succeeded [adaptive]
Wed Aug 21 00:46:18 2013 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.13
Wed Aug 21 00:46:18 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Aug 21 00:46:18 2013 Route addition via IPAPI succeeded [adaptive]
Wed Aug 21 00:46:18 2013 Initialization Sequence Completed
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
by maikcat » Wed Aug 21, 2013 7:52 am
please post the output of:
iptables -t nat -L -v
ifconfig
on your openvpn server...
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
by ext_user » Wed Aug 21, 2013 11:05 am
Here it is
root@server11:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 251K packets, 74M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 82819 packets, 5914K bytes)
pkts bytes target prot opt in out source destination
8482 531K MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT 82819 packets, 5914K bytes)
pkts bytes target prot opt in out source destination
root@server11:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:f6:2a:9a
inet addr:213.211.150.167 Bcast:213.211.150.191 Mask:255.255.255.192
inet6 addr: 2a02:578:2001:3:216:3eff:fef6:2a9a/64 Scope:Global
inet6 addr: fe80::216:3eff:fef6:2a9a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6097493 errors:0 dropped:0 overruns:0 frame:0
TX packets:1555964 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:866974847 (826.8 MiB) TX bytes:637622036 (608.0 MiB)
Interrupt:9
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:88123 errors:0 dropped:0 overruns:0 frame:0
TX packets:90951 errors:0 dropped:220 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:28036096 (26.7 MiB) TX bytes:71666751 (68.3 MiB)
by maikcat » Wed Aug 21, 2013 11:22 am
run this on your openvpn server
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
can you post the output of
tracert 8.8.8.8
from your client after it connects?
Michael.
by ext_user » Wed Aug 21, 2013 12:53 pm
maikcat,
this command already exists in my /etc/rc.local. But ok, I ran it.
Tracert log:
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 47 ms 49 ms 51 ms 10.8.0.1
2 52 ms 51 ms 51 ms 212.71.10.129.static.edpnet.net [212.71.10.129]
3 51 ms 51 ms 51 ms core1.ams.net.google.com [195.69.144.247]
4 81 ms 87 ms 54 ms 209.85.248.118
5 49 ms 51 ms 51 ms 72.14.238.153
6 54 ms 54 ms 55 ms 216.239.49.28
7 * * * Request timed out.
8 54 ms 55 ms 52 ms google-public-dns-a.google.com [8.8.8.8]
Trace complete.
by maikcat » Wed Aug 21, 2013 1:01 pm
tracert looks good...
if you can't resolve names then it's a DNS issue...
btw rc.local executes on start up,
you can use iptables-save or add the appropriate entry manually
into /etc/sysconfig/iptables
do your iptables rules start automatically?
what distro are you using?
Michael.
by ext_user » Wed Aug 21, 2013 2:28 pm
Michael,
I can resolve names.
btw rc.local executes on start up
I restarted my server after editing rc.local
are iptables start automatically?
I don't quite understand what you mean, but VPN on my phone works fine after server reboot.
what distro are you using?
Debian 6.0 32bit
by maikcat » Thu Aug 22, 2013 6:13 am
but VPN on my phone works fine after server reboot.
so you are ok,right?
Michael.
by ext_user » Thu Aug 22, 2013 9:42 am
No I'm not.
See the 1st post:
I've installed OpenVPN server on a VDS and two clients: one on my Android phone and one on my home computer running win7 64. VPN on the phone works fine, but when I establish a connection from the desktop, I can't open any webpages.
by maikcat » Thu Aug 22, 2013 10:35 am
What confuses me most is - I can access the webhosts via telnet 80, I get a response when I ping them (using any packet length), but they don't open in any browser
if you telnet whatismyip.com 80 you get a response back, and if you open the webpage
via a browser you get nothing?????
did you check your PC for spyware/viruses?
Michael.
by ext_user » Thu Aug 22, 2013 10:48 am
Exactly.
Yes, I did. I have a constantly running AV software and it does regular scans on my PC.
by maikcat » Thu Aug 22, 2013 11:13 am
keep in mind that AVs are usually not very good anti-spyware tools...
did you try tools like Malwarebytes Anti-Malware to scan your PC?
can you create a VM on your PC and try from it?
Michael.
by ext_user » Thu Aug 22, 2013 2:34 pm
I solved the problem by adding "fragment 1400" and "mssfix" options to client and server config files.
Thanks for trying to help, Michael.
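Added example for the fix in the last post; it is not code from the thread or from the OpenVPN project. The symptom (ping and a bare telnet to port 80 work, full pages never load) is the classic MTU black hole that fragment/mssfix addresses: small packets fit inside the tunnel's UDP datagram, a full-size TCP segment with DF set produces a datagram larger than the path carries, and when nobody sends back "fragmentation needed" the TCP session simply stalls after the handshake. Plain ping without the DF flag hides this because the sender fragments large echoes itself, which is why the probe below sets DF explicitly. The script measures the path MTU with don't-fragment pings (run it from the client against the VPN server's public address, i.e. the outer path the tunnel rides on) and derives fragment/mssfix values from the result. Assumptions not stated on the page: IPv4 with proto udp; the OpenVPN 2.3-era reading of fragment/mssfix as the UDP payload size with the outer IP/UDP headers excluded; the 42-byte per-packet encapsulation overhead for BF-CBC/SHA1 with comp-lzo is an estimate; the 576..1500 search window and the extra margin are this example's own choices.

```python
"""Path-MTU probe and OpenVPN fragment/mssfix sizing (added example, not
from the thread or the OpenVPN project; see assumptions above)."""
import subprocess
import sys

IPV4_HEADER = 20
ICMP_HEADER = 8
UDP_HEADER = 8
ENCAP_OVERHEAD = 42  # assumed: opcode, packet-id, IV, CBC padding, LZO flag, SHA1 HMAC


def ping_df_probe(host, icmp_payload, timeout_s=2):
    """Send one ICMP echo with DF set and `icmp_payload` data bytes; True if answered.

    Linux iputils ping: -M do (never fragment), -s (payload size), -W (seconds).
    Windows ping: -f (don't fragment), -l (payload size), -w (milliseconds).
    A local 'Message too long' and a silent timeout both count as a failed probe.
    """
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f",
               "-l", str(icmp_payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(icmp_payload), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest IP packet size in [lo, hi] the path carries unfragmented.

    `probe(icmp_payload)` returns True when an echo of that payload size is answered.
    Returns the full IPv4 packet size (headers included), or None when even `lo`
    fails (host down, ICMP filtered, black hole below `lo`) so that "no answer at
    all" is never reported as "the MTU is 576".
    """
    def passes(pkt_len):
        return probe(pkt_len - IPV4_HEADER - ICMP_HEADER)

    if not passes(lo):
        return None
    if passes(hi):
        return hi
    while hi - lo > 1:          # invariant: passes(lo) and not passes(hi)
        mid = (lo + hi) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid
    return lo


def fits_path(inner_len, path_mtu, overhead=ENCAP_OVERHEAD):
    """True if an inner IP packet of `inner_len` bytes, once encrypted and wrapped
    in UDP/IPv4 by OpenVPN, still fits `path_mtu` without fragmentation.

    The thread's symptom in one comparison: an 84-byte ping or a ~60-byte TCP SYN
    fits, a full 1500-byte HTTP segment does not.
    """
    return inner_len + overhead + UDP_HEADER + IPV4_HEADER <= path_mtu


def openvpn_mtu_options(path_mtu, margin=0):
    """Derive fragment/mssfix for a path that carries `path_mtu`-byte packets.

    Both options are sized as the UDP payload (assumed 2.3 semantics), so the
    outer IPv4+UDP headers come off; `margin` is extra slack for encapsulation
    you did not measure (PPPoE, a second tunnel, ...).
    """
    payload = path_mtu - IPV4_HEADER - UDP_HEADER - margin
    return {"fragment": payload, "mssfix": payload}


def config_lines(opts):
    """Render the options as lines to add to BOTH the client and the server config."""
    return [f"fragment {opts['fragment']}", f"mssfix {opts['mssfix']}"]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mtuprobe.py <vpn-server-public-ip>")
    target = sys.argv[1]
    mtu = find_path_mtu(lambda n: ping_df_probe(target, n))
    if mtu is None:
        sys.exit(f"no DF echo reply from {target} even at 576 bytes; check ICMP filtering")
    print(f"path MTU to {target}: {mtu} bytes")
    for line in config_lines(openvpn_mtu_options(mtu, margin=28)):
        print(line)
```

With a clean 1500-byte path this yields fragment/mssfix 1444 after the 28-byte margin; the poster's 1400 is simply a more conservative value of the same kind. The point of the probe over guessing is the None case: if the server filters ICMP, no DF echo is ever answered, and a naive search would report a bogus tiny MTU instead of telling you the measurement did not happen.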