Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Sep 24, 2019 10:03 pm
Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
Somewhat new user of Linux, but longtime network engineer here. I installed OpenVPN on CentOS 7 on my home server. Got everything working to the point that I can connect from my Galaxy S9. But there's this one little problem...
Pings work, to both IP address and DNS name, anywhere on the Internet. But when I attempt to browse, nothing shows up in my phone's browser. I ran tcpdump on the tun0 interface on my openvpn server, and it shows traffic in both directions to/from the server I am trying to reach on my phone, but still nothing.
***************************************
Service.conf file contents:
# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun
# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/homelan-server.crt
key /etc/openvpn/server/homelan-server.key
#DH and CRL key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/easy-rsa/3/pki/crl.pem
# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 192.168.71.0 255.255.255.0
push "redirect-gateway def1"
# Using the DNS from https://dns.watch
push "dhcp-option DNS 192.168.20.21"
push "dhcp-option DNS 192.168.20.22"
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other Configuration
keepalive 10 60
persist-key
persist-tun
comp-lzo
daemon
user nobody
group nobody
# tcp-nodelay
# OpenVPN Log
log-append /var/log/openvpn.log
verb 3
***************************************
client.ovpn file contents:
client
dev tun
proto udp
remote us.***.com 1194
ca ca.crt
cert Mobile01.crt
key Mobile01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
comp-lzo
persist-key
persist-tun
mute-replay-warnings
verb 6
***************************************
Also, I am unable to use my internal bind servers to resolve servers on my local network. This works from my laptop and phone when they are on wifi, but not from my phone when it is connected via OpenVPN.
Soooo, what am I doing wrong?
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
You are not reading the howto ..
How do I know, see the DNS server IPs you are pushing .. how does the client know where they are ?
https://community.openvpn.net/openvpn/w ... versubnet.
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Sep 24, 2019 10:03 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
Because of this in the server config:
push "redirect-gateway def1"
I can ping my DNS servers from my phone when my client is connected. My phone just doesn't use them for resolution.
I can ping anything by name on the Internet and (as it turns out, if I would just try it once in a while...) on my home network. I just can't browse to anything on the Internet or on my local subnets.
After further review, however, I am able to SSH to hosts on my local subnets. I just can't browse. So two-way communication is working, but the tunnel is trashing browser traffic on the way back into the OpenVPN tunnel somehow.
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Sep 24, 2019 10:03 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
NAT/masquerade in FirewallD.
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Sep 24, 2019 10:03 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
I have to wonder if this is an MTU issue. It certainly acts like one. I tried setting fragment, but that doesn't connect, since it is not supported on Android. I now have to wait until I get home tonight to experiment further because I locked myself out of my OpenVPN server now and can't do it remotely anymore.
Does anyone else have this working on an Android phone with a CentOS 7 server on the other end? Does it work better on other server OS platforms?
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
I presume you have either disabled selinux or set it up correctly ..
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Sep 24, 2019 10:03 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
Yes, disabled. It's entirely behind my ASA firewall, so other than UDP 1194, it is protected.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
Please try
mssfix 1300
on client side.
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Sep 24, 2019 10:03 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
I think the mssfix command is only for TCP connections? It didn't work. I got it to work with the tun-mtu command. The fragment command doesn't work on Android clients: "can't use on android, and can't connect android clients to servers using fragment either." Is there a better way to control the MTU? And does pmtud work on Android and CentOS 7?
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
Please read --mssfix in manual 2.4:
https://community.openvpn.net/openvpn/w ... n24ManPage
Announce to TCP sessions running over the tunnel that they should limit.............
.....
The --mssfix option only makes sense when you are using the UDP protocol for OpenVPN peer-to-peer communication, i.e. --proto udp.
- OpenVpn Newbie
- Posts: 8
- Joined: Tue Sep 24, 2019 10:03 pm
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
Okay, I guess I musta messed it up the first time, as it seems to be working now with mssfix 1450 configured on both ends. I messed it up? Really? That never happens... Thanks for everyone's help.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Can resolve Internet DNS and ping anything, can't browse Internet or LAN servers
--mssfix 1450 is the default, as in not specifying --mssfix 
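The thread ends on --mssfix, so here is an added example of the mechanism it relies on: clamping the TCP MSS option in SYN segments so that a TCP peer never sends a segment which, after IPv4/TCP headers and the tunnel's own encapsulation, overflows one UDP datagram. That is why ICMP pings (small) succeed while HTTP (full-size segments) hangs. This is illustrative code written for this thread, not OpenVPN's implementation; the function and packet names, the encapsulation overhead passed to mss_for_budget, and the sample SYN between 192.168.71.2 and 10.0.0.1 are all constructed for the demo.

```python
import struct
from typing import Iterator, Optional, Tuple

IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options


def mss_for_budget(udp_budget: int, encap_overhead: int) -> int:
    """Largest MSS such that IPv4 + TCP + payload + tunnel encapsulation still
    fits in udp_budget bytes. encap_overhead is an assumed figure here; OpenVPN
    derives its real per-packet overhead from cipher, HMAC and compression."""
    return udp_budget - encap_overhead - IPV4_HDR - TCP_HDR


def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_csum(src: bytes, dst: bytes, tcp: bytes) -> int:
    # The TCP checksum covers an IPv4 pseudo-header plus the whole segment.
    return _csum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)


def _split(packet: bytes) -> Optional[Tuple[int, bytearray, int]]:
    """(IP header length, TCP segment, TCP data offset) for an IPv4/TCP packet."""
    if len(packet) < IPV4_HDR or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if len(tcp) < TCP_HDR or (tcp[12] >> 4) * 4 > len(tcp):
        return None
    return ihl, tcp, (tcp[12] >> 4) * 4


def _mss_option_offsets(tcp: bytes, data_off: int) -> Iterator[int]:
    """Yield the offset of each well-formed MSS option (kind 2, length 4);
    stop at end-of-list or at anything malformed rather than trusting it."""
    i = TCP_HDR
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            return
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= data_off or tcp[i + 1] < 2 or i + tcp[i + 1] > data_off:
            return
        if kind == 2 and tcp[i + 1] == 4:
            yield i
        i += tcp[i + 1]


def read_mss(packet: bytes) -> Optional[int]:
    """Advertised MSS of a segment, or None when there is no MSS option."""
    parts = _split(packet)
    if parts is None:
        return None
    off = next(_mss_option_offsets(bytes(parts[1]), parts[2]), None)
    return None if off is None else struct.unpack("!H", parts[1][off + 2:off + 4])[0]


def clamp_mss(packet: bytes, mss_limit: int) -> bytes:
    """Lower the MSS option to mss_limit when it is higher. Only SYN segments
    carry MSS, so everything else passes unchanged; the TCP checksum is
    recomputed so the rewritten SYN stays valid."""
    parts = _split(packet)
    if parts is None or not parts[1][13] & 0x02:   # not TCP, or SYN flag clear
        return packet
    ihl, tcp, data_off = parts
    changed = False
    for off in _mss_option_offsets(bytes(tcp), data_off):
        if struct.unpack("!H", tcp[off + 2:off + 4])[0] > mss_limit:
            tcp[off + 2:off + 4] = struct.pack("!H", mss_limit)
            changed = True
    if not changed:
        return packet
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", _tcp_csum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A valid segment checksums to zero once its own checksum field is included."""
    parts = _split(packet)
    return parts is not None and _tcp_csum(packet[12:16], packet[16:20], bytes(parts[1])) == 0


def build_segment(mss: int, syn: bool = True) -> bytes:
    """Constructed IPv4/TCP segment (VPN client 192.168.71.2 -> 10.0.0.1:443)
    carrying an MSS option. Sample data for this demo only."""
    src, dst = bytes([192, 168, 71, 2]), bytes([10, 0, 0, 1])
    flags = 0x02 if syn else 0x10                     # SYN, or a plain ACK
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, flags, 65535, 0, 0)
                    + struct.pack("!BBH", 2, 4, mss))
    tcp[16:18] = struct.pack("!H", _tcp_csum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(tcp),
                               0, 0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", _csum(bytes(ip)))   # IPv4 header checksum
    return bytes(ip) + bytes(tcp)
```

Running `clamp_mss(build_segment(1460), mss_for_budget(1450, 50))` turns a SYN advertising the usual Ethernet MSS of 1460 into one advertising 1360, and `tcp_checksum_ok` confirms the rewritten segment is still valid. The 50-byte overhead is only a placeholder: as the quoted manual text says, OpenVPN's mssfix value is a budget for the encapsulated UDP datagram, and the daemon subtracts its own overhead itself, which is why the value that works depends on the cipher and auth lines in the configs above.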
