Netgate Discussion Forum

    Internet access lost with OpenVPN

    • D
      darkcorner
      last edited by

      @viragomann
      @amidr

      It just doesn't surf and every site is unreachable
      I have tried Chrome, Opera and Firefox; both in normal and private mode, even by clearing all the cache.
      The problem occurs randomly, this is what gets me into trouble.
      For example, now I worked without problems for 20 minutes, then for each site called I found the error "DNS_PROBE_FINISHED_NXDOMAIN" ..
      I started writing this answer with the VPN active and completed it after I deactivated the VPN because the forum became unreachable and the "Submit" button did not work.

      If I am doing a remote configuration, I also need to access the Internet, for example to consult documentation.
      In recent days I was forced to use two computers, one for the remote connection and one to go to the Internet, but in this way I could not copy and paste commands.

      • GertjanG
        Gertjan @darkcorner
        last edited by Gertjan

        @darkcorner said in Internet access lost with OpenVPN:

        When I connect to OpenVPN

        This concerns:
        The OpenVPN access server, you are connecting from 'remote' to your pfSense OpenVPN server?
        Or
        You have an OpenVPN client set up in pfSense, and you want to use some VPN supplier to connect to the Internet?

        edit:
        Ok, I presume you are connected to the pfSense server - and the connection breaks.

        When you can't 'surf' because the connection broke, it is normal that 'dns' doesn't work either. This explains the

        @darkcorner said in Internet access lost with OpenVPN:

        then for each site called I found the error "DNS_PROBE_FINISHED_NXDOMAIN" ..

        message.

        When you are connected, you receive a tunnel IP.
        This IP comes out of this network:

        [image]

        192.168.3.0/24 is my tunnel network - yours is probably different.

        The OpenVPN server (pfSense) will use the dot 1 - in my case 192.168.3.1.
        The IP on your side could be 192.168.3.2 or something like that.
        So 192.168.3.1 is the pfSense side of the tunnel.
        192.168.3.2 is your side.

        Can you ping 192.168.3.1 ?

        @darkcorner said in Internet access lost with OpenVPN:

        I have checked all the log

        The logs on both sides of the tunnel ? The client logs and the server OpenVPN logs ?
        When the tunnel breaks, there will be messages .....

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • ?
          A Former User @darkcorner
          last edited by

          @darkcorner said in Internet access lost with OpenVPN:

          When I connect to OpenVPN I can still browse the Internet because the "Redirect IPv4 Gateway" option is active, but after a few minutes browsing becomes impossible.

          Publish your firewall logs from the moment you lose connection and I can help you.

          • D
            darkcorner
            last edited by

            Thanks for the replies.
            The ping on the tunnel works, after all I can connect to pfSense.
            Ping 8.8.8.8 also works while the one on google.com does not.

            Speaking of the logs, these are the errors that I am detecting, but I do not think they interfere with navigation because they always appear, even without activating OpenVPN.

            Firewall
            There are dozens of these reports, sometimes with different ports.

            Jan 8 12:49:41	WAN	Default deny rule IPv4 (1000000103)	  192.168.1.151:55673   239.255.255.250:1900	UDP
            

            Sometimes the IP is this 224.0.0.251:5353
            Nobody here knows what these IPs correspond to.

            System/Gateways

            Jan 8 12:34:44	dpinger	21916	send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.2 identifier "WAN_DHCP "
            

            OpenVPN

            Jan 8 12:49:04	openvpn	37563	User-VPN/IP-User-VPN:20964 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2530 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
            

            This same error also appears in the OpenVPN-GUI client log, on Win11 PC.

            • V
              viragomann @darkcorner
              last edited by

              @darkcorner said in Internet access lost with OpenVPN:

              Ping 8.8.8.8 also works while the one on google.com does not.

              This indicates a DNS issue at all.

              So I assume, you're providing a DNS server in the OpenVPN settings, but the client is not able to access it, maybe it has no route or it is not allowed to access the server.
              Which server are you providing? If it's a local one ensure that its IP is part of the "Local networks" or add it otherwise.

              • ?
                A Former User @darkcorner
                last edited by

                @darkcorner said in Internet access lost with OpenVPN:

                Ping 8.8.8.8 also works while the one on google.com does not.

                Services > DNS Resolver > General Settings

                Enable DNS resolver ☑

                • D
                  darkcorner
                  last edited by darkcorner

                  Why does it always work from the LAN?
                  Why does OpenVPN initially work? It ran for 20 minutes yesterday. It's working this way too, yet I'm connected to OpenVPN.
                  DNS-Resolver is enabled and these are the DNS
                  DNS-pfSense.png

                  • ?
                    A Former User @darkcorner
                    last edited by

                    @darkcorner, I need more information about firewall rules and firewall logs at the moment that I can no longer navigate correctly.

                    • V
                      viragomann @darkcorner
                      last edited by

                      @darkcorner
                      We are still in the dark about what kind of OpenVPN you're talking here.
                      Please respond to the questions @Gertjan asked above.

                      • ?
                        A Former User @viragomann
                        last edited by

                        @viragomann said in Internet access lost with OpenVPN:

                        Please respond to the questions

                        The more information you provide about your system the faster we can help.

                        • D
                          darkcorner
                          last edited by darkcorner

                          It seemed to me that I made it clear.
                          OpenVPN has been activated on pfSense and on Win11 PC there is OpenVPN GUI.
                          There is a "Remote Access (SSL / TLS + User Auth)" Server
                          Use a TLS Key = ON
                          Data Encryption Algorithms = AES-256-CBC
                          Redirect IPv4 Gateway = Force all client-generated IPv4 traffic through the tunnel.
                          Dynamic IP = Allow connected clients to retain their connections if their IP address changes
                          Topology = Subnet - One IP address per client in a common subnet
                          Ping settings / Inactive = 0

                          Obviously there is a C.A., a certificate for the server and one for the user who connects via VPN. Once activated, in pfSense I log in as "Admin".

                          The configuration on pfSense was created with the wizard and therefore the rule is the one created automatically.
                          The client configuration was exported with the addon and brought to the PC to be used by the client.

                          However, I repeat, even now I am working connected to OpenVPN and I am surfing the Internet. Maybe in the next 10 minutes I keep the VPN connection, but I lose the ability to surf.

                          ==== Update
                          As I said, not even a couple of minutes after my reply, here I have lost the internet, but the VPN is still active.
                          I am forced to shut down the VPN just to respond.

                          • V
                            viragomann @darkcorner
                            last edited by viragomann

                            @darkcorner said in Internet access lost with OpenVPN:

                            Redirect IPv4 Gateway = Force all client-generated IPv4 traffic through the tunnel.

                            If you have Redirect gateway on you should provide a DNS server to the clients, do you?
                            I asked that above already.

                            • D
                              darkcorner @viragomann
                              last edited by darkcorner

                              @viragomann said in Internet access lost with OpenVPN:

                              @darkcorner said in Internet access lost with OpenVPN:

                              Redirect IPv4 Gateway = Force all client-generated IPv4 traffic through the tunnel.

                              If you have Redirect gateway on you should provide a DNS server to the clients, do you?
                              I asked that above already.

                              I answered above.
                              In pfSense there is 127.0.0.1, 8.8.8.8 and 8.8.4.4
                              On the PC there is 8.8.8.8, 8.8.4.4
                              But if I am connected in OpenVPN the active DNS should be that of the pfSense, but not that of PC, right?
                              DNS which are the same, apart from 127.0.0.1.

                              Or do I have to set up DNS somewhere else?

                              That said, the question remains as to why there is this double quirk of a DNS that works and then stops working. Sometimes it works for a couple of minutes, sometimes more.

                              • V
                                viragomann @darkcorner
                                last edited by

                                @darkcorner said in Internet access lost with OpenVPN:

                                But if I am connected in OpenVPN the active DNS should be that of the pfSense, but not that of PC, right?

                                This depends on if you have this option checked in the DNS server settings:
                                [image]

                                As stated above, it's recommended to check it and then enter at least one DNS server. But not 127.0.0.1, cause this would be the client itself, which is naturally not capable to resolve requests.

                                If you want the client to request pfSense for DNS resolution, enter the virtual VPN server IP or another interface IP.

                                • D
                                  darkcorner @viragomann
                                  last edited by

                                  @viragomann
                                  This setting was not active.
                                  Today I try it.
                                  thanks for now

                                  • D
                                    darkcorner @viragomann
                                    last edited by darkcorner

                                    @viragomann
                                    I tried turning this setting on and using Google's DNS. I haven't actually had any interruptions for over 15 minutes.
                                    But I don't understand:

                                    1. Why doesn't Internet browsing work without this setting? If I ask to direct all traffic via pfSense, I would have already had to use the DNS of pfSense, which by the way are always those of Google.
                                    2. Why did the navigation stop after some time? If I was missing DNS, I was missing them from the start.

                                    However now it seems to work and therefore I consider the problem solved.
                                    Thank you all.

                                    • V
                                      viragomann @darkcorner
                                      last edited by

                                      @darkcorner said in Internet access lost with OpenVPN:

                                      Why doesn't Internet browsing work without this setting? If I ask to direct all traffic via pfSense, I would have already had to use the DNS of pfSense,

                                      Imagine the client resides in 192.168.1.0/24, his network settings are
                                      IP = 192.168.1.25
                                      mask = 255.255.255.0
                                      DNS server = 192.168.2.3

                                      So his DNS server resides in another subnet, which he is able to access via his router.

                                      Now the VPN client establishes the VPN connection and as you have checked "Redirect gateway", the client changes the default route and points it to the VPN server instead of his local router. Hence he will no longer be able to reach the DNS server at 192.168.2.3, cause this traffic is directed to the OpenVPN server as well.

                                      Why did the navigation stop after some time? If I was missing DNS, I was missing them from the start.

                                      Possibly due to his local DNS cache.

                                      1 Reply Last reply Reply Quote 1
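
Added example, not part of any post in this thread: a small longest-prefix-match model of the client routing table from the last reply, showing where DNS queries go before and after "Redirect gateway" takes effect. It assumes the redirect is installed as the two /1 routes that OpenVPN's `redirect-gateway def1` uses, takes 192.168.3.0/24 (Gertjan's example) as the tunnel network, and assumes pfSense has no route back to the client's private 192.168.2.0/24; the function names and verdict labels are hypothetical.

```python
import ipaddress

def build_routes(vpn_up):
    """Client routing table as (network, interface, gateway) tuples."""
    routes = [
        ("0.0.0.0/0", "lan", "192.168.1.1"),   # default route via the local router
        ("192.168.1.0/24", "lan", None),       # client LAN, on-link
    ]
    if vpn_up:
        routes += [
            ("192.168.3.0/24", "tun", None),          # tunnel network, on-link
            ("0.0.0.0/1", "tun", "192.168.3.1"),      # assumed def1-style override:
            ("128.0.0.0/1", "tun", "192.168.3.1"),    # two /1 routes beat the /0
        ]
    return [(ipaddress.ip_network(n), i, g) for n, i, g in routes]

def lookup(routes, dst):
    """Return the most specific route that contains dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)

def dns_verdict(dst, vpn_up, server_side_nets=("192.168.3.0/24",)):
    """Classify where a query to DNS server dst ends up.

    server_side_nets stands for the tunnel network plus anything listed
    under "Local networks" on the server (constructed values).
    """
    _, iface, _ = lookup(build_routes(vpn_up), dst)
    addr = ipaddress.ip_address(dst)
    if iface == "lan":
        return "local"             # never enters the tunnel
    if any(addr in ipaddress.ip_network(n) for n in server_side_nets):
        return "tunnel-ok"         # answered on the pfSense side
    if addr.is_private:
        return "tunnel-blackhole"  # client-side private net, unknown to pfSense
    return "tunnel-nat"            # public resolver, leaves via pfSense's WAN

if __name__ == "__main__":
    for server in ("192.168.2.3", "192.168.1.1", "192.168.3.1", "8.8.8.8"):
        print(server, dns_verdict(server, False), "->", dns_verdict(server, True))
```

The 192.168.2.3 resolver from the reply flips from reachable to black-holed the moment the tunnel comes up, while a resolver pushed from the tunnel network or a public one keeps working.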
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.